
Re: Linux Kernel 2.4.10, arp -s doesn't work?

To: <nfudd@xxxxxxxxxxxx>
Subject: Re: Linux Kernel 2.4.10, arp -s doesn't work?
From: "Matthew G. Marsh" <mgm@xxxxxxxxxxxxx>
Date: Mon, 22 Oct 2001 11:08:40 -0500 (CDT)
Cc: <netdev@xxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.33.0110220051390.26470-100000@xxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
On Mon, 22 Oct 2001 nfudd@xxxxxxxxxxxx wrote:

> On Fri, 19 Oct 2001, Matthew G. Marsh wrote:
>
> > > Where can I find more information on one-to-one NAT?
> >
> > Actually 1-2-1 NAT is merely shorthand to distinguish which NAT I was
> > talking about. NAT essentially comes in two flavours:
> >
> > 1-2-1 is where one ip address is uniquely mapped onto another ip address
> >
> > Many-2-1 is where multiple ip addresses are mapped onto one ip address
> >     (covers both 1-2-Many and Many-2-1 mappings)
> >
> > 1-2-1 is traditionally thought of as a "routed NAT" where a router
> > performs the unique change of addresses.
> >
> > Many-2-1 is what is thought of as "IP Masquerade"
> >
> > Both functions are available with the same NetFilter commands.
> > Additionally 1-2-1 NAT is done by the FastNAT structures that are part of
> > the RPDB within Linux kernels. However NetFilter conntrack is not
> > compatible with FastNAT and thus if you use NetFilter conntrack then you
> > cannot use FastNAT. For your case you would be better off using NetFilter
> > NAT with conntrack in order to also apply control to the clients passthru.
> >
> > You can use FastNAT with NetFilter filters (as weirdos such as myself are
> > wont to do... ;-} ), but for standard NetFilter usage such as you need, it
> > is far easier (and you can ask people on this list for help) to use the
> > NetFilter 1-2-1 setup. I do think that someone also posted a patch that
> > allows you to do 1-2-1 NAT over a range correctly.
>
> Pardon me, but my eyes glazed over.  Let me get this straight.  There
> is FastNAT, and there is NetFilter.  You pick one or the other when
> compiling the kernel (somehow).  You can load them as modules
> (somehow).  Which things are incompatible and should not be used together?
> What happens if you accidentally use them together?  And is there a
> manual someplace, or maybe a test suite...

The only one which can (and should) be modularized is the NetFilter
conntrack. Indeed so long as the conntrack module is not loaded you can
use the NAT capabilities of the routing code (this code is referred to as
FastNAT).

The part to remember is that NetFilter is actually a set of hooks built
into the kernel which allow various software and related modules to
provide "firewall" capabilities to Linux. This is a good thing as the
extensibility of such a framework is available to anyone who wishes to
program to those interfaces. However do not confuse this framework with the
programs that allow you to perform tasks - such as iptables and conntrack.

The framework is compatible with and coexists quite well with the routing
code within the kernel - this is the RPDB (Routing Protocol DataBase)
which provides both simple (the standard route/ifconfig) IP networking as
well as (iproute2) advanced IP networking.

The one point of friction - which is what I refer to when I speak of
incompatibility in the context of this thread - is that NetFilter
conntrack, an external module to the kernel, "breaks" the RPDB sections
that allow FastNAT. This is not a bad thing due to the fact that conntrack
provides stateful inspection by reason of providing the notion of
"Connection" as a variable to the packet filtering engine (NetFilter).
Indeed I use both types of NAT in different situations depending on the
job I wish to get done. Neither one is a panacea for all NAT.

> > > "The personal computer allows you to make more mistakes faster than
> > > any other invention in human history, with the possible exceptions of
> > > handguns and tequila."
> > > (It's the mistakes made with handguns, computers *and* tequila that
> > > are really spectacular!)
> >
> > ROFL! (having seen and/or participated in such mistakes...)
>
> Yikes... what hardware got bullet-holed?  :-)

Hehehehe - I remember when a friend of mine purchased some
"armour-piercing" ammunition and we decided to try them out on an old AT
case. Figured it was fairly thick steel (you know - the cases you would
use whenever there was no stepladder handy). Afterwards (so I guess it
does not really count) we retired to view the videotape while sipping
margaritas. Unfortunately none of us can find the videotape... sigh -
probably in an ATF warehouse somewhere in case they "need" us.

> --
> N Fudd -- nfudd@xxxxxxxxxxxx
> Methuselah lived to be 969 years old. You boys and girls will see more
> in the next fifty years than Methuselah saw in his whole lifetime.
>   - Mark Twain

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250 x101
Email: mgm@xxxxxxxxxxxxx
WWW:  http://www.paktronix.com
--------------------------------------------------
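The two NAT mechanisms the reply contrasts, side by side, as an added example that is not part of the original thread or of Matthew's own configuration. On a 2.4 kernel the routing-code NAT (FastNAT, configured through iproute2) is silently disabled once the ip_conntrack module is loaded, so the script first inspects a /proc/modules-style listing and only then prints the rule set that will actually take effect: the iproute2 1-2-1 mapping when conntrack is absent, the iptables DNAT/SNAT pair when it is present. The addresses are constructed documentation values, and the commands are printed for review rather than executed, since applying them needs root and a 2.4-era kernel.

```shell
#!/bin/sh
# Added example, not from the thread: choose between FastNAT (routing-code
# NAT) and NetFilter 1-2-1 NAT depending on whether ip_conntrack is loaded,
# because a loaded conntrack module disables FastNAT on 2.4 kernels.
# Commands are printed, not applied. Addresses are constructed values.

PUBLIC_IP=203.0.113.10      # constructed: externally visible address
PRIVATE_IP=192.168.1.10     # constructed: internal host the public address maps to

# conntrack_loaded FILE: succeed if ip_conntrack appears in a /proc/modules
# style listing (the first field of each line is the module name).
conntrack_loaded() {
    awk '$1 == "ip_conntrack" { found = 1 } END { exit !found }' "$1"
}

# emit_fastnat PUB PRIV: 1-2-1 NAT through the RPDB (2.4-era iproute2 syntax).
# Stateless, routed NAT; ignored if ip_conntrack is loaded.
emit_fastnat() {
    printf 'ip route add nat %s via %s\n' "$1" "$2"
    printf 'ip rule add from %s nat %s\n' "$2" "$1"
}

# emit_netfilter_nat PUB PRIV: the same mapping in the iptables nat table.
# Requires ip_conntrack, and gives you connection state to filter on.
emit_netfilter_nat() {
    printf 'iptables -t nat -A PREROUTING -d %s -j DNAT --to-destination %s\n' "$1" "$2"
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' "$2" "$1"
}

# choose_nat FILE PUB PRIV: print the rule set that will take effect given
# the modules listed in FILE, with a comment line naming the choice.
choose_nat() {
    if conntrack_loaded "$1"; then
        echo "# ip_conntrack loaded: FastNAT would be ignored, using NetFilter NAT"
        emit_netfilter_nat "$2" "$3"
    else
        echo "# ip_conntrack not loaded: FastNAT available"
        emit_fastnat "$2" "$3"
    fi
}

# Run against the live module list when there is one to read.
[ -r /proc/modules ] && choose_nat /proc/modules "$PUBLIC_IP" "$PRIVATE_IP"
```

Pipe the output through `sh` only after reading it; the point of the check is that configuring FastNAT on a box where conntrack is already loaded leaves you with rules that look right and do nothing.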

