[Coldstuff] IP Masq / forwarding

Brad Roberts coldstuff@cold.org
Wed, 20 Feb 2002 12:30:44 -0800 (PST)

On Wed, 20 Feb 2002, Brandon Gillespie wrote:

> On Wed, Feb 20, 2002 at 11:19:31AM -0800, Jonathan Robertson wrote:
> > I am going to be toying around with the idea of using
> > ip masq and forwarding to hide my server behind
> > another firewall.  Has anyone else already done this?
> > Comments or suggestions from anyone?
> Please correct me if I'm wrong, but isn't linux's IP masquerading just
> PAT/NAT?  If so, its not really appropriate for a server (inbound) and
> was originally designed to hide a network behind a single IP address
> (outbound).  While you can manage inbound on a port by port basis to a
> server... why would you in this situation?  It would work, but you
> dont get much value and you do get more complexity...
> -Brandon

Appropriate is very much in the eye of the beholder.  Hiding a box behind
NAT and doing port forwarding can often be a big advantage.

- You gain a reasonable measure of security by having only specifically
forwarded ports accessible on the internal machine.

- You gain device independence by not having the public network aware of
the actual address of the box being forwarded to.

- With NAT engine a little more powerful than the current Linux
implementation (well, I don't know for a fact that linux's can't do this,
but I'm not sure it can either) you could even do load balancing across
multiple boxes from a central NAT point.  Granted, this wouldn't be a good
thing for a mud.

- Lastly, hardening a single box that's doing the NAT work can be a lot
easier than hardening every machine behind it.  With only a few known
ports getting through to a few very well defined machines, the network
behind the NAT point can afford to be less hardened.