Jan Mulders | 1 Jun 22:52 2006
Picon

Re: Shorewall and Aliased Interfaces.

I believe that the way it was intended to work, was if you only want a few ports forwarded you use DNAT, but if you want to forward everything and *then* control what ports etc to permit, you use one-on-one and ACCEPT. The advantage of DNAT is you don't need to add one-on-one NAT rules in, or worry about default-accept policies etc, as you're only allowing certain "lanes" of access, compared to opening the whole motorway, and putting up roadblocks.

Think of it as port forwarding (DNAT) versus DMZ'ing (NAT)

DNAT's characteristics:
- works great for simple "I need 3 ports" scenarios
- allows sharing of a single IP amongst multiple servers
- only one rule to add per server/service (DNAT source_ip, dest_ip, port....)
- traffic to the zone in question goes out from the server's actual IP (unless told otherwise)

one-on-one NAT's characteristics:
- works great for more general "I need this server accessable from the Internet" scenarios (think DMZ)
- does not allow sharing of a single IP amongst multiple servers
- rules to add per server (NAT public_ip, private_ip) and per service (ACCEPT source_ip dest_ip, port...)
- traffic to the zone in question goes out from it's NAT'ed IP

Hope this helps you.

Jan

On 01/06/06, Keith Mitchell <keithm <at> paisd.com> wrote:
I'm currently trying to clean up my shorewall rules as they've gotten so
cluttered I don't know which way is up.

Question:  In the
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html document,
there is a delineation between port-forwarding to DNAT'd virtual
interfaces and one-to-one NAT'ing along with different rules handling
for one vs. the other.

Is there any advantage of one methodology over the other for internal
hosts one would want to map distinct Public IP's for a few specific
services on each virtual interface?  From the above document, it seems
that the only real difference is whether the virtual interface setup is
handled by the OS (the DNAT example) or Shorewall (the One-to-One NAT
example).  Am I reading that correctly?

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)


-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmdlnk&kid7521&bid$8729&dat1642
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Gmane