I'm currently trying to clean up my shorewall rules as they've gotten so cluttered I don't know which way is up.

Question: In the http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html document, there is a delineation between port-forwarding to DNAT'd virtual interfaces and one-to-one NAT'ing along with different rules handling for one vs. the other.

Is there any advantage of one methodology over the other for internal hosts one would want to map distinct Public IPs for a few specific services on each virtual interface? From the above document, it seems that the only real difference is whether the virtual interface setup is handled by the OS (the DNAT example) or Shorewall (the One-to-One NAT example). Am I reading that correctly?

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk! Fully trained technicians. The highest number of Red Hat certifications in the hosting industry. Fanatical Support. Click to learn more http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
I believe that the way it was intended to work was: if you only want a few ports forwarded you use DNAT, but if you want to forward everything and *then* control what ports etc. to permit, you use one-on-one and ACCEPT. The advantage of DNAT is you don't need to add one-on-one NAT rules in, or worry about default-accept policies etc., as you're only allowing certain "lanes" of access, compared to opening the whole motorway and putting up roadblocks.

Think of it as port forwarding (DNAT) versus DMZ'ing (NAT).

DNAT's characteristics:
- works great for simple "I need 3 ports" scenarios
- allows sharing of a single IP amongst multiple servers
- only one rule to add per server/service (DNAT source_ip, dest_ip, port....)
- traffic to the zone in question goes out from the server's actual IP (unless told otherwise)

one-on-one NAT's characteristics:
- works great for more general "I need this server accessible from the Internet" scenarios (think DMZ)
- does not allow sharing of a single IP amongst multiple servers
- rules to add per server (NAT public_ip, private_ip) and per service (ACCEPT source_ip dest_ip, port...)
- traffic to the zone in question goes out from its NAT'ed IP

Hope this helps you.

Jan

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Thanks Jan, that actually helps me greatly!

________________________________
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jan Mulders
Sent: Thursday, June 01, 2006 1:52 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall and Aliased Interfaces.
Keith Mitchell wrote:
> From the above document, it seems that the only real difference is whether the virtual interface setup is handled by the OS (the DNAT example) or Shorewall (the One-to-One NAT example). Am I reading that correctly?

One clarification in addition to what Jan has posted -- virtual interface setup is always handled by user space utilities. In the One-to-one NAT case, Shorewall can run the utility -- in the DNAT case, you must rely on your distribution's networking startup scripts to run the utility.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
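Jan's two variants and Tom's point about who adds the alias, written out as concrete Shorewall configuration. This is an added example, not text from any message in this thread nor from the Shorewall documentation; the addresses (203.0.113.0/24 as the public block, 192.168.1.0/24 as the internal LAN), the interface name eth0 and the zone names net and loc are assumptions made for illustration.

```conf
# /etc/shorewall/shorewall.conf
# Only the one-to-one variant depends on this: with ADD_IP_ALIASES=Yes,
# Shorewall itself runs the user-space utility that adds each EXTERNAL
# address from /etc/shorewall/nat to the named interface.
ADD_IP_ALIASES=Yes

# ============ Variant A: DNAT (port forwarding) ============
# Assumption: 203.0.113.10 is already configured on eth0 by the
# distribution's network scripts (the equivalent of
# "ip addr add 203.0.113.10/32 dev eth0"). Shorewall does NOT add it here.
#
# /etc/shorewall/rules
#ACTION  SOURCE  DEST                   PROTO  DEST     SOURCE   ORIGINAL
#                                              PORT(S)  PORT(S)  DEST
DNAT     net     loc:192.168.1.10       tcp    80       -        203.0.113.10
DNAT     net     loc:192.168.1.10       tcp    443      -        203.0.113.10
# A second server behind the SAME public address, with a port change:
# public 203.0.113.10:22 is delivered to 192.168.1.11:2222.
DNAT     net     loc:192.168.1.11:2222  tcp    22       -        203.0.113.10
# Nothing else addressed to 203.0.113.10 is reachable; the net->loc
# policy (normally DROP or REJECT) covers every port not listed above.

# ============ Variant B: one-to-one NAT ============
# /etc/shorewall/nat
# The whole of 203.0.113.11 is claimed for one internal host, in both
# directions: inbound packets are translated to 192.168.1.11 and that
# host's outbound traffic leaves from 203.0.113.11 (Jan's last bullet).
#EXTERNAL       INTERFACE  INTERNAL       ALL_INTERFACES  LOCAL
203.0.113.11    eth0       192.168.1.11   No              No

# /etc/shorewall/rules
# The address translation happens in PREROUTING, before filtering, so the
# ACCEPT rules name the INTERNAL address, not 203.0.113.11.
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
ACCEPT   net     loc:192.168.1.11    tcp    22,80
# Every other port on 203.0.113.11 is still subject to the net->loc policy;
# the nat entry alone does not open anything.
```

The ORIGINAL DEST column is what ties each DNAT rule to one public alias, which is why several servers can share 203.0.113.10 on different ports, whereas the nat entry in variant B consumes the whole address. After editing, `shorewall check` validates the files without loading them, and `shorewall show nat` prints the compiled nat-table chains, which is the quickest way to confirm that the variant you intended is the one actually in effect.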
No problem, glad I could be of help :) Seems I've spent so long pestering the list for information, it's about time I gave back some of the knowledge gleaned from it!

Regards,

Jan