Craig White wrote:
> On Sat, 2005-11-05 at 08:25 -0600, Nathaniel Hall wrote:
>> Craig White wrote:
>>> On Fri, 2005-11-04 at 08:35 -0600, Nathaniel Hall wrote:
>>>> I know this sounds like a stupid question, but I'm gonna ask anyway. I
>>>> would like to create a router using Fedora Core 3 (or 4) and netfilter,
>>>> but I don't want to masquerade. Am I going to have to do SNAT and DNAT,
>>>> or is there any way I can do it without any kind of NAT?
>>>
>>> ----
>>> It might be easier to make suggestions if it were clearer what you had
>>> in mind.
>>>
>>> A router doesn't need to do NAT if the clients know where they are
>>> going (i.e. static routes), or it very well may be that a proxy server
>>> like squid will do what you want.
>>>
>>> Craig
>>
>> I have a setup with multiple firewalls around my DMZ. The DMZ is
>> addressed with legal IP addresses and the internal network is addressed
>> with private addresses. I perform many-to-one NAT on the external
>> firewall and simply route (and filter) at the internal firewall. This
>> keeps me from having to figure out which internal IP address was NATed
>> to which external IP address when I am looking at access logs. The
>> internal firewall took very little setup, but it isn't netfilter. Is
>> there any way to get FC4 to do the same?
>
> ----
> Still not entirely clear, but perhaps I'm not smart enough. It sounds to
> me like you are doing a double NAT with both firewalls.
>
> Thinking that your external firewall provides NAT to computers in the DMZ
> and to the external address of your internal firewall, and your internal
> firewall is providing NAT to the private-address systems on your LAN,
> then your systems on the LAN are using the internal IP of your internal
> firewall as their default gateway, and that means the internal firewall
> is providing NAT.
>
> If you didn't want to do NAT through the internal firewall, you would
> have to set the default gateway to the internal side of your external
> firewall and a static route for these systems to know how to get there,
> which seems to be too much of a hassle... hence doing NAT on the internal
> firewall makes sense.
>
> Craig

If you don't mind dedicating a box solely to this effort, you could try the
GPL'd version of smoothwall, which is available here:

http://www.smoothwall.org

As I understand it, their relationship to the commercial product that
Smoothwall, Ltd. sells is similar to the Fedora Project's relationship to
RHEL: the former is a testing ground for the latter (although it doesn't
appear to be as "open" a process). For what it's worth, I run the commercial
version on my home network and haven't had any issues at all. And no, no one
is paying me to say this!

Good Luck,

DP
--
David-Paul Niner, RHCE
Orange Park, Florida, United States
GPG Key ID: 0x106B54E3
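The internal-firewall setup Nathaniel describes (route and filter, no NAT, so DMZ access logs show real LAN source addresses) is straightforward on netfilter: enable forwarding and put all policy in the filter table's FORWARD chain while never touching the nat table. The script below is an added example written for this thread, not code from any poster; it assumes a constructed topology of DMZ on eth0 (203.0.113.0/24, a documentation range standing in for the "legal" addresses) and LAN on eth1 (192.168.1.0/24), and the allowed service ports are likewise constructed.

```shell
#!/bin/sh
# Routing-only netfilter firewall between a private LAN and a public DMZ.
# Assumed (constructed) topology: DMZ side eth0, LAN side eth1.
DMZ_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24      # private LAN
DMZ_NET=203.0.113.0/24      # placeholder for the public DMZ range

# Emit the ruleset in iptables-restore format. Only the filter table is
# defined: no nat table, no MASQUERADE/SNAT/DNAT, so a DMZ host's logs
# record the LAN client's real address instead of the firewall's.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: each interface may only forward traffic from its own net.
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
-A FORWARD -i $DMZ_IF -s $LAN_NET -j DROP
# LAN -> DMZ: only the services the DMZ is meant to offer (constructed list).
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p udp --dport 53 -j ACCEPT
# DMZ -> LAN: nothing may originate from the DMZ; log what hits the policy.
-A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "DMZ2LAN-DROP: "
COMMIT
EOF
}

# Sanity check: number of NAT-related lines in the ruleset (expected 0).
nat_rule_count() {
    gen_rules | grep -c -E '^\*nat|MASQUERADE|SNAT|DNAT' || true
}

# Turn on IPv4 forwarding and load the ruleset atomically.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    gen_rules | iptables-restore
}

case "$1" in
    apply) apply_rules ;;
    show)  gen_rules ;;
esac
```

Because the box only forwards, each DMZ host needs a route back to 192.168.1.0/24 via this firewall's DMZ address (or the external firewall must carry that route), otherwise replies never return; that is the static-route requirement Craig mentions.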