[Gllug] IP Masquerading / Proxy servers / default routes

Alex Hudson home at alexhudson.com
Tue Aug 28 21:32:26 UTC 2001


On Tue, Aug 28, 2001 at 02:50:06PM +0100, Jim Cheetham wrote:
> To extend: Linux Masquerading is generally Port Address Translation -
> all outgoing connections appear to be from the same IP address, but from
> different source ports.

It's not port address translation; it's source NAT. Consider computer A
connecting to computer C. The five-tuple is:
	A: 192.168.0.5,20000
	C: 1.2.3.4,80,tcp
If A masqs through B, the connections will actually be:
	A: 192.168.0.5,20000
	B: 192.168.0.1,*,tcp
	B: 4.3.2.1,40000 (1)
	C: 1.2.3.4,80,tcp
(Obviously, all of these numbers are made up)

As well as the apparent source (1) changing port, it's also changed IP
address. The change of IP address is precisely what breaks FTP along with
change of port address. It's a complete bodge, rather than a partial one ;)

> NAT is Network Address Translation, and the term is often used
> inconsistently.

Absolutely agree ;) You're correct - true NAT is a many-to-many relation.

> Proxys are *very useful* in big production environments

Absolutely agree again. In fact, proxies break protocols less than NAT too.
Proxies maintain end-to-end agreements, NAT breaks them. Last time I saw
Rusty Russell one of the things he said that stuck in my mind was "if we
need NAT when we go to IPv6, we'll have done something seriously wrong". I
agree - layer 5+ proxies are the way forward. True, it's slower than NAT,
but these days that makes very little difference in ~100% of applications.

(Rusty also said he thought the transition to IPv6 wasn't going to happen,
so the point is perhaps somewhat moot ;)

> service gets created, people stuck behind proxy firewalls have to start
> circumventing it, or do without. There are benefits to both/all :-)

Generally, if a firewall allows out traffic, you can circumvent it. It's
just the amount of effort it takes. I've seen people encapsulate ppp over
http before :( 

Cheers,

Alex.

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
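The rewrite Alex walks through above, modelled as a small Python simulation. This is an added example and is not code from the post, the thread or the Linux netfilter project. It uses the made-up addresses from the message (A = 192.168.0.5 behind B, whose outside address is 4.3.2.1, talking to C = 1.2.3.4) and two assumptions of my own: the gateway keeps A's source port when that port is still free towards the same destination and only allocates a fresh one on a collision (my reading of how netfilter masquerading behaves; treat it as an assumption), and the connection-tracking table is a plain dict rather than the kernel's conntrack. The last two functions show the FTP point: the PORT command carries A's private address inside the payload, which the header rewrite never touches.

```python
"""Toy source-NAT (masquerade) gateway: header rewrite plus conntrack.

Added illustration, not the thread's or netfilter's code. Addresses are the
made-up ones from the GLLUG post; port-preservation and the dict-based
state table are my modelling assumptions.
"""
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

OUTSIDE_IP = "4.3.2.1"          # B's public address (from the post)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""

    def five_tuple(self) -> Tuple[str, int, str, int, str]:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class Masquerader:
    """Rewrites the source of outbound packets to B's outside address."""

    def __init__(self, outside_ip: str = OUTSIDE_IP, first_port: int = 40000):
        self.outside_ip = outside_ip
        self._alloc = itertools.count(first_port)      # fallback port pool (assumption)
        self.out_table: Dict[Tuple, int] = {}            # original 5-tuple -> translated port
        self.in_table: Dict[Tuple, Tuple[str, int]] = {}  # reply key -> (inside ip, port)

    def _pick_port(self, pkt: Packet) -> int:
        # Keep A's own source port unless another inside host already holds
        # that (port, destination) slot, then fall back to the pool.
        candidate = pkt.src_port
        while (candidate, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.in_table:
            candidate = next(self._alloc)
        return candidate

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record state for replies."""
        key = pkt.five_tuple()
        port = self.out_table.get(key)
        if port is None:
            port = self._pick_port(pkt)
            self.out_table[key] = port
            self.in_table[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        # Only the IP header's source fields change; the payload is untouched.
        return replace(pkt, src_ip=self.outside_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; packets with no state are dropped (None)."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        orig = self.in_table.get(key)
        if orig is None:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def parse_ftp_port(payload: bytes) -> Optional[Tuple[str, int]]:
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    text = payload.decode("ascii", errors="replace").strip()
    if not text.upper().startswith("PORT "):
        return None
    nums = [int(x) for x in text[5:].split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def ftp_breaks(nat: Masquerader, ctrl_pkt: Packet) -> bool:
    """True when the address A advertises in PORT differs from what C sees
    in the IP header, i.e. C will try to open the data channel to a private
    address that the outside cannot reach."""
    out = nat.outbound(ctrl_pkt)
    advertised = parse_ftp_port(out.payload)
    return advertised is not None and advertised[0] != out.src_ip


if __name__ == "__main__":
    nat = Masquerader()
    a = Packet("192.168.0.5", 20000, "1.2.3.4", 80)
    print("A ->", a.five_tuple(), "leaves B as", nat.outbound(a).five_tuple())
    # Constructed FTP control packet: PORT 192,168,0,5,78,32 == 192.168.0.5:20000
    ftp = Packet("192.168.0.5", 20001, "1.2.3.4", 21,
                 payload=b"PORT 192,168,0,5,78,32\r\n")
    print("FTP PORT leaks private address:", ftp_breaks(Masquerader(), ftp))
```

Run it and the first line shows exactly the header rewrite in the post: source IP and, when two inside hosts collide on a port, the source port too, while the reply path only works because B kept state. The FTP check is the failure mode Alex points at: the header says 4.3.2.1, the payload still says 192.168.0.5, so the server's data connection either goes to an unreachable address or arrives at B with no matching state and is dropped, which is why masquerading needs a protocol-aware helper for FTP and a proxy does not.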