Advice sought on machine web-server safe

STYMA, ROBERT E (ROBERT) stymar at lucent.com
Fri Nov 18 14:04:57 UTC 2005


> Chain ppp0_masq (1 references)
> target     prot opt source               destination
> MASQUERADE  all  --  192.168.1.0/24       anywhere
> MASQUERADE  all  --  192.168.3.0/24       anywhere
> MASQUERADE  all  --  169.254.0.0/16       anywhere
> --------------------------------------------
> 
> As a matter of interest, is it possible
> to run a home network _without_ NAT?
> 
> >   If you would like a simple way out, you can consider
> > getting an inexpensive DSL/Cable router.
> 
> Several people have suggested this,
> but I'm not sure why it is thought better than iptables on a computer.
> It seems to me that a router is a black box,
> and you're basically trusting software you know nothing about
> to only allow certain packets through.
> Isn't that slightly against the Linux philosophy?
> 
1.  The presence of the non-routable addresses (192.168.*.*)
    does indicate the presence of NAT.

2.  The DSL/cable router is a simplified solution to the problem.
    Iptables is a full-featured firewall suitable for
    business applications.  You can devise very intricate rules
    to meet a host of needs.  As a result the rule generation
    is suitably full-featured and therefore complex.

    Using iptables and 2 NIC cards you are using your Linux box
    as your firewall router.  A lot of people like to do it this
    way.  The downside is that if you turn your Linux box off for
    whatever reason, you have disconnected your other computers
    from the internet.  The DSL/cable routers usually have 4 or 8
    RJ45 plugs for computers.  Your Linux box is not required to
    be on for the other computers to access the internet.

    There are plenty of arguments for both ways of doing this.

3.  If you are really hard-core Linux, you can get an embedded Linux
    that will run on a Linksys router.  Then you can know all about
    the software running on your router.  I have never tried this
    myself, but there is plenty of discussion on it in the newsgroups.

Bob Styma
