Hi,

Basically there are two 'current' kernel level implementations for doing 
ip-filtering and masquerading.  They are:
        ipfwadm         kernel 2.0.*
        ipchains        kernel 2.2.*
There will be a new system for 2.4.* as you note which is more generic and 
technically could support non-IP protocols (woo woo securing DECnet!).

In either instance you can masquerade a network range behind the public IP of 
the Linux box.

For various reasons I am more familiar with ipfwadm.  Under that system there 
are no masquerading rules just forwarding rules that masquerade so it is very 
straightforward.  The ipmasquerading HOWTO, and the Firewalls HOWTO are both 
very good.

So in short you can hide the network behind the Linux box however there is a 
wrinkle ;-)  I am not aware (I could be wrong ofc) of either solution 
supporting 'illegal NAT' where the system understands that the internal LAN 
IPs are wrong: so I don't think you will be able to connect to Internet hosts 
in the 95.*.*.* range because the Linux box will assume that these IPs are on 
the local side.  I'm afraid you're a bit snookered using a Class A range like 
that.

You can use something called port forwarding to allow access to the web server 
on the LAN from the Internet.  I cannot stress too heavily what a bad idea this 
is since if the server gets cracked you have left a nice open path into your 
LAN.  You would be better using a third interface on the Linux box and placing 
the web server here - sometimes this is called a DMZ (DeMilitarised Zone) which 
is an area with a lower security level but still protected.  If you want to 
know more I'd suggest reading/digesting 'Firewalls and Internet Security' by 
Cheswick and Bellovin.

To be honest if you have FW-1 in and a support company that is reliable I can't 
see what advantages there are to throwing it out in place of Linux.

HTH,

Steve

On Thu, Oct 07, 1999 at 11:48:10AM +0530, venu wrote:
<SNIP> 
> we have a legacy network which has IPs : 95.x.x.x ( NOT REGISTERED, i.e 
> illegal)
> that we can't change now !!! ( those network engineers of 1994,when the 
> network
> was installed; obviously did not know about rfc1918  )
> 
> now we want to connect this network to the Internet... we cannot re-number our
> network... so i looked at using a linux box with NAT ...that should be 
> straight
> forward ... right ? wrong ! hey this is fun !!
> 
> and i am a bit confused...
<SNIP> 

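The routing wrinkle Steve describes above (a LAN numbered out of 95.0.0.0/8 hides every Internet host in 95.*.*.* from the masquerading box) can be seen with a small simulation of the kernel's forwarding decision. This is an added example, not code from the thread or from ipfwadm/ipchains; the route table, the interface names eth0/eth1 and the addresses are constructed (198.51.100.7 is from the documentation range). It goes slightly beyond the email by also showing what happens if the inside route is narrowed to the part of 95/8 the LAN actually uses: the collision shrinks to that prefix but does not go away.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix
    iface: str                      # interface the kernel would send out

def lookup(routes, dst):
    """Longest-prefix match, as the kernel route lookup does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.iface if best else None

def forward(routes, src, dst, lan_net, lan_if="eth1", wan_if="eth0"):
    """Return (outgoing interface, masqueraded?) for a packet from the LAN.

    A forwarding rule of the ipfwadm/ipchains kind masquerades traffic whose
    source is the LAN range and whose route points out of the public side.
    If the route lookup picks the LAN interface, the packet never leaves: an
    Internet host inside the LAN's prefix is unreachable.
    """
    out_if = lookup(routes, dst)
    masq = ipaddress.ip_address(src) in lan_net and out_if == wan_if
    return out_if, masq

# Constructed table 1: the whole Class A range is routed to the inside.
WIDE = [Route(ipaddress.ip_network("95.0.0.0/8"), "eth1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth0")]
# Constructed table 2: only the /16 the LAN really uses is routed inside
# (assumes the LAN occupies just 95.1.0.0/16).
NARROW = [Route(ipaddress.ip_network("95.1.0.0/16"), "eth1"),
          Route(ipaddress.ip_network("0.0.0.0/0"), "eth0")]

def wide_ok():      # LAN host to an ordinary Internet address
    return forward(WIDE, "95.1.2.3", "198.51.100.7", WIDE[0].prefix)
def wide_hidden():  # LAN host to an Internet host that happens to be in 95/8
    return forward(WIDE, "95.1.2.3", "95.200.1.1", WIDE[0].prefix)
def narrow_ok():    # same Internet host once the inside route is narrowed
    return forward(NARROW, "95.1.2.3", "95.200.1.1", NARROW[0].prefix)
def narrow_hidden():  # an Internet host inside the narrowed prefix is still lost
    return forward(NARROW, "95.1.2.3", "95.1.9.9", NARROW[0].prefix)

if __name__ == "__main__":
    for name, fn in [("wide/ok", wide_ok), ("wide/hidden", wide_hidden),
                     ("narrow/ok", narrow_ok), ("narrow/hidden", narrow_hidden)]:
        print(name, fn())
```

The second table only makes the hole smaller, which is why Steve's advice stands: any Internet host whose address falls inside whatever the box believes is the local range is unreachable, and the only clean fix is to renumber into an RFC 1918 range.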