TCLUG Archive

Re: [TCLUG:13133] NAT with one network card?



> > On Mon, 31 Jan 2000, Jeff Hallgren wrote:
> > 
> > > Quick question: All of the cookbooks/Howtos I've seen for setting up
> > > NAT on a linux box assumes there are 2 ethernet cards in the box
> > > with different IPs...  Isn't it possible to assign an additional
> > > (private network) IP to an existing card already using the ISPs
> > > static IP with ifconfig? Then set up some additional routing for it?
> > > Or do I really need to install another card?

Yes, it is possible to assign an IP alias to your network cards.  This
works well when you're providing services such as web sites, ftp sites,
DNS, DHCP, etc.  Ben Kochie likes to use IP aliasing for his DHCP
services.  When the primary machine is having problems, the second one can
reassign its own IP alias and begin serving the DHCP services.  It's
actually a slick little solution.

But, your question is directed toward using the same network card to serve
both as a gateway to your private IP and as a receptor for the public IP.
This is NOT a good thing to do for a few reasons.  First and foremost is
the kernel rules for IP filtering...they don't deal with aliased IPs very
well.  I'm not very current on what works and what doesn't, but last I
heard, setting up filters on an aliased (virtual) interface is a Bad Thing
(tm).

The second reason why you shouldn't do this is because you cannot force
your other network machines down the gateway pipe.  The other machines on
your HUB will be able to directly access the network by forcing their own
traffic to the network-connected internet device.

A third reason why this isn't a good idea is because unless you have a
switch, your private network traffic is open for sniffing season...  IOW,
it's not private anymore.

The main reason for the two network cards is traffic isolation, which is
something you cannot obtain by subnetting on a shared hub.

So, in review, why NOT to use interface aliasing as a technique for
NAT/firewalling:

	* The kernel doesn't support IP filtering on aliased interfaces
	* The subnetted devices may still have access to your Internet
		gateway
	* Likewise, your Internet gateway may house sniffers that can
		snoop in on your insecure NAT network.
	* You lose traffic isolation, thus you lose control of your
		network.

-- 
Chad Walstrom                         mailto:chewie@wookimus.net 
a.k.a ^chewie, gunnarr               http://wookimus.net/~chewie
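An added example, not part of the thread, that turns the objection above into a check a gateway admin can run: given `ip -o -4 addr show`-style output (the samples below are constructed, not real hosts), it flags any physical device that carries both a public address and an RFC 1918 private address, which is exactly the one-card aliasing layout argued against.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed samples in the style of `ip -o -4 addr show` output (not real hosts).
ALIASED_ONE_CARD = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 203.0.113.10/24 scope global eth0
2: eth0  inet 192.168.1.1/24 scope global secondary eth0:0
"""
TWO_CARDS = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 203.0.113.10/24 scope global eth0
3: eth1  inet 192.168.1.1/24 scope global eth1
"""
# RFC 1918 ranges listed explicitly (ipaddress.is_private also covers TEST-NET ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")

def parse_addrs(text):
    """Return [(physical_device, IPv4Interface)] from ip(8)-style lines.
    An ifconfig-style alias label (eth0:0) is folded onto its device (eth0)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1).split(":")[0], ipaddress.ip_interface(m.group(2))))
    return out

def is_rfc1918(iface):
    return any(iface.ip in net for net in RFC1918)

def isolation_problems(text):
    """One finding per device that carries both a private (RFC 1918) and a
    public address: the shared-segment layout that lets LAN hosts bypass the gateway."""
    by_dev = defaultdict(list)
    for dev, iface in parse_addrs(text):
        if not iface.ip.is_loopback:
            by_dev[dev].append(iface)
    findings = []
    for dev, ifaces in sorted(by_dev.items()):
        private = [i.with_prefixlen for i in ifaces if is_rfc1918(i)]
        public = [i.with_prefixlen for i in ifaces if not is_rfc1918(i)]
        if private and public:
            findings.append(f"{dev}: public {public} and private {private} share one segment; "
                            "LAN hosts can route around the gateway and sniff its traffic")
    return findings

if __name__ == "__main__":
    for name, cfg in (("one card + alias", ALIASED_ONE_CARD), ("two cards", TWO_CARDS)):
        print(name, "->", isolation_problems(cfg) or "OK")
```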
