RuggedCom RX1000 Network Router User Manual

RuggedRouter® User Guide
In practice, an iptables rule file and a script are all that are needed to load the netfilter
system with rules upon router start-up. The iptables rules, however, are somewhat
difficult to configure and manage.
The Shoreline Firewall, often known as shorewall, offers a more convenient approach.
Shorewall is really just a front end to netfilter, maintaining the information used to
generate the iptables rules in a less complicated form.
Shorewall itself does not provide a graphical front end, and instead assumes
administrators will have a fair amount of familiarity with reading and editing Linux
configuration files. The RuggedRouter comes with a GUI front end that simplifies some
of the management aspects.
Network Address Translation
Network Address Translation (NAT) enables a LAN to use one set of IP addresses
for internal traffic and a second set for external traffic. The NAT function of netfilter
makes all necessary IP address translations as traffic passes between the intranet and
the Internet. NAT is often referred to in Linux as IP Masquerading.
NAT itself provides a type of firewall by hiding internal IP addresses.
More importantly, NAT enables a network to use more internal IP addresses. Since
they're used internally only, there's no possibility of conflict with IP addresses used by
other organizations. Typically, your internal network will be set up to use one or more
of the reserved address blocks described in RFC 1918, namely:
10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
As packets with these addresses reach the NAT gateway, their source address and source
TCP/UDP port number are recorded, and the address/port pair is translated to the
public IP address and an unused port number on the public interface. When the
Internet host replies to the internal machine's packets, the replies are addressed to the
NAT gateway's external IP address at the translated port number. The NAT gateway then
searches its tables, reverses the changes it made to the outgoing packets, and
forwards the reply packets on to the internal machine.
Translation of ICMP packets happens in a similar fashion but without the source port
modification.
NAT can be used in static and dynamic modes. Static NAT masks the private IP
addresses by translating each internal address to a unique external address. Dynamic
NAT translates all internal addresses to one (or more) external address(es).
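The translation described above, modelled as a small dynamic NAT (masquerading) gateway. This is an added illustration, not code from the RuggedRouter or netfilter; the class and packet layout are assumptions made for the example, and the public and remote addresses used are constructed documentation values. It records each private source address/port, rewrites it to the public address and an unused port, reverses the mapping for replies, leaves the ICMP identifier untouched, and drops inbound packets that match no table entry (the "hiding" property the guide mentions).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# The RFC 1918 blocks listed in the guide; only packets sourced from them are translated.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:                  # assumed minimal packet layout for the example
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0             # TCP/UDP source port
    dport: int = 0             # TCP/UDP destination port
    ident: int = 0             # ICMP echo identifier (never rewritten, per the guide)


class NatGateway:
    """Dynamic NAT (masquerading): all internal hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public-side port or ICMP id) -> (private address, private port)
        self.table = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an internal packet heading out and record the mapping."""
        if not any(ipaddress.ip_address(pkt.src) in net for net in RFC1918):
            return pkt                                   # public source: pass through
        if pkt.proto == "icmp":
            self.table[("icmp", pkt.ident)] = (pkt.src, 0)
            return replace(pkt, src=self.public_ip)      # address only, no port change
        # Reuse an existing mapping for this (address, port), else pick an unused port.
        for (proto, pub_port), (ip, port) in self.table.items():
            if proto == pkt.proto and (ip, port) == (pkt.src, pkt.sport):
                return replace(pkt, src=self.public_ip, sport=pub_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply; anything without a table entry is dropped."""
        if pkt.dst != self.public_ip:
            return None
        key = ("icmp", pkt.ident) if pkt.proto == "icmp" else (pkt.proto, pkt.dport)
        entry = self.table.get(key)
        if entry is None:
            return None                                  # unsolicited: no internal host exposed
        priv_ip, priv_port = entry
        return replace(pkt, dst=priv_ip, dport=priv_port)
```

A real gateway also ages entries out of the table and tracks TCP state; this model keeps mappings for the life of the object to keep the translation logic visible.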