[Techtalk] reality check from networking gurus wanted
carla at bratgrrl.com
Fri Sep 22 22:36:50 UTC 2006
I've been reading this article over and over, and I'm not getting it:
Is the article correct and I'm just being thick, or is the author missing the boat? For example:
"Home users who talk about NAT are actually talking about PAT, or Port Address Translation. This is quite easy to remember: PAT translates ports, as the name implies, and likewise, NAT translates addresses."
Well now, my iptables rules definitely translate addresses. This snippet is for a network with a static routable public IP, and a Web server in a DMZ on a private IP:
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 80 -j DNAT --to-destination 192.168.2.25:80
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 192.168.2.25 --dport 80 -j ACCEPT
DNAT translates the destination address, and outgoing packets are source-natted to the public IP:
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j SNAT --to-source 22.214.171.124
Sure looks like address translation to me.
The concluding statement has me puzzled:
"IPv6 introduces the ability to have way more IP addresses than we really need. Does that mean that IPv6 will eliminate NAT? No. It also won't eliminate the usage of NAT everyone's familiar with: PAT. We all need somewhere to stow Windows boxes away from the myriad of uninitiated connection attempts that come from the Internet."
I look forward to IPv6 taking over and thereby bit-bucketing NAT forever with a glad heart. It's a kludge that has served its purpose; now it's time to start thinking about retirement. There are ways other than NAT to protect private hosts, such as plain ole iptables filters, and IPv6 provides private addresses.
I'm digging deeply into both iptables and IPv6, and I'm working hard to get it right. I appreciate any comments from y'all smart kids.
check out my "Linux Cookbook", the ultimate Linux user's
and sysadmin's guide! http://www.oreilly.com/catalog/linuxckbk/
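As an added example (not code from the post above), here is the complete ruleset that the three DNAT/SNAT/FORWARD rules quoted in the message are a fragment of: default-deny policies, the connection-tracking rule that lets the web server's replies back out, the DNAT for port 80, DMZ isolation so a compromised web server cannot pivot into the LAN, and the outbound SNAT. The interface names, the LAN subnet and the public address 203.0.113.10 (an RFC 5737 documentation address) are assumptions; only 192.168.2.25 comes from the post. Run it as `sh dmz-fw.sh dry-run` to print the rules, or with IPT=echo, before applying with `apply` as root. One caveat on the NAT/PAT question: the SNAT rule translates addresses, but when two private hosts behind the one public address pick the same source port the kernel also rewrites the port to keep the connections apart, which is the behaviour the article is calling PAT.

```shell
#!/bin/sh
# dmz-fw.sh -- added example, not from the original post.
# Assumptions: eth0 is the WAN, eth1 the DMZ, eth2 the LAN; 203.0.113.10 stands
# in for the real static public IP. Set IPT=echo to print rules instead of
# applying them.

WAN_IFACE="${WAN_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth1}"
LAN_IFACE="${LAN_IFACE:-eth2}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WEB_SERVER="${WEB_SERVER:-192.168.2.25}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

apply_rules() {
    ipt="${IPT:-iptables}"

    # Clean slate, default deny for traffic to and through the firewall.
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Replies to connections the firewall already knows about. Without the
    # FORWARD rule the DNAT below lets the request in, but the web server's
    # answer is dropped on its way back out.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    $ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Destination NAT: port 80 on the public address becomes the DMZ server.
    # PREROUTING runs before routing, so FORWARD already sees the private
    # destination and must match on it, not on the public IP.
    $ipt -t nat -A PREROUTING -i "$WAN_IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    $ipt -A FORWARD -i "$WAN_IFACE" -o "$DMZ_IFACE" -p tcp -d "$WEB_SERVER" \
        --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # DMZ isolation: the web server may fetch updates and resolve names, but
    # may never open a connection into the LAN. A popped web server should
    # not become a pivot into the internal network.
    $ipt -A FORWARD -i "$DMZ_IFACE" -o "$LAN_IFACE" -j DROP
    $ipt -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -s "$WEB_SERVER" \
        -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -i "$DMZ_IFACE" -o "$WAN_IFACE" -s "$WEB_SERVER" \
        -p udp --dport 53 -j ACCEPT

    # LAN hosts may reach the DMZ web server and the Internet.
    $ipt -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -o "$DMZ_IFACE" \
        -d "$WEB_SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $ipt -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -o "$WAN_IFACE" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Source NAT: everything leaving on the WAN carries the public address.
    # Matching only -o WAN keeps LAN -> DMZ traffic with its real source.
    $ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -j SNAT --to-source "$PUBLIC_IP"
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT=echo apply_rules ;;
esac
```

The two FORWARD rules with `--ctstate NEW` are the only places a connection can be opened through the box in either direction; everything else rides on the ESTABLISHED,RELATED rule, so a missing or mistyped target shows up immediately as a dropped SYN rather than as a silently open path.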