Sunday, October 17, 2010

NAT, DMZ, PAT, Port forwarding, Machine to Machine

1.https://supportforums.cisco.com/message/3190440
2.
Router has:
inner bound || DMZ || outer bound
NAT SPAM NAT

1.DMZ input is a local ip
2.NAT is a wrapper around DMZ
3.NAT has an ART table
4.if there is only a single public ip, the ART entry maps (public ip, port) to (local ip, port)
5.NAT is inbound initiated by default; it acts similar to a firewall since only the applications
that seek a connection will have an entry in the ART

6.static nat and port forwarding are similar
7.nat can be interface, ip or port based
8.NAT goes from inner to outer; port forwarding, dmz and static nat go from outer to inner

9.Subnets
1.all nodes behind a single gw assigned ip addresses in different subnets is of less use;
arp will resolve the mac and that will direct the packets
2.if the nodes are on two sides of the gw it will be more useful;
the gw will have routing information about the two subnets and packets will cross the gw
3.

10.Use iptables to set up DMZ and NAT entries

11.Illustrated nat setup
http://doc.m0n0.ch/handbook/examples.html

12.typical nat rule
Original Packet:
==============
Source: DMZ Network (or object for DMZ server)
Destination: Internal Network (usually a group object containing all your internal subnets)
Service: Any

Translated Packet:
=================
Source: Original
Destination: Original
Service: Original

12.Features
In the current router, dmz is single-ip based; any malware with access to the dmz ip can access the other pcs on the lan

The next step up is a router with wan, wifi, lan + an optional interface. This optional i/f can be configured for a dmz subnet. That subnet can be prevented from accessing the lan subnet.

13.wherever the iptables command is accessible in the firmware, advanced configurations can be tested
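As an added example (not code from the original post), here is an iptables ruleset for the three-interface router described under 12 Features: the outbound NAT entry, a port forward, the weak single-ip dmz host arrangement beside the isolated dmz subnet on the optional interface. Interface names (eth0, br0, eth2), the addresses, the dmz host and the IPT dry-run variable are all assumptions; by default the script only prints the rules, so it can be tested before it is applied on the firmware.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed assumptions:
#   WAN  eth0   public address from the ISP
#   LAN  br0    192.168.1.0/24
#   OPT  eth2   192.168.2.0/24  (the optional interface used as a dmz subnet)
# IPT defaults to "echo iptables" so running the script only prints the rules;
# on the router run  IPT=iptables sh dmz.sh  to apply them.
IPT="${IPT:-echo iptables}"
WAN=eth0; LAN=br0; OPT=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_HOST=192.168.2.10      # the one server that is reachable from outside

base_rules() {
    # Default deny on the forward path; anything allowed must be listed explicitly.
    $IPT -P FORWARD DROP
    # Replies to connections that already have a translation entry are let back in.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outbound NAT (PAT): every inside host shares the single public address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$OPT" -o "$WAN" -j ACCEPT
}

# Port forwarding (static nat for one port): WAN:port -> DMZ_HOST:port.
# FORWARD is evaluated after DNAT, so the match is on the translated address.
port_forward() {
    port=$1
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" -j DNAT --to-destination "$DMZ_HOST:$port"
    $IPT -A FORWARD -i "$WAN" -o "$OPT" -d "$DMZ_HOST" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
}

# Weak single-ip "dmz host" as on consumer routers: every unsolicited inbound
# connection lands on DMZ_HOST, and that host is still free to open connections into the lan.
dmz_host_weak() {
    $IPT -t nat -A PREROUTING -i "$WAN" -j DNAT --to-destination "$DMZ_HOST"
    $IPT -A FORWARD -i "$WAN" -o "$OPT" -d "$DMZ_HOST" -j ACCEPT
    $IPT -A FORWARD -i "$OPT" -o "$LAN" -j ACCEPT    # this is the exposure described in 12 Features
}

# Hardened variant: the dmz subnet lives on its own interface and is explicitly
# blocked from starting connections into the lan. LAN -> DMZ stays allowed and the
# replies come back through the ESTABLISHED,RELATED rule in base_rules.
# The DROP is redundant with the FORWARD policy but keeps a later broad ACCEPT from reopening it.
dmz_subnet_isolated() {
    $IPT -A FORWARD -i "$OPT" -o "$LAN" -s "$DMZ_NET" -d "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$OPT" -j ACCEPT
}

# Apply (or, with the default IPT, print) the hardened ruleset.
base_rules
port_forward 443
dmz_subnet_isolated
```

Run once with the default IPT to review the printed rules, compare dmz_host_weak against dmz_subnet_isolated, and only then apply with IPT=iptables.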

14.For VPN on the router the server acts like a gw with dhcp and a different subnet/same subnet;
the configuration can be a software switch with one port bridged to the hardware switch ... ??
