9.1. Side Effects and Fringe Benefits
The IP
masquerade facility comes with its own set of side effects, some of
which are useful and some of which might become bothersome.

None
of the hosts on the supported network behind the masquerade router
are ever directly seen; consequently, you need only one valid and
routable IP address to allow all hosts to make network connections
out onto the Internet. This has a downside: none of those hosts are
visible from the Internet and you can't directly
connect to them from the Internet; the only host visible on a
masqueraded network is the masquerade host itself. This is important
when you consider services such as mail or FTP. It helps determine
what services should be provided by the masquerade host and what
services it should proxy or otherwise treat specially.
However, you can use DNAT
(Destination NAT) on the router to route inbound
connections to certain ports to internal servers. This works great
for web and mail servers. You can run those services on hosts on the
private network, and use DNAT to forward inbound connections to port
80 and port 25 to the appropriate internal servers. This way, the
router host is only involved in routing, not in providing any
externally visible services. You can use the same technique to route
incoming connections to a high-numbered port (say, 4022) to the
Secure Shell (SSH) port (usually 22) on an internal host so you can
SSH directly into one of your internal hosts through the router.

Because none of the masqueraded hosts are
visible (apart from any ports you explicitly forward with DNAT), they
are relatively protected from attacks from outside. You
can have one host serve as your firewall and masquerading router.
Your whole network will be only as safe as your masquerade host, so
you should use firewall rules to protect it and you should not run
any other externally visible services on it.

IP masquerade will have some
impact on the performance of your networking. In typical
configurations this will probably be barely measurable. If you have
large numbers of active masquerade sessions, though, you may find
that the processing required at the masquerade host begins to impact
your network throughput. IP masquerade must do a good deal of work
for each packet compared to the process of conventional routing. That
low-end host you have been planning on using as a masquerade host
supporting a personal link to the Internet might be fine, but
don't expect too much if you decide you want to use
it as a router in your corporate network at Ethernet speeds.
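The DNAT forwarding and the firewalling of the masquerade host described above, as an added example that is not part of the original text: a script that prints the netfilter/iptables rules for a router that forwards inbound web, mail and SSH connections to internal hosts while exposing nothing on the router itself. The interface names, the private network and the internal host addresses are assumptions; the DNAT rule alone is not enough on a router whose FORWARD chain defaults to DROP, so each forwarded service also gets a matching FORWARD rule.

```shell
#!/bin/sh
# Added example (not from the original text): emit the iptables rules for a
# masquerading router with DNAT port forwards. Interface names and addresses
# are assumptions. The script only PRINTS rules; review the output, then
# apply it as root with:  sh masq-rules.sh | sh
set -eu

EXT_IF=eth0             # assumed: interface with the single routable address
INT_IF=eth1             # assumed: interface on the private network
INT_NET=192.168.1.0/24  # assumed: the masqueraded private network

# dnat_rule EXT_PORT INT_HOST INT_PORT
# Prints the two rules one forwarded service needs: the DNAT in the nat
# table rewrites the destination of packets arriving on the external
# interface, and the FORWARD rule lets the rewritten connection through a
# default-DROP FORWARD chain.  DNAT without the FORWARD rule silently fails.
dnat_rule() {
    port=$1; host=$2; iport=$3
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$port" "$host" "$iport"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$host" "$iport"
}

# build_ruleset prints the complete ruleset: default-deny policies, a
# locked-down INPUT chain for the router itself, outbound masquerading for
# the private network, and the three port forwards from the text.
build_ruleset() {
    cat <<EOF
# start clean, default-deny for traffic to and through the router
iptables -F; iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the router itself: loopback, replies to its own traffic, and SSH only
# from the private side (no externally visible services on the router)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -j ACCEPT
# forwarding: private hosts may go out, replies may come back, nothing else
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# rewrite the source of everything leaving on the external interface
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
EOF
    # inbound services live on private hosts (assumed addresses); the
    # router only routes.  Port 4022 outside maps to SSH (22) inside.
    dnat_rule 80   192.168.1.10 80
    dnat_rule 25   192.168.1.11 25
    dnat_rule 4022 192.168.1.20 22
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

build_ruleset
```

The script deliberately separates generation from application so the rules can be read (or diffed against the running `iptables -L -n -t nat`) before they touch a remote router; note that the router's own port 22 is reachable only from the private side, so the only way in from the Internet is the explicit 4022 forward to the internal host.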
Finally, some network services just
won't work through masquerade, or at least not
without a lot of help. Typically, these are services that rely on
incoming sessions to work, such as the Direct Client-to-Client (DCC)
features of IRC, or certain types of video and audio multicasting
services. For some of these, specially developed "helper" kernel
modules exist to make them work through masquerade, and we'll
talk about those in a moment. For others, you may find no support
at all, so be aware that masquerade won't be suitable in all
situations.