291 lines
7.5 KiB
HTML
291 lines
7.5 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services? </TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux IP Masquerade HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Frequently Asked Questions"
|
|
HREF="faq.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="( Email list ) - How do I join or view the IP Masquerade and/or IP Masqurade Developers
|
|
mailing lists and archives?"
|
|
HREF="masq-list.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="( GUI ) - Are there any GUI firewall creation/management tools? "
|
|
HREF="gui-tools.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux IP Masquerade HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="masq-list.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 7. Frequently Asked Questions</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="gui-tools.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="WHAT-IS-MASQ"
|
|
></A
|
|
>7.6. ( NAT vs. Proxy ) - How does IP Masquerade differ from Proxy or NAT services?</H1
|
|
><P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>Proxy: Proxy servers are available for: Win95, NT, Linux, Solaris, etc.
|
|
|
|
Pro: + (1) IP address ; cheap
|
|
+ Optional caching for better performance (WWW, etc.)
|
|
|
|
Con: - All applications behind the proxy server must both SUPPORT
|
|
proxy services (SOCKS) and be CONFIGURED to use the Proxy
|
|
server
|
|
- Screws up WWW counters and WWW statistics
|
|
|
|
A proxy server uses only (1) public IP address, like IP MASQ, and acts
|
|
as a translator to clients on the private LAN (WWW browser, etc.).
|
|
This proxy server receives requests like TELNET, FTP, WWW,
|
|
etc. from the private network on one interface. It would then in turn,
|
|
initiate these requests as if someone on the local box was making the
|
|
requests. Once the remote Internet server sends back the requested
|
|
information, it would re-translate the TCP/IP addresses back to the
|
|
internal MASQ client and send traffic to the internal requesting host.
|
|
This is why it is called a PROXY server.
|
|
|
|
Note: ANY applications that you might want to use on the
|
|
internal machines *MUST* have proxy server support
|
|
like Netscape and some of the better TELNET and FTP
|
|
clients. Any clients that don't support proxy servers
|
|
won't work.
|
|
|
|
Another nice thing about proxy servers is that some of them
|
|
can also do caching (Squid for WWW). So, imagine that you have 50
|
|
proxied hosts all loading Netscape at once. If they were installed
|
|
with the default homepage URL, you would have 50 copies of the same
|
|
Netscape WWW page coming over the WAN link for each respective computer.
|
|
With a caching proxy server, only one copy would be downloaded by the
|
|
proxy server and then the proxied machines would get the WWW page from
|
|
the cache. Not only does this save bandwidth on the Internet
|
|
connection, it will be MUCH MUCH faster for the internal proxied
|
|
machines.
|
|
|
|
|
|
|
|
MASQ: IP Masq is available on Linux and a few ISDN routers such
|
|
or as the Zytel Prestige128, Cisco 770, NetGear ISDN routers, etc.
|
|
1:Many
|
|
NAT
|
|
Pro: + Only (1) IP address needed (cheap)
|
|
+ Doesn't require special application support
|
|
+ Uses firewall software so your network can become
|
|
more secure
|
|
|
|
Con: - Requires a Linux box or special ISDN router
|
|
(though other products might have this.. )
|
|
- Incoming traffic cannot access your internal LAN
|
|
unless the internal LAN initiates the traffic or
|
|
specific port forwarding software is installed.
|
|
Many NAT servers CANNOT provide this functionality.
|
|
- Special protocols need to be uniquely handled by
|
|
firewall redirectors, etc. Linux has full support
|
|
for this (FTP, IRC, etc.) capabilty but many routers
|
|
do NOT (NetGear DOES).
|
|
|
|
Masq or 1:Many NAT is similar to a proxy server in the sense that the
|
|
server will perform IP address translation and fake out the remote server
|
|
(WWW for example) as if the MASQ server made the request instead of an
|
|
internal machine.
|
|
|
|
The major difference between a MASQ and PROXY server is that MASQ servers
|
|
don't need any configuration changes to all the client machines. Just
|
|
configure them to use the linux box as their default gateway and everything
|
|
will work fine. You WILL need to install special Linux modules for things
|
|
like RealAudio, FTP, etc. to work)!
|
|
|
|
Also, many users operate IP MASQ for TELNET, FTP, etc. *AND* also setup a
|
|
caching proxy on the same Linux box for WWW traffic for the additional
|
|
performance.
|
|
|
|
|
|
NAT: NAT servers are available on Windows 95/NT, Linux, Solaris, and some
|
|
of the better ISDN routers (not Ascend)
|
|
|
|
Pro: + Very configurable
|
|
+ No special application software needed
|
|
|
|
Con: - Requires a subnet from your ISP (expensive)
|
|
|
|
Network Address Translation is the name for a box that would have a pool of
|
|
valid IP addresses on the Internet interface which it can use. Whenever the
|
|
Internal network wanted to go to the Internet, it associates an available
|
|
VALID IP address from the Internet interface to the original requesting
|
|
PRIVATE IP address. After that, all traffic is re-written from the NAT
|
|
public IP address to the NAT private address. Once the associated PUBLIC
|
|
NAT address becomes idle for some pre-determined amount of time, the
|
|
PUBLIC IP address is returned back into the public NAT pool.
|
|
|
|
The major problem with NAT is, once all of the free public IP addresses are
|
|
used, any additional private users requesting Internet service are out of
|
|
luck until a public NAT address becomes free.</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>For an excellent and very comprehensive description of the various forms of
|
|
NAT, please see:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
><A
|
|
HREF="http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html"
|
|
TARGET="_top"
|
|
>http://www.suse.de/~mha/linux-ip-nat/diplom/nat.html/</A
|
|
></P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
><P
|
|
>Here is another good site to learn about NAT, although many of the URLs are
|
|
old but still valid:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
><A
|
|
HREF="http://www.linas.org/linux/load.html"
|
|
TARGET="_top"
|
|
>http://www.linas.org/linux/load.html/</A
|
|
></P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="masq-list.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="gui-tools.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>( Email list ) - How do I join or view the IP Masquerade and/or IP Masqurade Developers
|
|
mailing lists and archives?</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="faq.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>( GUI ) - Are there any GUI firewall creation/management tools?</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |