Book: Iptables Tutorial 1.2.2
Placement of NAT machines
This may look simple, but in a large network it can be harder than you first thought. In general, the NAT machine belongs on the perimeter of the network, just like any filtering machine, which in most cases means that the NAT machine and the filtering machine are one and the same box. If the network is very large, it is also worth considering splitting it into smaller networks and assigning a NAT/filtering machine to each of them. NAT costs real processing power, since every packet of a translated connection has to be looked up in the connection tracking table and rewritten, so spreading the load this way helps keep the round trip time (RTT, the time it takes for a packet to reach its destination and the reply to get back) down.
In the example network described above, with two networks and one Internet connection, we should therefore look at how large the two networks are. If they can be considered small, and depending on what the clients require, a couple of hundred clients should be no problem for a decent NAT machine. Otherwise we could split the load over several machines by giving each of several smaller NAT machines its own public IP, letting each handle its own smaller segment of the network, and then having their traffic converge on a dedicated routing-only machine. This of course assumes that you have enough public IPs for all of your NAT machines, and that those addresses are routed through your routing machine.
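As an added example of the split design just described (this is not code from the tutorial), here is the rule set one of the per-segment NAT/filtering machines would load. Each such box owns one public address and hides one private segment behind it; the routing-only machine in the middle loads nothing into the nat table and simply forwards the public addresses of the NAT boxes. The interface names, the private prefix and the public address are assumptions for illustration, and each NAT box gets its own call with its own values.

```shell
#!/bin/sh
# Added example for the per-segment NAT design; not code from the tutorial.
# One NAT/filtering machine: it owns a single public address and hides one
# private segment behind it. Interface names and addresses are assumptions.
#
# IPT and SYSCTL can be overridden, e.g. IPT='echo iptables' SYSCTL='echo sysctl',
# to print the rules instead of loading them, so a rule set can be reviewed
# before it touches the perimeter.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# nat_segment_rules LAN_IF LAN_NET WAN_IF PUBLIC_IP
nat_segment_rules() {
    lan_if=$1; lan_net=$2; wan_if=$3; public_ip=$4

    # Start from a clean slate in the two chains this script owns.
    $IPT -t nat -F POSTROUTING
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # Anti-spoofing: packets entering from the segment must carry a source
    # address inside the segment's own prefix; otherwise the SNAT rule below
    # would launder a forged source behind our public IP.
    $IPT -A FORWARD -i "$lan_if" ! -s "$lan_net" -j DROP

    # Replies and related traffic for connections already known to conntrack.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections are allowed only from the segment toward the outside;
    # nothing on the WAN side may open a connection into the segment.
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Rewrite the source of everything leaving on the WAN side to this box's
    # public address. Each NAT machine in the split design uses its own.
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$lan_net" \
        -j SNAT --to-source "$public_ip"
}

# Load the rules only when explicitly asked, so the file can also be sourced
# or dry-run: IPT='echo iptables' SYSCTL='echo sysctl' sh nat-segment.sh apply
if [ "${1:-}" = "apply" ]; then
    # A NAT box forwards between its two interfaces, so forwarding must be on.
    $SYSCTL -w net.ipv4.ip_forward=1
    nat_segment_rules eth1 192.168.1.0/24 eth0 203.0.113.10
fi
```

Each additional segment gets its own box running the same function with a different private prefix and a different public address; the routing-only machine upstream only needs routes for those public addresses and keeps no connection tracking state, which is what takes the per-packet NAT cost off the shared path.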