Thu 19 Oct 2006
  Network 10.0.0.0
  Networks 172.16.0.0 to 172.31.0.0 (Network 172.16.0.0 is used for the examples in this book)
  Networks 192.168.0.0 to 192.168.255.0

Private network numbers are popular, and for some good reasons:

Using a private network number reduces paperwork. You don't have to ask anyone's permission to use these addresses. No applications, no fees. Just do it. The addresses are yours. If you change ISPs, there is no need to renumber the hosts on the network. You may need to change the configuration of the NAT box, but that is probably easier than changing the configuration of all of your desktop systems.

You conserve IP addresses. Having more addresses than you really need can make designing a network much easier, but you don't want more than you need if you're wasting valuable IP addresses. When you use private addresses, you don't waste any IP addresses. These addresses are reusable, and the same addresses you're using are probably being used by hundreds of other private networks around the world.

Private IP addresses reduce address spoofing. Spoofing is a security attack in which someone at a remote location pretends to be on your local network by using one of your network addresses. Private IP addresses should not be forwarded through the Internet, so spoofing one of these addresses won't do the attacker much good. Note that "should not" is the operative phrase: the protection only holds if your own border router drops packets that arrive from the Internet with a private source address, so add that ingress filter rather than assuming the ISP has.

Private network numbers are explicitly defined for private use. They cannot be routed through the Internet because any number of private networks might be using the same addresses. Before packets originating from a host that uses a private IP address can be forwarded to an external network, the source address in the packet must be converted to a valid Internet address.

Weigh all of the factors before you decide to use NAT. Network address translation has some problems:

It places a small additional overhead on the router, which reduces the router's performance.

It doesn't work well with all protocols. TCP/IP protocols were not designed with NAT in mind. Protocols that carry IP addresses or port numbers inside the packet payload (FTP is the classic case) need protocol-specific help from the translator, because the translator only rewrites the IP header.

It interferes with end-to-end authentication schemes that authenticate the source address. IPsec AH, for example, includes the source address in its integrity check, so a packet whose address NAT has rewritten fails verification at the other end.

Linux 2.4 implements IP address translation in the kernel; the iptables command is the user-space tool that configures it. Linux includes IP address translation as part of the firewall software that comes with the system. Firewalls and how to configure a Linux server as a firewall are discussed in Chapter 12, "Security." Chapter 12 provides the real details of the iptables command. This chapter looks at the one aspect of the iptables command that allows you to translate addresses.

Configuring a Linux NAT Server

Despite the fact that address translation is included in the packet-filtering software used to build a firewall, it is not specifically a security feature. Hosts behind the translator happen to be unreachable from the Internet unless you add rules that forward traffic to them, but that is a side effect, not a substitute for the filtering rules in Chapter 12. A very common use for address translation is to connect a small network to the Internet. Assume that you have a small office network that connects to the Internet through a local ISP. Further, assume that the ISP assigns the office only one IP address, even though you have four computers on your network. Using a Linux NAT box, all four computers can communicate with the Internet with only one valid IP address.

The iptables command processes packets through sets of filtering rules. These sets of rules are called chains. The primary reason to construct these rules is security, and the chains that apply to security are described in Chapter 12. When iptables is used for address translation, which Linux
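The office-behind-one-address setup described above, written out as an added example (this is not text or code from the book): an iptables rule set for a Linux NAT router that masquerades the office LAN behind whatever single address the ISP assigns. It assumes eth0 faces the ISP, eth1 faces the office LAN, and the office uses the book's example network 172.16.0.0/16; all three are assumptions and can be overridden through the WAN_IF, LAN_IF and LAN_NET environment variables. By default the script only prints the rules so they can be reviewed; run it as root with the argument apply to install them.

```shell
#!/bin/sh
# Added example (not from the book): masquerading NAT for a small office
# that has one public address. Assumed names: eth0 is the ISP-facing
# interface, eth1 the office LAN, and the LAN is 172.16.0.0/16.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-172.16.0.0/16}"

# Print the rule set instead of applying it, so it can be reviewed first.
nat_rules() {
    cat <<EOF
# The kernel forwards nothing between interfaces until this is enabled.
sysctl -w net.ipv4.ip_forward=1
# Start from an empty NAT table and a FORWARD chain that drops by default.
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
# Ingress filter: packets arriving from the Internet must never carry a
# private (RFC 1918) source address; such packets are spoofed.
iptables -A FORWARD -i $WAN_IF -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $WAN_IF -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $WAN_IF -s 192.168.0.0/16 -j DROP
# Let the LAN open connections to the Internet, and let only the replies
# (plus connections the conntrack helpers mark as related, such as FTP
# data channels when the FTP helper module is loaded) back in.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source address of outbound LAN traffic to the address
# $WAN_IF currently has. MASQUERADE is used instead of SNAT --to-source
# because the ISP assigns the single address and may change it.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Apply the rules (comment lines stripped); needs root and iptables.
apply_nat() {
    nat_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) apply_nat ;;
    *)     nat_rules ;;
esac
```

The order of the FORWARD rules matters: the anti-spoofing drops come before the ESTABLISHED,RELATED accept so that a forged packet with a private source address cannot ride in on an existing connection's state. If the ISP gives you a fixed address instead, replacing the MASQUERADE target with SNAT --to-source and that address avoids the per-packet interface lookup that MASQUERADE performs.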