LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 10-29-2004, 04:51 AM   #1
vermaamitabh
LQ Newbie
 
Registered: Oct 2004
Posts: 23

Rep: Reputation: 15
NAT doubts


Hi All,
I have some doubts about NAT (network address translation). As I understand it, NAT is used to share one internet connection between many machines which don't have public IP addresses, e.g. for an intranet. So according to it, all the outgoing packets from the intranet to the internet are masked, and when the response comes back for these packets it is unmasked and sent to the machine which initiated the request.

Here my doubt comes:
If I have a properly working NAT, then only the packets which are the responses to some intranet machine's request MUST be forwarded, and any packets which have not been destined for any intranet machine MUST not come inside. Am I right, or what is the real scenario?
If it is so, then I don't need any firewall for incoming connections, do I?

If somebody has an idea about my doubts, please help me.
Thanks in advance
Best Regards
 
Old 10-29-2004, 05:17 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
As far as I know, it is possible to get past your NAT box and reach the local network.
Make it very hard to pass your NAT box (nothing is impossible):
# Flush the FORWARD chain and make DROP the default for traffic crossing the box
iptables -F FORWARD
iptables -P FORWARD DROP
# Let through only packets that belong to (or are related to) a tracked connection
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new connections originating from the local network (eth_local and
# local_net/subnet are placeholders for your LAN interface and address range)
iptables -A FORWARD -i eth_local -s local_net/subnet -j ACCEPT

So only ESTABLISHED and RELATED packets will be allowed in both directions. All packets will be allowed if they come from the intranet and go to the internet.

Don't forget, someone can still find a way to hack your box. Maybe iptables won't let them, but maybe a hacker finds a security hole in iptables or other services. Who knows; at least you won't be hacked by kids.
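An added illustration (not written by any poster in this thread) of the stateful-forwarding logic the rules above express, modelled in Python with a constructed public address, LAN prefix and packets: a LAN-originated connection is masqueraded and recorded, only the peer's reply to that recorded mapping is un-NATed and forwarded back in, and everything else reaching the FORWARD decision falls to the default DROP. It is the connection tracking, not the address translation by itself, that keeps unsolicited packets out.

```python
# Added example (not from the thread): a toy model of a masquerading NAT box with
# connection tracking, showing why replies get in while unsolicited packets do not.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.1"   # constructed: the gateway's Internet-facing address
LAN_PREFIX = "192.168.1."   # constructed: stands in for local_net/subnet in the rules


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """FORWARD policy DROP; ESTABLISHED/RELATED accepted; LAN -> Internet accepted."""

    def __init__(self, first_port: int = 40000):
        self.next_port = first_port
        self.outbound = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> public port
        self.inbound = {}   # public port -> (lan_ip, lan_port, remote_ip, remote_port)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet to forward, or None when the policy DROPs it."""
        if pkt.iface == "lan" and pkt.src.startswith(LAN_PREFIX):
            # Rule 4 (-i eth_local -s local_net/subnet): LAN-originated traffic is accepted.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.outbound:
                # New connection: allocate a public port and record the conntrack entry.
                self.outbound[key] = self.next_port
                self.inbound[self.next_port] = key
                self.next_port += 1
            # MASQUERADE: rewrite the source to the public address and mapped port.
            return replace(pkt, iface="wan", src=PUBLIC_IP, sport=self.outbound[key])
        if pkt.iface == "wan" and pkt.dst == PUBLIC_IP and pkt.dport in self.inbound:
            lan_ip, lan_port, remote_ip, remote_port = self.inbound[pkt.dport]
            if (pkt.src, pkt.sport) == (remote_ip, remote_port):
                # ESTABLISHED: the reply to a tracked connection; undo the NAT and pass it.
                return replace(pkt, iface="lan", dst=lan_ip, dport=lan_port)
        # Default policy DROP: anything unsolicited, including packets aimed at a
        # mapped port from the wrong peer or spoofed LAN addresses from the outside.
        return None
```

The real conntrack also keys on protocol and follows TCP state, timing out idle entries; this model keeps only the address and port tuple.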
 
Old 10-29-2004, 09:11 AM   #3
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
The previous post gives added protection against break-ins.
The experienced guys have ways to forge packets and fool the NAT into letting through packets it believes belong to an established connection.
Your firewall settings should contain some more rules to drop the most common ways of trying to get past the firewall. Have a look at one of the many firewall scripts circulating around and try to figure out how they work.
 
  

