LinuxQuestions.org
Old 03-09-2004, 10:34 AM   #1
Kaashar
Double NAT Problems...


Here's the problem I have:

Westell 890 DSL router, can't make the beastie behave as a bridge, so it's currently set up as a 192.10.10.xxx NAT router.

Built a RH9 box to do iptables forwarding w/ Arno's script (I like it) and two network cards.

What problems will I have (if any) if I use both? Replacing the Westell with a DSL bridge is an option, but I'd rather not replace the Westell if I don't have to. I simply don't care for its lack of options on port forwarding/blocking, etc., so I want to use the Linux box as my firewall. I've read that double NAT is "a bad thing", but why? There's going to be light traffic on the box, but I need to know if this is going to cause me more problems than it's worth.

Thanks,

Kaash
 
Old 03-10-2004, 03:43 PM   #2
Technonotice
I haven't had any trouble when I've done this before... in fact I run a double NAT in my workshop through a workstation running ethereal and etherape (etc) so I can monitor internet-bound traffic easily. Very nice when I'm fixing Windows PCs... ;-)
 
Old 03-11-2004, 01:31 PM   #3
Kaashar
Original Poster
I bit the bullet and did it. You're right, it works fine in my test environment (I built the thing behind an existing RH box).

Guess I'll implement it since it works. I may rebuild the mess later using one of the CD distros; it would make an interesting security system.
 
Old 03-11-2004, 04:52 PM   #4
Technonotice
Hehe... good to hear

The useful thing for me is being able to carefully monitor a PC (since they usually come into the workshop loaded to the hilt with spyware/viruses), and if it begins talking a bit too much on the internet, I have a couple of shell scripts handy to cut off access at the touch of a button.
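For the two-NIC box from post #1 and the "cut off access" scripts mentioned here, an added example (not code from either poster, nor from Arno's script): a minimal iptables ruleset for the inner gateway sitting behind the Westell, with the per-host cut-off and the double port forward a double NAT requires. Interface names (eth0 towards the Westell, eth1 inner LAN) and the inner subnet 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ruleset for an inner two-NIC
# Linux box in the setup described above. eth0 faces the Westell's 192.10.10.x
# network, eth1 the inner LAN; interface names and inner subnet are assumptions.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}                    # assumed: towards the Westell
LAN=${LAN:-eth1}                    # assumed: inner LAN side
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed inner subnet; must not overlap 192.10.10.0/24

# With DRY_RUN=1 the rules are printed instead of loaded, so the set can be
# reviewed on any box without root or iptables.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

nat_rules() {
  [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Inner LAN may initiate outbound; only replies are forwarded back in.
  ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
  ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Second NAT hop: inner hosts leave with this box's 192.10.10.x address,
  # which the Westell then NATs once more to the public address.
  ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# The "cut off at the touch of a button" case from post #4: a DROP inserted
# at the top of FORWARD for one inner host, and its removal.
cutoff_host()  { ipt -I FORWARD 1 -s "$1" -j DROP; }
restore_host() { ipt -D FORWARD -s "$1" -j DROP; }

# Inbound service behind two NATs: the port has to be forwarded twice, on the
# Westell to this box's 192.10.10.x address, and here on to the inner host.
forward_port() {  # forward_port <tcp port> <inner host>
  ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$1" -j DNAT --to-destination "$2"
  ipt -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$2" --dport "$1" -j ACCEPT
}

case "${1:-}" in
  apply)   nat_rules ;;
  cutoff)  cutoff_host "$2" ;;
  restore) restore_host "$2" ;;
  forward) forward_port "$2" "$3" ;;
esac
```

Run as `DRY_RUN=1 sh gateway.sh apply` to review the rules before loading them as root with `sh gateway.sh apply`.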
 
Old 03-11-2004, 07:24 PM   #5
Kaashar
Original Poster
How are you monitoring the traffic, by the by?

I've been contemplating setting something up (MRTG is good, but I want something more realtime) so I could monitor traffic like that.

Granted, my list of things to look at just keeps getting bigger... I've wanted for years to set up some bandwidth limiting stuff for iptables, etc.
 
Old 03-11-2004, 07:51 PM   #6
german
If you're interested in building bridges / routers / gateways / whatever you kids call them these days, try OpenBSD. Their pf syntax is much easier on the eyes and brain than iptables syntax, which is just a command as opposed to a parsed, human-readable rule set. For instance, if I want to pass connections in on port 6346, in iptables I would have something similar to the following in a script somewhere:

Code:
$IPT -A INPUT -s 0/0 -d 0/0 -p tcp --dport 6346 -j ACCEPT
Huh? If I'm not the one who wrote it, it's not immediately obvious to me what it does, at all. Here's the pf version:

Code:
pass in on tun0 proto tcp from any to any port 6346
Much easier to read. Check it out.

B.
 
Old 03-12-2004, 10:54 AM   #7
Technonotice
Thanks german - looks very nice...

*looks around for a "victim" to install OpenBSD on...*

I really like using Etherape from http://etherape.sourceforge.net/ - lovely graphical view of the network and you can get an idea of quantity and protocols. If you need to watch in very specific detail, try out iptraf at http://iptraf.seul.org/

Also, if you need it, Ethereal at http://www.ethereal.com/ which is a very powerful tool for capturing and logging packets.

I like to run Etherape if I'm not immediately at my machine as you soon know if something's gone wrong

Just need the flashing lights and red telephone
 
  

