[freshrpms.net]

Some quick tips n' tricks

Dedicated, fixed network address translation for a single host
Password-less ssh access

Dedicated, fixed network address translation for a single host

It's in fact quite easy. Say we have a gateway server with :

eth0 (LAN) : 192.168.1.254
eth1 (WAN) : 10.0.0.1
             10.0.0.2 (alias)

We will pretend the 10.0.0.0 network is routable. From the LAN, we want to "masquerade" the 192.168.1.1 client to always appear as 10.0.0.2 when going out through the gateway, so :

iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.2 -j DNAT --to-destination 192.168.1.1

This will apply destination network address translation, and will take care of mangling all further packets. It is only necessary if you want the LAN host reachable from the outside on the aliased address (probably a bad idea security-wise).

iptables -t nat -A POSTROUTING -i eth0 -s 192.168.1.1 -j SNAT --to-source 10.0.0.2

This will apply source network address translation (changes the source of the packet from the LAN address to the WAN one). This is similar to what the MASQUERADE does, but better suited for fixed connections as you can read in the man page "if you have a static IP address, you should use the SNAT target".

iptables -A FORWARD -i eth1 -o eth0 -d 192.168.1.1 -j ACCEPT

This will allow the mangled packets from the PREROUTING rule to reach the LAN host if your default FORWARD policy is not ACCEPT. You can of course place firewall or logging rules to your liking. Read the iptables(8) man page for all details.

Useful commands :

iptables -L -v
iptables -t nat -L -v
service iptables save

Password-less ssh access

On the client, as the user who will be starting the ssh connections :

ssh-keygen -d

Just press enter when prompted for the passphrase. You'll then get both the private (~/.ssh/id_dsa) and the public (~/.ssh/id_dsa.pub) keys.
On the server, append the content of the client's public key file to the ~/.ssh/authorized_keys file (with some older openssh versions, this may be ~/.ssh/authorized_keys2). Make sure there are no permissions set for group or other on the ~/.ssh/ directories (mode 700) and the files they contain (mode 600).