RE: NAT

[sean.kelly () lanston com]

> My knowledge of NAT is not deep enough, therefore I'm asking for your
> help. Our ISP denied to provide us with private routable subnet,
> giving us only the plain range of IP addresses. It sucks 
> since we need to
> plug our DSL modem to the hub and live the whole network without any
> protection <big grin>.

You don't need your ISP to provide you with a private subnet.  The problem
you face is one that pretty much everyone in the industry does.  The only
machine you want to assign a "plain" IP is one you want to be visible to the
world -- a web server, etc.  There are sets of IP ranges designated for
private use.  The most commonly used range is the 192.168.x.x C class.  Come
up with a scheme for your machines using this IP range and get a
firewall/proxy server.  For small networks, products like SyGate on a spare
PC are often sufficient.

> One of the solutions was to put a hardware firewall in between the
> network and DSL modem, but for some reasons we can't do that. The
> solution that I was thinking of is to set up all the IPs given to us
> as aliases on external interface on our router (Linux or *BSD box) and
> set up NAT in following matter:
>
> (all the workstations in local network are getting local no-routable
> addresses)

ie. the 192.168.x.x ones

> For each outgoing packet source address (local) is replaced by one of
> the aliases mapped to this address. For each incoming packet each
> destination address (external alias) is mapped to local address. So it
> looks like fancy masquerading, even though instead of ports we are
> playing with aliases on external interface of the router.

This is indeed NAT.

> I was hitting my head against the wall trying to come up with NAT
> rules for such scheme, but i failed. I need your help guys.

What rules do you mean?  Any of the products out there that do NAT should be
able to be set up without too much trouble.  It doesn't sound like you're
doing anything unusual.


Sean