Firewall Wizards mailing list archives

Re: NAT with multiple addresses.


From: Wes Chalfant <wes () peabody com>
Date: Tue, 18 Sep 2001 10:07:12 -0700

        The home page for netfilter appears to be http://netfilter.samba.org
(not www.netfilter.org).

        Note that it is also possible to do static NAT with the 2.2.x linux
kernels; for this to work, the CONFIG_IP_ADVANCED_ROUTER and
CONFIG_IP_MULTIPLE_TABLES kernel options must be selected.  Setting up
static NAT is done with the "ip" tool that is part of the iproute
package; this package is included with many distributions (e.g. RedHat
6.1 and later).  Note that the iproute package is sometimes also
called iproute2.  

        Introductory documentation/HOWTOs for ip are somewhat lacking.  If
you install the RedHat package, you'll find the basic documentation in
/usr/share/doc/iproute-<rel>/ip-cref.ps.  The best introductory
documentation for ip is the "Linux 2.4 Advanced Routing HOWTO"
(http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html); although
written (obviously) for 2.4, it describes the programs in the iproute
package fairly well and, so far as I can tell, what is written here
also applies to 2.2 kernels and iproute.  

        Static NAT defines a one-to-one mapping of external IP addresses and
internal IP addresses.  The advanced routing HOWTO document doesn't
really document using the ip command to set up static NAT -- if you've
got 2.4, it's easier to do this with netfilter (iptables command).  To
do this with Linux 2.2, the commands to static map <int-ip> to
<ext-ip> would be:
       ip route add nat <ext-ip> via <int-ip>
       ip rule add prio 320 from <int-ip> nat <ext-ip>

Dhiran Rajbhandari wrote:

Use iptables (kernel must be 2.4.x or above )to use all public addresses
for private addresses../ you have to SNAT (source nat) in nat table
individually to internal addresses so that those internal addresses will
be converted to the defined public addresses../Please check the following
example..

iptables -t nat -A POSTROUTING -s 192.168.x.x -o eth1 -j SNAT --to-source 1.2.3.4

for more information visit www.netfilter.org

Rgds,
Dhiren

On Sat, 15 Sep 2001, Marcelo Coronel wrote:

I am trying to install a firewall in an extremely
weird network connection to the Internet, and I was
wondering if there was someone willing to help me out.



Proxy Server ------------ Router --- Internet
Workstations |


As it seems, some time ago, people just came and
plugged the router to the hubs in order to avoid
performing configuration tasks in a Linux box. All the
workstations and the proxy server (which is serving
only as an HTTP proxy server) are coming out on public
addresses.

I am planning to do things this way:

Workstations---- Proxy Server --- Router

which seems a sound way to do it, as the router
belongs to a third party and I don't have access to
it. The problem is we're talking about a Cyberbar, and
as we all know, the usual activities on cyberbars are IRC
chatting, web surfing and FTP downloading (I say
downloading because people browsing an FTP is not
something you see a lot of here, and when they
download they just follow a hyperlink on a webpage,
which you can do in active mode even blocking syns at
the gateway). For all I know, changing all public
addresses to private is a good thing, but having
twenty five connections from the same IP is something
an IRC server administrator will not want.

Coming down to the real question... Is there a way to
do NAT or Masquerading at the Linux box that will let
me use all the public IP addresses I have available.

Thanks a lot for your help,

Marcelo.

-- 
Wes Chalfant              Peabody Systems             wes () peabody com
                          (714) 639-8643              FAX (714) 639-2817
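The two approaches described in this thread, combined into one script as an added example that is not part of any message above: it generates the per-address iptables commands (2.4, SNAT outbound plus DNAT inbound, both in the nat table) and the iproute2 "ip" commands (2.2) for a list of inside/outside address pairs, which is the one-to-one mapping Marcelo asked about. The interface names and the address pairs are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate static (one-to-one) NAT rules for a list of
# <int-ip> <ext-ip> pairs. Assumes eth0 faces the workstations and eth1
# faces the router; the pairs below are constructed sample data.

IN_IF=eth0
OUT_IF=eth1

# One mapping per line: <int-ip> <ext-ip>  (constructed, not real hosts)
NAT_MAP='192.168.1.10 203.0.113.10
192.168.1.11 203.0.113.11
192.168.1.12 203.0.113.12'

# Linux 2.4 / iptables: each inside host gets its own public source
# address on the way out (SNAT) and its public address is mapped back
# to it on the way in (DNAT). Both rules live in the nat table.
iptables_rules() {
    printf '%s\n' "$NAT_MAP" | while read -r int_ip ext_ip; do
        [ -n "$int_ip" ] || continue
        echo "iptables -t nat -A POSTROUTING -s $int_ip -o $OUT_IF -j SNAT --to-source $ext_ip"
        echo "iptables -t nat -A PREROUTING -d $ext_ip -i $OUT_IF -j DNAT --to-destination $int_ip"
    done
}

# Linux 2.2 / iproute2: the nat route rewrites inbound destinations
# <ext-ip> -> <int-ip>; the rule rewrites outbound sources <int-ip> -> <ext-ip>.
ip_rules() {
    printf '%s\n' "$NAT_MAP" | while read -r int_ip ext_ip; do
        [ -n "$int_ip" ] || continue
        echo "ip route add nat $ext_ip via $int_ip"
        echo "ip rule add prio 320 from $int_ip nat $ext_ip"
    done
}

# Number of command lines a generator emits (two per mapping).
rule_count() { "$1" | wc -l | tr -d ' '; }

# Print the rules for the chosen kernel generation; pipe the output into
# "sh" as root to apply them on a box with the kernel support described above.
if [ "${1:-}" = "--2.2" ]; then ip_rules; else iptables_rules; fi
```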
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
