LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Linux as a router but for multiple public IPs (https://www.linuxquestions.org/questions/linux-networking-3/linux-as-a-router-but-for-multiple-public-ips-296012/)

gnirtS 02-28-2005 05:37 PM
Linux as a router but for multiple public IPs
 
Did a search but cant really find this answered as its slightly different.

Ive run a linux router as NAT box providing net access to 1 public ip to my lan for years so have grasped the basics. However my situation has changed a bit and i want to see if its feasable to use the linux box for this.

I have a /29 subnet providing me with 8 public IP addresses (for simplicity here i'll call it 1.1.1.1 - .8)

Currently my hardware ADSL modem/router is running host mapping NAT mode which means each of my own LAN IPs routes to its own unique public IP address.

ie.

Internal - external

192.168.1.1 -- 1.1.1.1
192.168.1.2 -- 1.1.1.2
192.168.1.3 -- 1.1.1.3
192.168.1.4 -- 1.1.1.4
192.168.1.5 -- 1.1.1.5

Is there any way to emulate this with a linux setup and if so how? Ive had a read around and cant find much concrete info on whether its possible and how to do it.


In addition to this, i take it id need to bridge or somehow tell my router to send its gateway IP to that of the linux box? This would require 2 ethernet interfaces in linux ?


Im using debian (sarge) with iptables and all the usual packages installed.

If anyone can suggest to me how i can do this it will save me a lot of headaches as im having issues with the hardware router currently.

sigsegv 02-28-2005 05:48 PM
First, with at /29 you have 6 IPs, not 8.

As for what you're wanting to do, you'll probably do away with the hardware router thingie and use iptables with SNAT/DNAT rules to NAT the packets the way you want. The esaiest way to do this would be to have 2 nics in the linux machine. One on the public internet and the other connected to a switch with the machines on your LAN on it.

Make sense?

gnirtS 02-28-2005 06:01 PM
OK 8 ips with subnet and broadcast. 6 usables (if you include gateway).

I'll dig through the netfilter documents and look up snat/dnat to see if i can figure it out although i still have no idea how to go about setting up the linux interfaces and gateways. 2 NICs isnt a problem , the box already has them fitted from my old single IP firewall setup.

gnirtS 03-01-2005 07:37 PM
Having fiddled a bit more i think i need something like:

IPTABLES -t nat -A POSTROUTING -s 192.168.1.1/32 -o eth0 -j SNAT --to-source 1.1.1.1


for each IP i want to map. Do i also need to add a destination field in there (ie 2 lines for each entry) to get the full NAT mapping?

Darin 03-02-2005 06:00 AM
I belive what you want is called dnat (destination NAT) which sends packets into your network based on the destination IP. snat is source NAT and that sends the data from your network out to The Internet and masks it to look like it came from the one public IP.

Assuming you have computers on the LAN with private IPs that already can 'get to The Internet' since you said that works. You should be able to add rules to listen for incoming requests for the public IPs and send those to the appropriate internal IPs. I'm sorry that my firewall knowledge ends at theory, but it may be that you need prerouting or output rules for dnat instead of snat. You also need to make sure the linux firewall itself is getting requests to those IPs sent to it.

Another thing to consider is that if you have several computers on the LAN but only a few will have public IPs, it may be best to put the public computers into their own DMZ LAN. Now that I think about it, information about DMZs in any iptables documents you have been using for reference may provide better insight into how to do this.

Edit: I didn't mean to imply that you don't need snat at all, just that it appears you have snat working and to add the seperate IPs coming in you will be using dnat rules.

gnirtS 03-02-2005 09:20 AM
Basically i want NAT as transparent as possible, in other words i want to avoid port forwarding etc.

Example anything on external 1.2.3.4 i want to go to the same PC on the lan after firewalling which is why im assuming i need DNAT as well. SNAT re-writes the outbound stuff but incoming connections would need to be routed so DNAT would be needed there.

sigsegv 03-02-2005 12:49 PM
Quote:
Originally posted by gnirtS
SNAT re-writes the outbound stuff but incoming connections would need to be routed so DNAT would be needed there.
Correct. You can't do one without the other.

You need set up alias interfaces on your gateway machine with the IPs that you want to NAT as, then SNAT outbound connections and DNAT inbound connections from/to the appropriate IPs.

gnirtS 03-02-2005 01:14 PM
OK thats what i was after, cheers.

gnirtS 03-07-2005 03:08 PM
EDIT - REMOVED. My own stupidity caused this


All times are GMT -5. The time now is 03:51 AM.