LinuxQuestions.org
Old 02-28-2005, 06:37 PM   #1
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 22

Rep: Reputation: 15
Linux as a router but for multiple public IPs


Did a search but can't really find this answered as it's slightly different.

I've run a Linux router as a NAT box providing net access to 1 public IP to my LAN for years so have grasped the basics. However my situation has changed a bit and I want to see if it's feasible to use the Linux box for this.

I have a /29 subnet providing me with 8 public IP addresses (for simplicity here I'll call it 1.1.1.1 - .8)

Currently my hardware ADSL modem/router is running host mapping NAT mode which means each of my own LAN IPs routes to its own unique public IP address.

ie.

Internal - external

192.168.1.1 -- 1.1.1.1
192.168.1.2 -- 1.1.1.2
192.168.1.3 -- 1.1.1.3
192.168.1.4 -- 1.1.1.4
192.168.1.5 -- 1.1.1.5

Is there any way to emulate this with a Linux setup and if so how? I've had a read around and can't find much concrete info on whether it's possible and how to do it.


In addition to this, I take it I'd need to bridge or somehow tell my router to send its gateway IP to that of the Linux box? This would require 2 ethernet interfaces in Linux?


I'm using Debian (sarge) with iptables and all the usual packages installed.

If anyone can suggest to me how I can do this it will save me a lot of headaches as I'm having issues with the hardware router currently.
 
Old 02-28-2005, 06:48 PM   #2
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
First, with a /29 you have 6 IPs, not 8.

As for what you're wanting to do, you'll probably do away with the hardware router thingie and use iptables with SNAT/DNAT rules to NAT the packets the way you want. The easiest way to do this would be to have 2 NICs in the Linux machine. One on the public internet and the other connected to a switch with the machines on your LAN on it.

Make sense?
 
Old 02-28-2005, 07:01 PM   #3
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 22

Original Poster
Rep: Reputation: 15
OK, 8 IPs with subnet and broadcast. 6 usable (if you include gateway).

I'll dig through the netfilter documents and look up SNAT/DNAT to see if I can figure it out, although I still have no idea how to go about setting up the Linux interfaces and gateways. 2 NICs isn't a problem, the box already has them fitted from my old single IP firewall setup.
 
Old 03-01-2005, 08:37 PM   #4
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 22

Original Poster
Rep: Reputation: 15
Having fiddled a bit more I think I need something like:

iptables -t nat -A POSTROUTING -s 192.168.1.1/32 -o eth0 -j SNAT --to-source 1.1.1.1


for each IP I want to map. Do I also need to add a destination field in there (i.e. 2 lines for each entry) to get the full NAT mapping?
 
Old 03-02-2005, 07:00 AM   #5
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
I believe what you want is called DNAT (destination NAT) which sends packets into your network based on the destination IP. SNAT is source NAT and that sends the data from your network out to The Internet and masks it to look like it came from the one public IP.

Assuming you have computers on the LAN with private IPs that already can 'get to The Internet', since you said that works, you should be able to add rules to listen for incoming requests for the public IPs and send those to the appropriate internal IPs. I'm sorry that my firewall knowledge ends at theory, but it may be that you need prerouting or output rules for DNAT instead of SNAT. You also need to make sure the Linux firewall itself is getting requests to those IPs sent to it.

Another thing to consider is that if you have several computers on the LAN but only a few will have public IPs, it may be best to put the public computers into their own DMZ LAN. Now that I think about it, information about DMZs in any iptables documents you have been using for reference may provide better insight into how to do this.

Edit: I didn't mean to imply that you don't need SNAT at all, just that it appears you have SNAT working and to add the separate IPs coming in you will be using DNAT rules.

Last edited by Darin; 03-04-2005 at 04:49 AM.
 
Old 03-02-2005, 10:20 AM   #6
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 22

Original Poster
Rep: Reputation: 15
Basically I want NAT as transparent as possible, in other words I want to avoid port forwarding etc.

For example, anything on external 1.2.3.4 I want to go to the same PC on the LAN after firewalling, which is why I'm assuming I need DNAT as well. SNAT re-writes the outbound stuff but incoming connections would need to be routed so DNAT would be needed there.
 
Old 03-02-2005, 01:49 PM   #7
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Quote:
Originally posted by gnirtS
SNAT re-writes the outbound stuff but incoming connections would need to be routed so DNAT would be needed there.
Correct. You can't do one without the other.

You need to set up alias interfaces on your gateway machine with the IPs that you want to NAT as, then SNAT outbound connections and DNAT inbound connections from/to the appropriate IPs.
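
The setup this thread arrives at (public addresses on the gateway, SNAT outbound, DNAT inbound), written out as an added example that is not part of any post above. It only prints the commands; eth0 as the external interface comes from the rule posted earlier, while eth1 as the LAN interface, the /29 prefix length on the aliases and the sample map are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not execute) the commands for 1:1 NAT on the gateway.
# Assumed: eth0 faces the ISP (as in the rule posted above), eth1 faces the LAN,
# and the 1.1.1.x placeholders from the thread stand in for the real /29.
EXT_IF="eth0"
INT_IF="eth1"
PREFIX_LEN="29"
# Constructed sample map: "internal_ip public_ip", one pair per line.
NAT_MAP="192.168.1.2 1.1.1.2
192.168.1.3 1.1.1.3"

valid_ipv4() {
    # Accept only dotted quads with octets 0-255, so nothing else reaches a rule.
    echo "$1" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i !~ /^[0-9]+$/ || $i>255) exit 1}'
}

gen_nat_rules() {
    # $1 = map text. Emits three commands per valid pair; invalid pairs are skipped.
    echo "$1" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        if ! valid_ipv4 "$lan" || ! valid_ipv4 "$pub"; then
            echo "skipping invalid pair: $lan $pub" >&2
            continue
        fi
        # The gateway must own the public address so it answers ARP for it
        # (iproute2 equivalent of an alias interface).
        echo "ip addr add $pub/$PREFIX_LEN dev $EXT_IF"
        # Inbound: traffic addressed to the public IP goes to the LAN host.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $lan"
        # Outbound: the LAN host leaves with its own public IP as source.
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $lan -j SNAT --to-source $pub"
    done
}

gen_forward_policy() {
    # DNAT without filtering exposes every port of the mapped host. Default-drop
    # forwarding, allow replies and LAN-originated traffic; inbound services then
    # need explicit ACCEPT rules matching the internal (post-DNAT) address.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
}

gen_nat_rules "$NAT_MAP"
gen_forward_policy
```

Review the printed commands, then pipe them to `sh` as root to apply them; IP forwarding must also be enabled on the gateway (`net.ipv4.ip_forward=1`).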
 
Old 03-02-2005, 02:14 PM   #8
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 22

Original Poster
Rep: Reputation: 15
OK, that's what I was after, cheers.
 
Old 03-07-2005, 04:08 PM   #9
gnirtS
LQ Newbie
 
Registered: Jan 2005
Distribution: Debian (usually testing)
Posts: 22

Original Poster
Rep: Reputation: 15
EDIT - REMOVED. My own stupidity caused this

Last edited by gnirtS; 03-07-2005 at 04:14 PM.
 
  



All times are GMT -5. The time now is 11:37 PM.
