LinuxQuestions.org
Old 03-23-2007, 05:48 AM   #1
belda
Question multiple external ip routing


I have a network of 10 computers (6 employee, 4 manager) and an Ubuntu router/server. I have 12 public IPs e.e.e.18-30 and internal 192.168.1.1 server and 192.168.1.50-54 office and 192.168.1.101-106 employee.
Now everything from the local network is translated out through 1 IP, e.e.e.18. What I need is to have those 6 use different external IPs and the 4 use 1, e.g.:
192.168.1.101 -> e.e.e.21
192.168.1.102 -> e.e.e.22
...
192.168.1.106 -> e.e.e.26
and
192.168.1.50 -> e.e.e.18
192.168.1.51 -> e.e.e.18
192.168.1.52 -> e.e.e.18
192.168.1.53 -> e.e.e.18
any other -> e.e.e.18


My /etc/network/interfaces:
Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 213.195.205.18
        netmask 255.255.255.240
        network 213.195.205.16
        broadcast 213.195.205.31
        gateway 213.195.205.17
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 81.30.224.2 81.30.225.2

auto eth0:1
iface eth0:1 inet static
        address 213.195.205.19
        netmask 255.255.255.240
        network 213.195.205.16
        broadcast 213.195.205.31
        gateway 213.195.205.17
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 81.30.224.2 81.30.225.2



iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0

auto eth1
My iptables-save output:
Code:
# Generated by iptables-save v1.3.3 on Fri Mar 23 11:43:23 2007
*nat
:PREROUTING ACCEPT [69535:4504828]
:POSTROUTING ACCEPT [667:97712]
:OUTPUT ACCEPT [19143:1039075]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Mar 23 11:43:23 2007
# Generated by iptables-save v1.3.3 on Fri Mar 23 11:43:23 2007
*mangle
:PREROUTING ACCEPT [12272148:5347844980]
:INPUT ACCEPT [1550024:1659586076]
:FORWARD ACCEPT [123374634:72946041792]
:OUTPUT ACCEPT [996693:348349677]
:POSTROUTING ACCEPT [11718500:4036538395]
COMMIT
# Completed on Fri Mar 23 11:43:23 2007
# Generated by iptables-save v1.3.3 on Fri Mar 23 11:43:23 2007
*filter
:INBOUND - [0:0]
:INPUT DROP [140:48800]
:FORWARD DROP [100:42527]
:LOG_FILTER - [0:0]
:LSI - [0:0]
:LSO - [0:0]
:OUTBOUND - [0:0]
:OUTPUT DROP [0:0]
:fail2ban-SSH - [0:0]
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p udp -m udp --dport 22 -j ACCEPT
-A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 137:139 -j ACCEPT
-A INBOUND -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INBOUND -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 3128 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 16881 -j ACCEPT
-A INBOUND -p udp -m udp --dport 16881 -j ACCEPT
-A INBOUND -j LSI
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -s 81.30.224.2 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 81.30.224.2 -p udp -j ACCEPT
-A INPUT -s 81.30.225.2 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 81.30.225.2 -p udp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth0 -j DROP
-A INPUT -d e.e.e.31 -j DROP
-A INPUT -s 224.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 224.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 255.255.255.255 -j DROP
-A INPUT -d 0.0.0.0 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -f -m limit --limit 10/min -j LSI
-A INPUT -i eth0 -j INBOUND
-A INPUT -d 192.168.1.1 -i eth1 -j INBOUND
-A INPUT -d e.e.e.18 -i eth1 -j INBOUND
-A INPUT -d 192.168.1.255 -i eth1 -j INBOUND
-A INPUT -j LOG_FILTER
-A INPUT -j LOG --log-prefix "Unknown Input" --log-level 6
-A FORWARD -p icmp -m limit --limit 10/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -j OUTBOUND
-A FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG_FILTER
-A FORWARD -j LOG --log-prefix "Unknown Forward" --log-level 6
-A LSI -j LOG_FILTER
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A LSI -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -p icmp -m icmp --icmp-type 8 -j DROP
-A LSI -m limit --limit 5/sec -j LOG --log-prefix "Inbound " --log-level 6
-A LSI -j DROP
-A LSO -j LOG_FILTER
-A LSO -m limit --limit 5/sec -j LOG --log-prefix "Outbound " --log-level 6
-A LSO -j REJECT --reject-with icmp-port-unreachable
-A OUTBOUND -p icmp -j ACCEPT
-A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTBOUND -j ACCEPT
-A OUTPUT -s e.e.e.18 -d 81.30.224.2 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s e.e.e.18 -d 81.30.224.2 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -s e.e.e.18 -d 81.30.225.2 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -s e.e.e.18 -d 81.30.225.2 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -d 224.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -s 255.255.255.255 -j DROP
-A OUTPUT -d 0.0.0.0 -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j OUTBOUND
-A OUTPUT -o eth1 -j OUTBOUND
-A OUTPUT -j LOG_FILTER
-A OUTPUT -j LOG --log-prefix "Unknown Output" --log-level 6
-A fail2ban-SSH -j RETURN
COMMIT
 
Old 03-24-2007, 04:14 AM   #2
acid_kewpie
I'd wonder why you want to do this, but either way, you'd need to replace the masquerade command with a set of individual SNAT entries:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.1 -j SNAT --to e.e.e.1
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to e.e.e.2
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.3 -j SNAT --to e.e.e.3
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.4 -j SNAT --to e.e.e.4
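
The SNAT approach from the reply above, applied to the address plan in the question, as an added example that is not part of the original thread. It emits a `*nat` section in the same iptables-save format the poster showed, with the six one-to-one rules ahead of the catch-all, because the first matching rule decides the egress address. `PUB_PREFIX` (a documentation range standing in for the masked `e.e.e`) and the function names `gen_snat_rules` and `egress_for` are assumptions of this example.

```shell
#!/bin/sh
# Added example: build a *nat table for iptables-restore.
# PUB_PREFIX is a placeholder for the poster's masked "e.e.e" prefix.
PUB_PREFIX="203.0.113"
LAN_PREFIX="192.168.1"
WAN_IF="eth0"

gen_snat_rules() {
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # One-to-one mappings: 192.168.1.101-106 -> <prefix>.21-26
    host=101
    while [ "$host" -le 106 ]; do
        pub=$((host - 80))
        echo "-A POSTROUTING -s ${LAN_PREFIX}.${host}/32 -o ${WAN_IF} -j SNAT --to-source ${PUB_PREFIX}.${pub}"
        host=$((host + 1))
    done
    # Catch-all goes last: office hosts and anything else leave as <prefix>.18
    echo "-A POSTROUTING -s ${LAN_PREFIX}.0/24 -o ${WAN_IF} -j SNAT --to-source ${PUB_PREFIX}.18"
    echo "COMMIT"
}

# Dry check of rule ordering: which public address would this LAN host
# get? Walks the generated rules top to bottom; first match wins.
egress_for() {
    gen_snat_rules | awk -v src="$1" '
        $1 != "-A" { next }
        {
            split($4, cidr, "/")          # $4 is the argument of -s
            net = cidr[1]; host = src
            if (cidr[2] == 24) {          # compare the first three octets only
                sub(/\.[0-9]+$/, "", net)
                sub(/\.[0-9]+$/, "", host)
            }
            if (net == host) { print $NF; exit }
        }'
}

# Usage (as root, after reviewing the output):
#   gen_snat_rules | iptables-restore --test   # parse only, nothing is loaded
#   gen_snat_rules | iptables-restore          # replaces the nat table, including MASQUERADE
```

Each public address used as a `--to-source` has to be configured on eth0 (as the `eth0:1` alias in the question does for one address), otherwise the router will not answer ARP for it and replies never arrive.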
 
  

