LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
#1 andreirp (LQ Newbie), 01-31-2009, 08:43 AM
Output connection Public IP - Iptables, Route Rules


Hi,


My problem is that the users of my intranet access a system (site) via the internet that does IP connection control. I was MASQUERADING the intranet addresses through only one public IP. However, because of the large number of intranet users accessing the system (site) through a single public IP, the system (site) blocked our public IP, claiming too many connections from the same public IP.
I got a range of public IPs to use in this solution. Does anyone know how I can randomly release the public IPs, so that the output IP of the intranet users' connections would be different each time the users access the system (site), using my range of public IP addresses?
Would it be possible to do this via software on Linux, using iptables, route rules or another method?


Could someone help me?

Thanks

Andrei
 
#2 anomie (Senior Member), 01-31-2009, 01:09 PM
Just brainstorming here: how many internal end-users are we talking about? One solution may be subnetting them into groups, where each group is NAT'ed behind a different Linux gateway w/ a public IP.
 
#3 andreirp (LQ Newbie, original poster), 02-01-2009, 06:45 PM
Thanks for answering my question!

I will have around 200 users accessing this system, I got 64 public IPs to use and I would like to use only one gateway. My idea was to find some method to randomly release the 64 public IPs only on the output connection, after MASQUERADE, but I don't know if iptables or some other method can do this. I would need many gateways to subnet them into groups; I would like to randomly release the 64 public IPs that I have, if possible with just one gateway.

Thanks a lot for helping me.

Andrei
 
#4 rossonieri#1 (Member), 02-02-2009, 10:08 AM
hi andrei,

Quote:
I was MASQUERADING the intranet address through only one Public IP. However by the large number of intranet users accessing the system (site) through unique Public IP, the system(site) blocked our Public IP claiming much conections by the same Public IP.
I think that -SNAT could do the trick, like:
Code:
iptables -t nat -A POSTROUTING -s <LAN_IP_subnet> -o <internet_intf> -j SNAT --to-source <lower_public_IP>-<higher_public_IP>
The port is optional but is important.

HTH.
 
#5 andreirp (original poster), 02-03-2009, 04:29 AM
Hi rossonieri,

Thanks for answering my question!


I have a question:

iptables -t nat -A POSTROUTING -s <LAN_IP_subnet> -o <internet_intf> -j SNAT --to-source <lower_public_IP>-<higher_public_IP>

On my interface, would I have to have all the public IPs set on my
-o <internet_intf>, or just one?

eth0 - 1 Public IP
eth0:0 - 2 ..
eth1:1 - 3 ..

etc..

Thanks

Andrei
 
#6 rossonieri#1, 02-03-2009, 08:50 AM
hi andrei,

Quote:
On my interface, would I have to have all the public IPs set on my
-o <internet_intf>, or just one?

eth0 - 1 Public IP
eth0:0 - 2 ..
eth1:1 - 3 ..
No - you don't need to create a sub/logical/alias interface (e.g. eth0:1 etc.) for the outgoing connection (but it is optional) & AFAIK it will not work with either iptables -SNAT or -MASQ.

You just need to put that public IP pool (lower_public_IP & higher_public_IP) on that single interface and do SNAT.

e.g.
Code:
iptables -t nat -A POSTROUTING -o <internet_interface> -j SNAT --to-source a.b.c.d-a.b.c.g
HTH.
 
#7 andreirp (original poster), 02-04-2009, 04:10 AM
Thanks rossonieri, I get it now!! I will try.

Every time a user accesses the system, the SNAT --to-source a.b.c.d-a.b.c.g randomly releases the public IPs, so the system will receive a different public IP each time, is that OK?

Thanks rossonieri for helping me!

Andrei
 
#8 rossonieri#1, 02-04-2009, 04:43 AM
hi andrei,

Quote:
Every time a user accesses the system, the SNAT --to-source a.b.c.d-a.b.c.g randomly releases the public IPs, so the system will receive a different public IP each time, is that OK?
Nice question.
Surely it still has a drawback.
In a connection-oriented session - for example, users chatting using Yahoo! Messenger, or in the middle of writing an email - if any previous IP that used to be used to connect to the server gets idle, the router will swap the IP for another user's connection & the current user gets their IP changed - the server will reject them (your previous session). But it will do just fine for regular internet browsing.

If you don't like this idea, then the way to overcome this problem is 1-to-1 NAT mapping = 1 public IP for 1 client. Still use the same SNAT technique - but it is hard work.

HTH.
 
#9 andreirp (original poster), 02-06-2009, 08:59 AM
Hi rossonieri,

I tried this solution with SNAT, but my MASQUERADE connection doesn't work!


Before, I had the iptables rule with iptables ..... -j MASQUERADE and I changed it to -j SNAT ......-.....

Do I have to have the MASQUERADE too?


Thanks rossonieri!!


Andrei
 
#10 rossonieri#1, 02-06-2009, 10:40 AM
hi andrei,

Quote:
I tried this solution with SNAT, but my MASQUERADE connection doesn't work!
Either you use iptables -t nat -A POSTROUTING -j SNAT, or you use -j MASQ; you cannot use both. You cannot use multiple public IP addresses using MASQ (it only multiplies connections by ports), so the only way is using SNAT, which allows you to multiply by IP addresses also.

Or you can post your config here so we can help you.

HTH.
 
#11 andreirp (original poster), 02-09-2009, 03:59 AM
Hi rossonieri,

thanks one more time,

In my rules I have the FORWARD rule and the SNAT.

Quote:
iptables -A FORWARD -s IntranetIP -j ACCEPT
iptables -A FORWARD -d IntranetIP -j ACCEPT
Quote:
iptables -t nat -A POSTROUTING -s IntranetIP/24 -o eth0 -j SNAT --to-source A.B.C.D-A.B.C.G
But the internet doesn't work.

Is there something else to do?

Thanks

Andrei
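The full gateway setup this thread converges on, as an added shell example that is not code from the thread or its posters: it prints (rather than executes) the commands, and it includes two steps the posted rules omit, enabling IP forwarding and assigning the public pool to the WAN interface so the upstream router can ARP for every address SNAT may hand out. The LAN subnet and the 203.0.113.64-127 pool are constructed placeholders standing in for IntranetIP/24 and A.B.C.D-A.B.C.G.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits (does not run) the gateway
# configuration discussed above, plus two steps the posted rules omit:
# enabling IP forwarding and putting the public pool on the WAN interface so
# the upstream router can ARP for every address SNAT may hand out.
# All addresses are constructed placeholders from documentation ranges.
LAN_SUBNET="192.168.10.0/24"   # "IntranetIP/24" in the thread
WAN_IF="eth0"
PUB_LOW="203.0.113.64"         # "A.B.C.D" in the thread
PUB_HIGH="203.0.113.127"       # "A.B.C.G" in the thread: 64 addresses

# Dotted quad -> integer, so the pool can be walked and sanity-checked.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Integer -> dotted quad.
int2ip() {
  echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# Number of addresses in low-high (negative means the range is reversed).
range_size() {
  echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# gen_rules LAN_SUBNET WAN_IF LOW HIGH: print the commands, one per line.
gen_rules() {
  lan=$1; wan=$2; low=$3; high=$4
  n=$(range_size "$low" "$high")
  [ "$n" -ge 1 ] || { echo "gen_rules: $low-$high is not a valid range" >&2; return 1; }
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Secondary addresses on the one interface, not eth0:0 style aliases.
  i=$(ip2int "$low"); end=$(ip2int "$high")
  while [ "$i" -le "$end" ]; do
    echo "ip addr add $(int2ip "$i")/32 dev $wan"
    i=$(( i + 1 ))
  done
  # Only the intranet may open connections outward; replies are forwarded
  # back only for flows conntrack already knows about.
  echo "iptables -A FORWARD -s $lan -o $wan -j ACCEPT"
  echo "iptables -A FORWARD -d $lan -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -P FORWARD DROP"
  # SNAT (not MASQUERADE) is what can spread flows over a pool of addresses.
  echo "iptables -t nat -A POSTROUTING -s $lan -o $wan -j SNAT --to-source $low-$high"
}
gen_rules "$LAN_SUBNET" "$WAN_IF" "$PUB_LOW" "$PUB_HIGH"
```

Review the printed commands before running them as root; on kernels 2.6.29 and later, adding --persistent to the SNAT rule keeps each client on the same public address, which avoids the mid-session address change described in post #8.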