Output connection Public IP - Iptables, Route Rules
Hi,
My problem is that the users of my intranet access a system (site) via the internet that does IP connection control. I was MASQUERADING the intranet addresses through only one public IP. However, because of the large number of intranet users accessing the system (site) through a single public IP, the system (site) blocked our public IP, claiming too many connections from the same public IP.
I got a range of public IPs to use in this solution. Does someone know how I can randomly release the public IPs, so that the outgoing connection IP of the intranet users would be different each time the users access the system (site), using my range of public IP addresses?
Via software on Linux, using iptables, route rules or some other method, would it be possible to do this?
Just brainstorming here: how many internal end-users are we talking about? One solution may be subnetting them into groups, where each group is NAT'ed behind a different Linux gateway w/ a public IP.
I will have around 200 users accessing this system. I got 64 public IPs to use and I would like to use only one gateway. My idea was to find some method to randomly release the 64 public IPs only on the outgoing connection, after MASQUERADE, but I don't know if iptables or some other method can do this. I would have to have many gateways to subnet them into groups; I would like to randomly release the 64 public IPs that I have, if possible, with just one gateway.
On my interface, would I have to have all public IPs set in my -o <internet_intf>, or just one?
eth0 - 1 Public IP
eth0:0 - 2 ..
eth1:1 - 3 ..
No, you don't need to create a sub/logical/alias interface (e.g. eth0:1 etc.) for the outgoing connection (but it is optional), and AFAIK it will not work with either iptables SNAT or MASQ.
You just need to put that public IP pool (lower_public_IP-higher_public_IP) on that single interface and do SNAT.
So every time a user accesses the system, SNAT --to-source a.b.c.d-a.b.c.g randomly releases the public IPs and the system will receive a different public IP each time, is that OK?
Nice question.
Surely it still has a drawback.
In connection-oriented sessions, for example users chatting with Yahoo! Messenger, or in the middle of writing an email, if any previous IP that used to be used to connect to the server gets idle, the router will swap the IP to another user's connection and the current user gets their IP changed; the server will reject them (your previous session). But it will do just fine for regular internet browsing.
If you don't like this idea, then the way to overcome this problem is 1-to-1 NAT mapping = 1 public IP for 1 client. Still use the same SNAT technique, but it is hard work.
I tried this solution with SNAT, but my MASQUERADE connection doesn't work!
Either you use iptables -t nat -A POSTROUTING -j SNAT, or you use -j MASQ; you cannot use both. You cannot use multiple public IP addresses using MASQ (it only multiplies connections by ports), so the only way is using SNAT, which allows you to multiply by IP addresses as well.
Or you can post your config here so we can help you.
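As an added example (not posted in this thread), a script for the single-gateway setup discussed above: the pool addresses go on the one outbound interface, the MASQUERADE rule for that traffic is removed, and a single SNAT rule with a --to-source range replaces it. The interface name, intranet range and pool addresses are constructed placeholders; the --persistent flag is not mentioned in the thread and is included to avoid the mid-session address change described in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread: one gateway, one outbound interface,
# a pool of 64 public addresses, SNAT with an address range instead of MASQUERADE.
# Interface, intranet range and pool addresses are constructed placeholders.
set -eu

WAN_IF="${WAN_IF:-eth0}"             # outbound interface (assumption)
LAN_NET="${LAN_NET:-10.0.0.0/16}"    # intranet range (constructed)
POOL_LO="${POOL_LO:-198.51.100.1}"   # first public IP of the pool (constructed)
POOL_HI="${POOL_HI:-198.51.100.64}"  # last public IP of the pool (constructed)

# Dry run by default: the commands are printed, not executed.
# Set APPLY=1 (as root) to really change addresses and NAT rules.
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; IP=ip; else IPT="echo iptables"; IP="echo ip"; fi

# The gateway must own (and answer ARP for) every pool address, but no alias
# interfaces (eth0:0, eth0:1, ...) are needed: add them as secondary addresses.
add_pool_addresses() {
    base="${POOL_LO%.*}"   # the pool is assumed to fit in one /24
    lo="${POOL_LO##*.}"
    hi="${POOL_HI##*.}"
    i="$lo"
    while [ "$i" -le "$hi" ]; do
        # "|| true": the primary address is usually configured already
        $IP addr add "$base.$i/24" dev "$WAN_IF" 2>/dev/null || true
        i=$((i + 1))
    done
}

# POSTROUTING is first-match, so a leftover MASQUERADE rule for the same
# traffic would keep every user behind the one address the site blocked.
remove_masquerade() {
    $IPT -t nat -D POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null || true
}

# MASQUERADE only varies the source port behind one address; SNAT with a
# --to-source range spreads connections over the addresses too.
# --persistent keeps new connections from one client on the same public IP,
# so a server session bound to that address is not rejected later;
# remove the flag if every new connection should get a different address.
add_snat_rule() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$POOL_LO-$POOL_HI" --persistent
}

add_pool_addresses
remove_masquerade
add_snat_rule
```

Run it without APPLY first and check the printed rules against the existing ones in `iptables -t nat -L POSTROUTING -n -v`.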