Strict Routing

elfoozo · 12-11-2007, 12:24 AM

Is this possible within one box with one NIC?

Code:

                                                                      _
                                            +-----------+            /
                                        +---| ext-ip5   |-----------|
                                        |   +-----------+          /
        __                              |                         |
    ___/  \_         +----------------+ |   +-----------+        /
   /        \_       |            ip5 +-+   | ext-ip4   |-------|
  /           \      |  +----+        |    /+-----------+      /
 |             \     |  |eth0|    ip4 +---+                    |
/               |    |  |    |        |     +-----------+      |
| Local network -----+  +----+    ip3 +-----| ext-ip3   |------|Internet
\               |    |                |     +-----------+      |
 \_            /     |            ip2 +---+                    |
   \         _/      |                |    \+-----------+      \
    \_     _/        |            ip1 +-+   | ext-ip2   |-------|
      \___/          +----------------+ |   +-----------+        \
                                        |                         |
                                        |   +-----------+          \
                                        +---| ext-ip1   |-----------|
                                            +-----------+            \_

Assuming ext-ip 1-5 are Internet facing IP's that are NAT'ed to an internal virtual local IP and the Linux host only has 1 physical NIC, Is it possible for each virtual IP to only respond & route traffic to & from its specific IP?

Like mini gateways or pvc's or single IP vlan's something?

The goal is that any of the 5 local IP's respond to Internet requests as if they were unique individual hosts and the reply would only come from the IP it came "in" through, not step back out through a "default gateway".

I read through the advanced routing guide and I didn't see where gateways could be established if the internal ip's were all on the same subnet, a.k.a. internal ip1 was 192.168.1.1, internal ip2 was 192.168.1.2, etc., etc.

dkm999 · 12-12-2007, 08:06 PM

If you want to do this in a perfectly general way, I think you will have to preserve the 5-IP scheme on the local side of your firewall. This should be possible by overlaying several private subnets on the same cable and interface. (You could even crank the netmask down to 255.255.255.252, and only use up 4 addresses per subnet, if you are really into this stuff.)

But if you want to use NAT just to direct specific ports to specific servers, then the return traffic for that port will be automagically sent back out on the original incoming IP address when the NAT code gets the reply packet from your server.