Greetings,

I have found what I believe to be a functionality deficit in the current NAT implementation in Linux (and other OSes?). I have found that attempting to translate multiple subnets to 1 subnet is impossible. In this example (and my current headache), I will illustrate where NAT is failing.

BACKGROUND

My ISP, @home, allows their customers to assign up to 3 IP addresses to their cable modem for use in home networking. The usual procedure is then to plug a hub directly into the cable modem and have all machines connect into that hub. With security in mind, however, I chose to set up a simple NAT firewall doing static 1-to-1 mappings of the external IP addresses to my LAN's internal address space.

SITUATION

I currently have 2 IP addresses assigned to my cable modem. (Fictitious addresses are being used to protect the innocent.)

IP 1 = 50.50.50.50/25   Gateway = 50.50.50.1
IP 2 = 60.60.60.60/25   Gateway = 60.60.60.1

IP 1 is going to be the address of the NAT firewall. IP 2 is going to be translated to a machine on my internal network. The NAT firewall has 2 Ethernet interfaces: ETH0 (using IP 1) and ETH1 (IP 10.0.0.1/8). Inside the LAN is a Win98 PC with 1 Ethernet interface with an assigned address of 10.0.0.5.

PROBLEM

Because IP 2 is not local to ETH0 on my firewall, I am not able to create a NAT entry (returns "network unreachable"). However, if I artificially add the ARP entry I am able to add the NAT rule, but a new problem occurs: packets can now leave via the translated address, but they get lost on their return, as again ETH0 is not local to the next hop for IP 2. Also, adding IP 2 as a local IP alias to ETH0 prevents me from adding any NAT rules, as RTNETLINK says it already exists.

More interestingly, I have gotten my intended setup to work by accident for about 5 minutes. I cheated by first setting IP 2 on ETH0 as an alias and generating traffic, causing an ARP entry to be cached.
Then I removed IP 2 from ETH0 and proceeded to add the NAT entry to translate the machine on my LAN. However, after a little while the ARP entry expired and I was back to square 1.

It seems to me that if I were able to assign a "special" default route for translated addresses on different subnets (with different gateways), this would correct the behavior. However, my skills in programming do not extend to this level, and hence my email :)

I look forward to hearing from all of you.

Cheers

--
Lamp Post Networks (http://www.lamp-post.net)
Web Hosting / Co-Location / Security Consulting

-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.rutgers.edu
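The following is an added example, not part of the post above and not something the poster ran. It shows how the setup the poster describes (IP 2 on a different subnet, with its own gateway, mapped 1-to-1 to an internal host) can be expressed with netfilter/iptables and iproute2 policy routing rather than the kernel's old stateless route-based NAT, which is what the "RTNETLINK says it already exists" symptom points to. The kernel owns IP 2 as an alias (so it answers ARP on the cable segment and knows the second gateway is on-link), DNAT/SNAT do the 1-to-1 rewrite, and a firewall mark routes the internal host's traffic out through IP 2's gateway, since the routing decision is made before SNAT and therefore cannot see the translated source. The addresses are the post's fictitious ones; interface names, the table number and the mark value are assumptions. The script prints the commands by default and only executes them when RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: static 1-to-1 mapping of a second
# public address (IP 2) whose subnet and gateway differ from the firewall's own
# external address (IP 1). Assumes an iptables/netfilter kernel with iproute2.
# Addresses are the post's fictitious ones; interface names, the routing table
# number and the fwmark value are assumptions.

EXT_IF=eth0            # external interface, carries IP 1 (50.50.50.50/25)
LAN_IF=eth1            # internal interface (10.0.0.1/8)
LAN_NET=10.0.0.0/8
PUB_IP=60.60.60.60     # IP 2: the address to be mapped 1-to-1
PUB_PREFIX=25
PUB_GW=60.60.60.1      # IP 2's own next hop
LAN_HOST=10.0.0.5      # the internal machine that should appear as IP 2
TABLE=100              # routing table for traffic that must leave via PUB_GW
MARK=2                 # fwmark that selects that table

# Dry-run by default: print each command. Set RUN=1 (as root) to execute.
run() {
    if [ -n "$RUN" ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_setup() {
    # 1. Let the kernel own IP 2: it then answers ARP for it on the cable
    #    segment and treats PUB_GW as directly reachable through EXT_IF.
    run ip addr add "$PUB_IP/$PUB_PREFIX" dev "$EXT_IF"

    # 2. Inbound: rewrite the destination of packets for IP 2 to the LAN host.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$PUB_IP" \
        -j DNAT --to-destination "$LAN_HOST"

    # 3. Outbound: packets from the LAN host leave as IP 2, not as IP 1.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_HOST" \
        -j SNAT --to-source "$PUB_IP"

    # 4. Routing runs before SNAT, so it cannot select a gateway based on the
    #    translated source. Mark the LAN host's packets on arrival and send
    #    marked packets through IP 2's gateway. The LAN route is copied into
    #    the table so LAN-bound traffic and the reverse-path check still work.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_HOST" \
        -j MARK --set-mark "$MARK"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$PUB_GW" dev "$EXT_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"

    # 5. Forwarding policy: the mapping is 1-to-1, but only connections the LAN
    #    host opens, plus their replies, pass by default. Any service that is
    #    meant to be reachable from outside needs its own explicit ACCEPT rule
    #    placed before the final DROP.
    run iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_HOST" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$LAN_HOST" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$LAN_HOST" -j DROP

    run sysctl -w net.ipv4.ip_forward=1
}

nat_setup
```

Run without RUN set to review the generated commands; with RUN=1 as root they are applied in order. The mangle mark plus `ip rule add fwmark` is what gives the "special default route for translated addresses" the poster asks for: each internal host that is mapped to a public address on another subnet gets its own mark and table, and the main table keeps IP 1's gateway for everything else.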