Re: Route Nat dead. Does anybody going to support it?


 



On Mon, 22 Nov 2004, Peter Volkov Alexandrovich wrote:

<internet>-----------------eth0<router>eth1-------------<LAN>
         xxx.xxx.xxx.96/28                172.16.0.0/16

Now. Some of them need real IP and they also want to be in the same subnet as
others. What can I do?

To truly give them real IPs, host-route them on the router and proxy-arp on the Internet side to make the Internet know it needs to route the IPs of the users with real IPs via the router.


I don't see how this question is different in iptables vs route NAT. In both you need to tell who is where, and who should be NAT:ed how. In both you need to tell the surrounding network where to route traffic somehow, especially on the Internet side.

I can bind a second address on my router (e.g. ip add add xxx.xxx.xxx.98/28 brd + dev eth0). Then the packets sent to the real IP address xxx.xxx.xxx.98/28 are to be DNAT'ed to the user's LAN IP, and when the user sends packets to the internet they are SNAT'ed to his real IP (xxx.xxx.xxx.98/28).

If you prefer you can nat in both directions. Does not really give your users real IP addresses however.


Why the term virtual address? Well. With ifconfig I have to add a "virtual
interface". I could not add a second address. So I called this kind of
binding of a new address --- virtual address. Maybe the wrong term. I don't know.

iptables does NOT require you to label the new IP address in the setup described above, in fact it could not care less if this is done or not (even if you do iptables still sees only the real device name). All iptables cares about is that the surrounding network needs to know to send the traffic to your router for the IP addresses it needs to route. If the surrounding network does not know to send the traffic to your router obviously nothing will happen. iptables is completely agnostic to how this is done (routing at the ISP, proxy-arp, secondary IP addresses, labelled secondary ip addresses eth0:X, etc...)


Regards
Henrik
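
The two setups discussed in this message, host route plus proxy ARP versus 1:1 NAT on a secondary address, written out as an added example that is not part of the original mail. The addresses 192.0.2.98 and 172.16.0.10 are constructed placeholders (the archive masks the real ones), the function names are hypothetical, and the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: dry-run planner for the two ways of giving one LAN host a
# public address that the thread discusses. Nothing is applied; each function
# prints the commands so they can be reviewed first.
WAN_IF=eth0   # Internet side, as in the diagram
LAN_IF=eth1   # LAN side (172.16.0.0/16)

# Accept only a dotted quad with octets 0-255, so no shell metacharacters
# can reach the generated command lines.
valid_ipv4() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Variant 1: the host carries the public address itself. The router gets a
# host route toward the LAN and answers ARP for that address on the WAN side.
plan_proxy_arp() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip route add $1/32 dev $LAN_IF
ip neigh add proxy $1 dev $WAN_IF
EOF
}

# Variant 2: the router owns the public address as a secondary IP and
# translates in both directions; the host keeps its 172.16.x.x address.
plan_one_to_one_nat() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "bad address" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add $1/28 brd + dev $WAN_IF
iptables -t nat -A PREROUTING -i $WAN_IF -d $1 -j DNAT --to-destination $2
iptables -t nat -A POSTROUTING -o $WAN_IF -s $2 -j SNAT --to-source $1
EOF
}

# Constructed sample values (TEST-NET-1 and a host in the page's LAN range).
plan_proxy_arp 192.0.2.98
plan_one_to_one_nat 192.0.2.98 172.16.0.10
```

In both variants the LAN host becomes reachable from the Internet on every port unless the router's FORWARD chain filters the traffic.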
