Re: Route NAT dead. Is anybody going to support it?

On Tuesday 23 November 2004 02:22, you wrote:
> On Mon, 22 Nov 2004, Peter Volkov Alexandrovich wrote:

> I don't see how this question is different in iptables vs route NAT. In
> both you need to tell who is where, and who should be NAT:ed how. In both
> you need to tell the surrounding network where to route traffic somehow,
> especially on the Internet side.

Well. If you speak about principal differences, of course I know nothing about 
them. The simple idea behind them is the same. But summarising my knowledge about 
route NAT, I can tell you that
1. It is faster.
2. Knowledge about only one utility (ip) and use of two commands (ip route and 
ip rule) IMHO is much simpler and more understandable than adding new interfaces 
(e.g. with ip or ifconfig) and using NAT (e.g. iptables). But this is IMHO, 
and you may think otherwise.

> > I can bind second address on my router (e.g. ip add add
> > xxx.xxx.xxx.98/28 brd + dev eth0). Then the packets sent to real IP
> > address xxx.xxx.xxx.98/28 to be DNAT'ed on user's LAN IP and when user
> > send packets to internet they are SNAT'ed to his real IP
> > (xxx.xxx.xxx.98/28).
>
> If you prefer you can nat in both directions. Does not really give your
> users real IP addresses however.

Well. As I could find out, most users need this real IP only for sending 
SMS (there exists a maximum number of messages per day from one IP address) and playing 
games. So in this sense they have a real IP.

I know from this list that it is impossible to use ftp and irq and maybe some 
other protocols with NAT. BTW, do there exist FTP servers which allow one to 
set a different IP inside the protocol, the same as the proxy_interfaces option in Postfix's 
configuration?

> > Why the term virtual address? Well. With ifconfig I have to add a "virtual
> > interface". I could not add a second address. So I called this kind of
> > binding of a new address --- virtual address. May be a wrong term. I don't
> > know.
>
> iptables does NOT require you to label the new IP address in the setup
> described above, in fact it could not care less if this is done or not
> (even if you do iptables still sees only the real device name). All
> iptables cares about is that the surrounding network needs to know to send
> the traffic to your router for the IP addresses it needs to route. If the
> surrounding network does not know to send the traffic to your router
> obviously nothing will happen. iptables is completely agnostic to how this
> is done (routing at the ISP, proxy-arp, secondary IP addresses, labelled
> secondary ip addresses eth0:X, etc...)

Of course you are right. I've just tried to explain why I called this kind of 
pushing packets into the router a virtual address. As I said, I think this may be a 
wrong term.

-- 

______________________________________

Volkov Peter, <pvolkov@xxxxxxxxxxx>
Moscow State University, Phys. Dep.
______________________________________

NO ePATENTS, eSIGN now on:
http://petition.eurolinux.org
and maybe this helps...

Linux 2.4.26-gentoo-r9 i686
Mobile Intel(R) Celeron(R) CPU 1.60GHz
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
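The two setups the thread compares, written out side by side as an added example (not code from the original message or from the linux-net list): the 2.4-era stateless "route NAT" done purely with `ip route` / `ip rule`, and the same one-to-one mapping with connection-tracked iptables DNAT/SNAT. The script only prints the commands so they can be reviewed before being run as root; the public address 203.0.113.98 (TEST-NET-3), LAN host 192.168.1.10 and interface eth0 are constructed sample values, and the iptables variant assumes the FORWARD chain's policy is already DROP. As the quoted reply stresses, neither variant does anything unless the surrounding network delivers the public address to the router (secondary address, proxy_arp, or ISP routing). One caveat relevant to the FTP question above: the route-NAT form has no connection tracking, so protocols that carry addresses inside the payload cannot be helped, whereas the netfilter form can load the ip_conntrack_ftp / ip_nat_ftp helpers.

```shell
#!/bin/sh
# Added example, not code from the original thread. Prints (does not run)
# the two equivalent one-to-one NAT setups the thread compares, so they
# can be reviewed before being applied with root privileges.
# Sample values are constructed: public address 203.0.113.98 (TEST-NET-3),
# LAN host 192.168.1.10, Internet-facing interface eth0.

# Reject anything that is not a plain dotted-quad IPv4 address, so that
# untrusted input can never be spliced into the generated command lines.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# route_nat_cmds PUBLIC_IP LAN_IP EXT_IF
# Linux 2.4 "route NAT": stateless 1:1 translation expressed purely with
# ip route / ip rule (the kernel feature the thread says is dead; it was
# dropped in 2.6). Returns 1 on malformed addresses.
route_nat_cmds() {
    pub=$1; lan=$2; dev=$3
    valid_ipv4 "$pub" && valid_ipv4 "$lan" || return 1
    cat <<EOF
# make the router answer for the public address (alternatively proxy_arp / ISP routing)
ip addr add $pub/32 dev $dev
# inbound: packets addressed to $pub are rewritten to $lan
ip route add nat $pub via $lan
# outbound: packets from $lan leave with source $pub
ip rule add nat $pub from $lan
EOF
}

# iptables_nat_cmds PUBLIC_IP LAN_IP EXT_IF
# Same mapping with connection-tracked netfilter NAT. The FORWARD rules
# limit forwarding to replies plus new flows to or from the one mapped host
# (assumes the FORWARD chain's policy is DROP). Returns 1 on malformed addresses.
iptables_nat_cmds() {
    pub=$1; lan=$2; dev=$3
    valid_ipv4 "$pub" && valid_ipv4 "$lan" || return 1
    cat <<EOF
ip addr add $pub/32 dev $dev
iptables -t nat -A PREROUTING -i $dev -d $pub -j DNAT --to-destination $lan
iptables -t nat -A POSTROUTING -o $dev -s $lan -j SNAT --to-source $pub
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dev -d $lan -m state --state NEW -j ACCEPT
iptables -A FORWARD -s $lan -o $dev -m state --state NEW -j ACCEPT
EOF
}

# Stand-alone run: show both variants for the constructed sample values.
for variant in route_nat_cmds iptables_nat_cmds; do
    echo "### $variant"
    "$variant" 203.0.113.98 192.168.1.10 eth0
    echo
done
```

To apply one variant, pipe its output into `sh` on the router after checking it; the address validation is deliberately strict so that a value taken from a user database cannot inject extra shell commands.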
