On Wednesday 05 February 2003 01:27 pm, EricRyd@cdw.com wrote:

> I have been given a task to set up One to One NAT on a Linux box. If
> I'm correct I need to do this
>
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.1 -j DNAT
> --to-destination 172.100.1.1
>
> First off, is this the correct syntax? If not, I can't find for sure
> what I would have to do. Any suggestions?

This rule will take any TCP packets entering the box with destIP of
192.168.1.1 and change that destIP to 172.100.1.1. If that is the way
you want the packets changed (and not the other way around) then your
syntax is correct. :^)

You also have to ensure this traffic is ACCEPTed in the FORWARD chain.
Also, you might (depending on the nature of the traffic) want/need to
allow ESTABLISHED and RELATED state connections through FORWARD as
well - you'd at least need return traffic ACCEPTed.

> Second, here is another scenario I have to do. I work for Tech
> Support, and we have a lab full of devices to assist us when working
> with Customers. Our internal IP Scheme is 192.168.0.0/16. Some of
> the devices are 192.168.1.0/24 and can't be changed. The original
> plan was to setup a 1:1 NAT with the Linux box to forward to the /24
> network so we could use all of the devices, but since I have been
> given the project I can't see it working. How will the Linux box know
> which network to pass information on to since they are both
> 192.168.x.x. Any suggestions or ideas?

If they are on the same network wiring, and the 192.168.0.0/16 doesn't
have any machines with IPs overlapping the 192.168.1.0/24, you should
be fine. The only problem you would have is the 192.168.1.0/24 machines
wouldn't realize that the others are actually local. If there's no
overlap, and they don't need to talk to each other directly, you
should be able to do it.

If they are on separate wiring, separate interfaces in the Linux box,
I think you can get it to work by making sure the /24 route appears
first, before the /16 route, but I'm not certain of this, and it
wouldn't really be 'proper'... Routing itself might be accomplished by
marking all /16 packets in mangle prerouting then setting up separate
routing for that mark, but again you couldn't handle any overlaps.

In iptables rules themselves you can 'cheat' and use a mask like
255.255.1.0 to separate odd and even numbers in the third octet, but
you'd need to ensure that the /24 network doesn't use any odd numbers
then. Still not a good solution, and wouldn't address routing issues
without getting into full-time marking, since I don't believe that
iproute2 supports funky masks like this. (I might be wrong though)

j

> Thanks in advance,
>
> Eric
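The complete rule set the reply describes for the first question (the DNAT rule plus the FORWARD-chain ACCEPTs for the new connections and their return traffic), as an added example that is not part of the thread. The 192.168.1.1 and 172.100.1.1 addresses are the ones from Eric's mail; the `DRY_RUN` variable, the address validation, the `-m state --state` matches and the `sysctl` call are assumptions of this script, not something the reply specifies. By default it only prints the commands it would run; set `DRY_RUN=0` and run it as root to apply them.

```shell
#!/bin/sh
# Added example: one-to-one DNAT of a public-side address to an internal
# host, with the FORWARD-chain rules the reply says are also needed.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (root).

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted quad with every octet in 0-255. This catches the
# kind of typo in the original mail, where "192.168.1.1-j" would have been
# handed to iptables as a single (invalid) address argument.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -ge 0 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the rules for DNAT of PUBLIC_IP to INTERNAL_IP.
# Usage: onetoone_rules PUBLIC_IP INTERNAL_IP [PROTO]   (PROTO defaults to tcp)
onetoone_rules() {
    public="$1"
    internal="$2"
    proto="${3:-tcp}"
    if ! valid_ipv4 "$public" || ! valid_ipv4 "$internal"; then
        echo "usage: onetoone_rules PUBLIC_IP INTERNAL_IP [PROTO]" >&2
        return 1
    fi

    # The box must forward at all; the FORWARD chain is never consulted otherwise.
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination in nat/PREROUTING, before the routing decision.
    run iptables -t nat -A PREROUTING -p "$proto" -d "$public" \
        -j DNAT --to-destination "$internal"

    # After DNAT the packet carries the new destination, so FORWARD must
    # match on the internal address, not the public one.
    run iptables -A FORWARD -p "$proto" -d "$internal" -m state --state NEW -j ACCEPT

    # Return traffic (and related packets such as ICMP errors) must also be
    # forwarded, or the first reply is dropped and nothing ever connects.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone use: ./onetoone.sh 192.168.1.1 172.100.1.1 [tcp]
if [ $# -ge 2 ]; then
    onetoone_rules "$@"
fi
```

A `-d 192.168.1.1` match in FORWARD would never fire here, because by the time the packet reaches FORWARD its destination already reads 172.100.1.1; that ordering is the single most common reason a DNAT rule "doesn't work".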