Thanks! I will suck it and see - can't hurt at the end of the day. I'm hoping to map 48/9/50 to 192.168.0.1/2/3 on the inside, then leave the rest of the workstations to talk via .51. As far as I'm aware, my little class-C is pretty normal in networking terms: .53 is my broadcast address, .46 is the network, etc. It's not a standard 1-node DHCP-based ADSL connection.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Antony Stone
Sent: 21 November 2003 11.43
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: quick question re: natting

On Friday 21 November 2003 10:58 am, Knight, Steve wrote:

> Hi there
>
> I've got ADSL ppp0 facing the net, at x.x.x.47 [as part of a x.x.x.46/29
> subnet], and I want to do static NAT for hosts 48, 49 and 50.
>
> I have a quick question, and my Ziegler book is at home at the moment.
> Back in the days when I worked with Checkpoint, I would have had to have
> ARPed 48, 49 and 50 onto the external interface via the operating system,
> for the one-to-one static NAT to work. Do I need to ARP the IP addresses
> onto ppp0 under Linux / iptables also?

Maybe :)

Sorry to be uncertain, but it depends how your ADSL link works.

If this were a 'normal' routed leased-line type link, then I would say "Yes, you need to ARP for the extra addresses (a simple way is to use ip addr to assign those addresses to your external interface, although I'm not sure if you can do this with ppp interfaces?)".

However, since this is an ADSL setup (and certainly on UK BT ADSL connections I've seen some very odd routing arrangements), it may be that all addresses in your range are being routed through to your end of the ppp link, and you don't need to ARP for them (ARP is not needed on a point-to-point link, only on broadcast-type network structures).

I would recommend just trying it without ARP and see if you get packets - either set up a netfilter rule matching one of the addresses and see if "iptables -L -n -v -x" shows any bytes or packets being counted for it, or else use a packet sniffer / protocol analyser such as tcpdump or ethereal to see if such packets arrive at your machine. If they do, no need for ARP.

Hope this helps,

Antony.

--
The difference between theory and practice is that in theory there is no difference, whereas in practice there is.

Please reply to the list; please don't CC me.
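The "try it without ARP and watch the counters" check from Antony's reply, written out as an added example (not code from either poster). It assumes the documentation addresses 203.0.113.48-50 stand in for the redacted x.x.x.48-50, maps them to the 192.168.0.1/2/3 hosts Steve names, and parses a constructed `iptables -t nat -L PREROUTING -n -v -x` listing instead of a live one, so it runs without root or a ppp0 interface.

```shell
#!/bin/sh
# Placeholder public addresses (the thread redacts them as x.x.x.48-50)
# and the internal hosts they map to, as given in the thread.
PUB48=203.0.113.48; PUB49=203.0.113.49; PUB50=203.0.113.50
INT1=192.168.0.1;   INT2=192.168.0.2;   INT3=192.168.0.3

# One-to-one static NAT for a public/internal pair: DNAT inbound on ppp0,
# SNAT outbound so replies leave with the same public address.
# Run on the firewall as root; not executed here.
install_static_nat() {
    iptables -t nat -A PREROUTING  -i ppp0 -d "$1" -j DNAT --to-destination "$2"
    iptables -t nat -A POSTROUTING -o ppp0 -s "$2" -j SNAT --to-source "$1"
}

# Antony's counter test: read a verbose, exact-count listing on stdin and
# print the pkts column of the first rule whose destination is $1 (0 if none).
# Listing columns: pkts bytes target prot opt in out source destination ...
packets_for_address() {
    awk -v addr="$1" '
        $1 ~ /^[0-9]+$/ && $9 == addr { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# Constructed sample listing: .48 has seen traffic, .49 has not, .50 has
# no rule yet. A real run would pipe from:
#   iptables -t nat -L PREROUTING -n -v -x
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2812 DNAT       all  --  ppp0   *       0.0.0.0/0            203.0.113.48         to:192.168.0.1
       0        0 DNAT       all  --  ppp0   *       0.0.0.0/0            203.0.113.49         to:192.168.0.2'

# Report, per public address, whether packets arrived without any ARP work.
check_counters() {
    for a in "$PUB48" "$PUB49" "$PUB50"; do
        n=$(printf '%s\n' "$SAMPLE_LISTING" | packets_for_address "$a")
        if [ "$n" -gt 0 ]; then
            echo "$a: $n packets counted, traffic reaches the box without ARP"
        else
            echo "$a: nothing counted yet, confirm with: tcpdump -ni ppp0 dst host $a"
        fi
    done
}

check_counters
```

If every address stays at zero after a reasonable wait, that is the case where Antony's other branch applies: the addresses are not being routed to your end of the link and need to be claimed on the external interface.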