Hi,
At work (where there's no one else to do this job,
so it's up to me even though I'm no network expert) we have installed an
internet service. We have been given 5 public IP addresses whose traffic comes
from one single RJ45 jack (which is on a device which connects to a small dish).
The provider expects traffic to come from
172.19.78.6 to 172.19.78.1. Those addresses
of course can't connect to the internet, but the public IPs (obviously)
can.
Since I want the LAN computers not to use
public IPs at all (and keep them for server use), I have it set up like
this:
Provider <-------> Linux <-------> LAN
The Linux box has two NICs, one is connected to the
Provider and the other one to the LAN.
The NIC connected to the provider has the IP
172.19.78.1, as expected. However, since the box is also our webserver and needs
to own the public addresses, I'm cheating by doing this:
iptables -t nat -A POSTROUTING -o $NEO_IFACE -j SNAT --to-source $PUBLIC_IP
iptables -t nat -A PREROUTING -i $NEO_IFACE -d $PUBLIC_IP -j DNAT --to-destination $PRIVATE_IP

which makes sure that all traffic to the
external interface uses a public IP instead of the provider private one, and
converts traffic coming from the internet to the IP address I have in the
card.
This seems to work fine (well, FTP gets
confused and sends the private address for PORT, but I guess that's easily
fixable). I get lots of "martian source" messages in the logs, plus honestly,
I'm not sure this is the right way to set this up.
Any advice?