-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jason Opperisano
Sent: Wednesday, January 05, 2005 11:11 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Setting up 1:1 NAT for DMZ (Repost w/o HTML)

On Wed, Jan 05, 2005 at 10:28:12AM -0800, Spidal, Glen wrote:
> Hello all,
>
> I would like some advice on setting up 1:1 incoming and outgoing NAT
> for a block of 13 public IP addresses. I looked at the Patch-O-Matic
> NETMAP command, but it appears it is for an entire subnet. Currently
> the addresses are the same for web and email traffic but that may
> change in the future.
>
> I looked at a sample script and have NATing working for my LAN but not
> my DMZ. Two of the public IPs would be for DNS servers. I added
> eth0:1 but am unsure how to process that public IP from there on.

>> ideally--the addresses are contiguous and the last octet of the public NAT
>> address matches the last octet of the private DMZ address; and you can
>> script it like so:
>>
>>   for i in `seq 11 23`; do
>>     # make the public address local to the firewall
>>     ip addr add 1.2.3.${i} dev $EXT_IF
>>
>>     # inbound: rewrite the public destination to the DMZ host
>>     iptables -t nat -A PREROUTING -i $EXT_IF -d 1.2.3.${i} \
>>       -j DNAT --to-destination 10.1.1.${i}
>>
>>     # outbound: rewrite the DMZ source to its public address
>>     iptables -t nat -A POSTROUTING -o $EXT_IF -s 10.1.1.${i} \
>>       -j SNAT --to-source 1.2.3.${i}
>>   done
>>
>> if the addresses are non-contiguous--you would just need to modify the
>> construct of the for loop, but if the last octet doesn't match (or isn't
>> somehow logically related)--the above loses its value.
>>
>> -j
>>
>> --
>> "I'll be deep in the cold, cold ground before I recognize Missoura!"
>>    --The Simpsons

Jason,
Thanks so much. I'm new to bash scripting. In the statement below,

    for i in `seq 11 23`;

which digits are the starting point and which ones are the number of loops?
Also, how do I set the subnet on the public IPs added using the ip add command
in the script? Mine happens to be 255.255.255.192.

-Glen
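Editor's note, with an added example that is not from either poster. Two points the thread raises are worth pinning down. `seq 11 23` counts from the first argument to the last one inclusive, so it yields 11, 12, ..., 23 (thirteen values); it is not a start and a count. And `ip addr add` takes a prefix length rather than a dotted netmask, so 255.255.255.192 is written `/26`, as in `ip addr add 1.2.3.11/26 dev eth0`. The script below is a generalisation of Jason's loop for the case he flags as losing its value: public and private addresses that are not contiguous and do not share a last octet. Each pairing is listed in a table instead of being derived from a counter, the dotted mask is converted to a prefix length, and, since DNAT only rewrites addresses, the FORWARD chain is told which services may actually reach each host. Everything concrete is an assumption for the example: `eth0` outside, `eth2` to the DMZ, a public block of 1.2.3.0/26, a DMZ of 10.1.1.0/24, and a constructed three-host mapping. Commands are printed unless `DRY_RUN=0` is set, so it can be read and tested before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Builds 1:1 NAT for a
# set of public addresses that need not be contiguous or share a last
# octet with their DMZ hosts: each pairing is spelled out in NAT_MAP.
# Assumed for the example: eth0 is the outside interface, eth2 faces the
# DMZ, the public block is 1.2.3.0/26 (netmask 255.255.255.192) and the
# DMZ is 10.1.1.0/24.  Commands are printed unless DRY_RUN=0 is set.

EXT_IF=${EXT_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth2}
DRY_RUN=${DRY_RUN:-1}

# Constructed mapping: "public private allowed-services", one host per line.
# Services are proto/port, comma separated; only these are forwarded inbound.
NAT_MAP='
1.2.3.11 10.1.1.11 udp/53,tcp/53
1.2.3.12 10.1.1.12 udp/53,tcp/53
1.2.3.20 10.1.1.30 tcp/25,tcp/80,tcp/443
'

# Dotted netmask -> prefix length, e.g. 255.255.255.192 -> 26.
# Returns 1 for a mask whose one bits are not contiguous.
mask_to_prefix() {
    val=0; bits=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        val=$(( (val << 8) | octet ))
    done
    IFS=$old_ifs
    n=$val
    while [ "$n" -gt 0 ]; do
        bits=$(( bits + (n & 1) ))
        n=$(( n >> 1 ))
    done
    # A valid mask is a run of ones then zeros, so shifting the 32-bit
    # value left by its popcount must leave only zeros behind.
    if [ $(( (val << bits) & 4294967295 )) -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    echo "$bits"
}

PREFIX=$(mask_to_prefix 255.255.255.192)   # the assumed /26 block

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# NAT plus filtering for one public/private pair.
nat_pair() {
    pub=$1; priv=$2; services=$3
    # The public address must be configured on the firewall so it answers
    # ARP for it; ip takes a prefix length, not a dotted netmask.
    run ip addr add "$pub/$PREFIX" dev "$EXT_IF"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$pub" \
        -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$priv" \
        -j SNAT --to-source "$pub"
    # DNAT only rewrites the address; the FORWARD chain still decides what
    # is let through, so open only the listed services for this host.
    for svc in $(printf '%s' "$services" | tr ',' ' '); do
        run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$priv" \
            -p "${svc%/*}" --dport "${svc#*/}" -m conntrack --ctstate NEW -j ACCEPT
    done
}

apply_map() {
    # Replies to accepted connections ride on conntrack state; the DMZ may
    # open connections outward (SNAT gives them their public source).
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -j ACCEPT
    printf '%s\n' "$NAT_MAP" | while read -r pub priv services; do
        [ -n "$pub" ] || continue
        nat_pair "$pub" "$priv" "$services"
    done
    # Anything inbound to the DMZ not matched above is dropped.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -j DROP
}

apply_map
```

Run it as-is to review the generated commands; run it with `DRY_RUN=0` as root to apply them. Keeping the pairing in a table rather than a counter means adding a host is a one-line change and the mapping is visible in one place, which is also where an auditor would look to confirm that nothing beyond the listed services is exposed.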