On 7/3/07, Grant Taylor <gtaylor@xxxxxxxxxxxxxxxxx> wrote:
> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> > I'm going to setup a bridged NAT linux box for many users. I want one
> > outside IP address to serve for instance 10.0.0.0/22.
>
> Why do this with bridging? If you have a 10.0.0.0/22 network like you say, it is private and thus not globally routable. So, to reach the internet you will have to NAT to a globally routable IP. Thus you have a private subnet and a public subnet, which is an ideal environment for a layer 3 router. Even if you are not going to a public IP but rather another private IP, the same scenario holds true. Or are you for some reason wanting to perform a layer 3 function on layer 2? If so, can I ask why?
Ok, I think you're right here.
> > I want to be sure that each local IP address always has 1024 NAT
> > sessions available and that sessions is kept even if the timeout is
> > reached. If 1024 sessions is reached and a new session is being
> > established then it will take over the oldest (timed out) session.
>
> I'm not sure that you will be able to specify how many NAT sessions each system will have and / or how to control the expiration thereof. I do know that you will have (or did have to in previous kernels) to have a fair amount of RAM for the connection tracking table to not wrap on a network of that size.
>
> > Is this possible with iptables?
>
> The first part of what you want to do (layer 2 or layer 3) NATing, yes. As far as controlling how many sessions are reserved / maintained even beyond timeouts, I don't know. I'm betting not, especially to the latter.
I guess the question was more about controlling the number of NAT sessions per local IP address?

- Martin
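As an added example (not code from anyone in this thread), here is how the layer 3 alternative Grant describes could be written with current iptables: SNAT for 10.0.0.0/22, a per-host cap using the connlimit match, and a conntrack table sized from hosts times sessions. Assumed names: eth0/eth1 as outside/inside interfaces, 203.0.113.1 as the public address, and roughly 300 bytes per conntrack entry (a commonly quoted estimate, not a measured value). The functions only print the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: rule generator for a layer 3 NAT gateway in front of 10.0.0.0/22.
# Assumed: eth0 = outside, eth1 = inside, 203.0.113.1 = public IP (documentation range).
# Nothing is applied; emit_rules prints the commands for review.

# Usable host addresses in an IPv4 prefix (network and broadcast excluded).
usable_hosts() {
    prefix=$1
    echo $(( (1 << (32 - prefix)) - 2 ))
}

# Conntrack entries needed for every host to hold PER_HOST sessions at once.
conntrack_entries() {
    echo $(( $(usable_hosts "$1") * $2 ))
}

# Rough RAM (MiB) for that table, assuming ~300 bytes per entry (assumption).
conntrack_mib() {
    echo $(( $(conntrack_entries "$1" "$2") * 300 / 1024 / 1024 ))
}

# Print the ruleset. connlimit rejects the (PER_HOST+1)th new session from one
# inside address; it does not evict the oldest entry, which is the part of
# the original request that iptables offers no setting for.
emit_rules() {
    wan_if=$1; wan_ip=$2; lan_if=$3; lan_net=$4; per_host=$5
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.netfilter.nf_conntrack_max=$(conntrack_entries "${lan_net#*/}" "$per_host")
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
iptables -A FORWARD -i $lan_if -s $lan_net -m conntrack --ctstate NEW \\
  -m connlimit --connlimit-above $per_host --connlimit-mask 32 -j REJECT
iptables -A FORWARD -i $lan_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Example run for the network in the thread:
emit_rules eth0 203.0.113.1 eth1 10.0.0.0/22 1024
echo "# approx. conntrack RAM: $(conntrack_mib 22 1024) MiB"
```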