Thanks for the response. I finally figured out how to do this on Solaris:

  $ echo 'map hme0 192.168.2.0/24 -> 0/32' | ipnat -f -

does the job for primary interface hme0, configured by DHCP, with static logical interface hme0:1 configured as 192.168.2.1 and dhcpsvc.conf containing "INTERFACES=hme0:1" and dhcptab set up to serve the 192.168.2/24 network, setting the default-router option to 192.168.2.1, and with

  ifconfig hme0 dhcp
  ifconfig hme0 addif 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255 up arp
  ifconfig hme0 router
  ifconfig hme0:1 router
  svcadm enable svc:/network/dhcp-server
  svcadm enable svc:/network/ipfilter

somewhere in startup scripts.

The Solaris box is my only non-laptop box so problem solved (for me) - but I'd still like to know. Please, could anyone answer:

 o is there / what is the equivalent netfilter rule for Linux ?
 o why do the firestarter rules require two physical ethernet interfaces in order to enable "internet connection sharing" ?
 o Is it possible to do internet connection sharing with NAT on Linux with only one physical ethernet interface ?

All the documentation I can find assumes two interfaces. I want to know how to be able to create a similar configuration on Linux, ie:

 - single primary physical ethernet interface (eth0) configured with DHCP
 - a "private" ip also configured on eth0:
     $ ip addr add dev eth0 192.168.2.1/24 ...
 - DHCP set up to serve the 192.168.2/24 net ( I can do this OK !)
 - create NAT rules to replace the source address of packets with a destination address not on subnet 192.168.2/24 with the DHCP address of eth0, maintenance of state for such packets, and mapping the destination address of packets received from the non-192.168.2/24 network to the 192.168.2/24 address of the originating host for the 'ESTABLISHED' packet session.

Is this possible with a single ethernet interface on Linux or not?
Thanks & Regards,
Jason

On Sunday May 17 2009 04:14:02 Brian Austin - Standard Universal wrote:
> Hi,
>
> this seems very simple, google for source nat, destination nat and
> masquerade
>
> http://www.howtoforge.com/internet-connection-sharing-masquerading-on-linux
>
> portforwarding is also rather simple.
>
> regards
>
> Brian
>
> Jason Vas Dias wrote:
> > Hi -
> >
> > This is my first post to this list, so please excuse me if I miss
> > something or if this is an inappropriate posting for this list.
> >
> > Question :
> >
> > I am trying to replace an ancient MacOSX box, whose natd(8) does a
> > really great job of "Connection Sharing" - becoming a router for the
> > "External Internet" to my local LAN subnet whose addresses it has
> > provided with DHCP ( 192.168.2.2 - 4 ) .
> >
> > So natd(8) maps the IP source address in packets originating from the
> > local 192.168.2.{2,3,4} subnet that appear from the en0 interface, to
> > the external internet address given to the single interface en0 by my
> > DSL modem, and sends such packets out on en0 with the destination
> > address and port mapped back to natd's address and port on the
> > external internet. natd(8) maintains a table of all such packets sent
> > out to the external internet, such that when a response for such a
> > packet is received, the destination IP address is mapped back to the
> > original packet originator, and is then sent back out on en0 to the
> > local DMZ subnet host that originated it, as in this diagram :
> >
> >   MacOS Host:
> >     single IP interface en0:
> >       ipv4 address 192.168.2.1
> >       ipv4 address 66.68.31.192 (assigned from DSL router)
> >     natd:
> >       listens on 66.68.31.192:natd
> >     bootpd:
> >       listens on 192.168.2.1:bootps
> >
> >   DMZ hosts: 192.168.2.2, 192.168.2.3, 192.168.2.4
> >
> > All these hosts are connected to the same hub, whose uplink cable is
> > connected to the DSL Router.
> >
> > natd(8) reads a raw socket to receive every packet that is received
> > on interface en0. When a packet is received from a 192.168.2.x source
> > address with a destination address that is not in subnet 192.168.2/24,
> > it replaces the 192.168.2/24 address with 66.68.31.192, and the
> > destination address and port with 66.68.31.192:natd, and sends the
> > packet back out on en0; the DSL router sends such packets on to the
> > external internet, and the external internet host sends responses
> > back to 66.68.31.192:natd; natd can then use the packet identifiers
> > it generated for the request packets to the response packet (it could
> > even use a separate port to receive response packets for each
> > separate DMZ host, so the mapping becomes trivial).
> >
> > My question is : how can this be achieved with Linux netfilter or
> > Solaris IP Filter / ipnat(4) ? I have either a Solaris host or a Linux
> > host I can use for this job. The old MacOSX ppc32 host is too slow,
> > and does not support more than two other hosts on the DMZ .
> >
> > What I don't understand from the netfilter / ipfilter documentation is
> > precisely how a response from the external internet, with a
> > destination IP + port on the gateway, is translated into a response
> > for a DMZ host in the same way as natd does.
> >
> > I have looked at the open-source firestarter project, which can
> > construct NAT rules to do this for a gateway host with two physical
> > interfaces, but all my hosts have only one physical ethernet
> > interface.
> >
> > Could anyone please explain how response packets can be routed back to
> > the DMZ host with Linux netfilter or Solaris ipfilter rules ?
> >
> > Thanks in advance,
> > Jason.
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
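The Linux counterpart of the `map hme0 192.168.2.0/24 -> 0/32` ipnat rule above, written out as an added example (it is not code from any of the posters or from the netfilter project). It assumes the layout described in the thread: a single eth0 carrying the DHCP-assigned public address plus a static 192.168.2.1/24 alias, with clients in 192.168.2.0/24. The tooling assumed is iptables with the conntrack match (older iptables spell it `-m state --state`) and sysctl; the file name and the `--apply` flag are this example's own. The script prints the rules rather than applying them, so it can be reviewed first and run offline.

```shell
#!/bin/sh
# Added example (not from the thread): single-interface NAT on Linux.
# Assumptions: eth0 holds both the DHCP-assigned public address and a static
# 192.168.2.1/24 alias; DHCP clients live in 192.168.2.0/24; iptables with the
# conntrack match and sysctl are available. Apply only as root.
set -eu

WAN_IF=${WAN_IF:-eth0}             # the one physical interface
LAN_NET=${LAN_NET:-192.168.2.0/24} # the private subnet served by DHCP

# nat_rules prints the rule set, one command per line. Nothing here touches
# the kernel; pipe the output into a root shell to apply it.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.${WAN_IF}.send_redirects=0
iptables -t nat -A POSTROUTING -o ${WAN_IF} -s ${LAN_NET} ! -d ${LAN_NET} -j MASQUERADE
iptables -A FORWARD -i ${WAN_IF} -o ${WAN_IF} -s ${LAN_NET} ! -d ${LAN_NET} -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}
# What each line does:
#  - ip_forward=1: the box must route, even though "in" and "out" are the
#    same wire (eth0 -> eth0).
#  - send_redirects=0: hairpin forwarding out the arrival interface is the
#    classic trigger for ICMP redirects; switched off defensively so clients
#    keep using 192.168.2.1 as their router.
#  - MASQUERADE: SNAT to whatever address eth0 currently holds, which is what
#    a DHCP-assigned public address needs (SNAT --to would hard-code it).
#    "! -d LAN_NET" keeps LAN-to-LAN and LAN-to-gateway traffic untranslated.
#  - The reverse mapping is implicit: conntrack records the original tuple
#    (192.168.2.x:p -> remote) and the reply tuple (remote -> public:p'); an
#    inbound packet matching a reply tuple is un-NATed in PREROUTING before
#    routing, then passes FORWARD as ESTABLISHED. No reverse rule is written.
#  - Only the LAN may open new forwarded connections; anything else that
#    reaches FORWARD is dropped.

# Review with:  sh nat-single-if.sh
# Apply (root): sh nat-single-if.sh --apply
if [ "${1:-}" = "--apply" ]; then
    nat_rules | sh -ex
else
    nat_rules
fi
```

Two caveats for this topology that the rules do not solve: the gateway's DHCP server and the DSL router's DHCP server share one broadcast domain, so a client takes whichever offer arrives first unless the router's server is scoped or disabled; and when the DHCP lease on eth0 moves to a different address, MASQUERADE drops the conntrack entries bound to the old address, so existing sessions from the 192.168.2.x hosts are reset rather than silently broken.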