It appears, from further reading, that SNAT will do what I need (I was thinking MASQUERADE as these are all outbound connections where the machines connect to a remote host, pull a bunch of data, and disconnect. No inbound connections are supported or desired through this NAT device). Now my question has changed and narrowed in scope. Will my machine respond to arp for the SNAT addresses if they are in the config or must I physically add the addresses to an interface? By the way, the document here was a great help in my understanding of SNAT: http://www.web-articles.info/e/a/title/SNAT-with-iptables/ On Mon, May 25, 2009 at 9:05 PM, George B. <georgeb@xxxxxxxxx> wrote: > It has been a while since I have used Linux NAT (2.4 kernels) and > things have evolved considerably since then. > I am investigating the possibility of using Linux to provide NAT > functionality in a network and want to know if it > can meet my requirements. Here is what I need to be able to do: > > 1. Several groups of internal machines must be NATed to different > outside IP addresses on the same physical interface. > These groups of internal servers are of varying numbers so they don't > rest on even network boundaries. For example: > > 172.16.1.1, 172.16.1.6, and 172.16.1.34 get NATed to 1.1.1.1 > 172.16.1.3, 172.16.2.4 and 172.16.2.73 get NATed to 1.1.1.2 > > All others get NATed to 1.1.1.3 > > 2. Some of these groups of internal machines will have more than 64K > outbound connections and will require more than > one external IP address. To rewrite the example above: > > 172.16.1.1, 172.16.1.6, and 172.16.1.34 get NATed to 1.1.1.1 or 1.1.1.2 > 172.16.1.3, 172.16.2.4 and 172.16.2.73 get NATed to 1.1.1.3 or 1.1.1.4 > > All other traffic NATed to 1.1.1.5 or 1.1.1.6 > > There is only one "inside" and one "outside" interface. > There could be in excess of a Gig of traffic. > > The application is that of a application service provider. The > internal addresses map to machines running applications for various > clients. > These applications must map to outside addresses that associate to > that client. That is a hard requirement placed on this > traffic from an outside organization where much of the traffic is > destined. So one pool of internal machines for client A must map > to an outside IP address pool associated with client A and used only > for traffic from the client A applications. > > So my question before I risk a lot of frustration is if it is even > feasible to go down the Linux/Netfilter route. If so, any hints for > boosting performance would be appreciated as well (e.g. it looks like > there might be a role here for ipset). And if this can be done, > must the outside addresses be contiguous or can they be assigned as > needed as traffic grows? > > Thanks in advance for your time and consideration, > > George > -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html