Re: Advice on best way to set up multi-route NAT for lots of IPs

On Thu, 2012-01-05 at 16:59 +0000, Andrew Beverley wrote:
> On Thu, 2012-01-05 at 12:59 +0100, Anton Melser wrote:
> > On 5 January 2012 09:59, Rob Sterenborg (lists) <lists@xxxxxxxxxxxxxxx> wrote:
> > > On Sun, 2012-01-01 at 17:10 +0100, Anton Melser wrote:
> > >> I thought that the best way to go would be to set up NAT using blocks
> > >> in the 10.0.0.0 range. So say for each external IP I would have a /24,
> > >> giving me up to 250-odd potential internal machines. So 10.1.1.1,
> > >> 10.1.1.2, 10.1.1.3, etc. would map to 1.1.1.1; 10.1.2.1, 10.1.2.2,
> > >> 10.1.2.3, etc. would map to 1.1.1.2, etc.
> > >> I have been reading as many sites as I can but I can't work out the
> > >> best way to go forward.
> > >
> > > So, I think I understand that you want to SNAT a complete private subnet
> > > to a corresponding public subnet. Is the NETMAP target usable for you,
> > > or am I misunderstanding you completely?
> > > Something like:
> > >
> > > iptables -t nat -A POSTROUTING -s ${private_subnet} -j NETMAP --to
> > > ${public_subnet}
> > 
> > Thanks for the suggestion. It appears that NETMAP does 1:1 and both
> > SNAT and DNAT. I need to do many:1 lots of times (so (many:1)*n),
> 
> Are you sure? Remember: we're talking IP addresses here (not physical
> devices), and I thought you actually wanted to do one IP address from
> the internal network to one external IP address. The IP address on the
> internal network stipulating which external address to use.
> 
> So, I've never used NETMAP, but it sounds like it would work for you.
> 
> >  and
> > I don't need (or want actually) DNAT.
> 
> Especially, if as Rob says, it'll do SNAT when used in POSTROUTING.

Except if the OP wants to NAT, say, a /24 to each of his public IPs;
then it's not going to work with NETMAP. And that is what I understood
when I re-read his first post. NETMAP will only do a 1:1 NAT (each
private IP to a corresponding public IP) for networks.


--
Rob
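As an added example (not code from anyone in the thread), the following POSIX shell script makes the distinction above concrete: NETMAP rewrites only the network part of a source address and keeps the host part, so it is 1:1, whereas one SNAT rule per internal /24 sends every host in 10.1.N.0/24 out as the single public address 1.1.1.N, which is the (many:1)*n mapping the OP asked for. The 10.1.N.0/24 and 1.1.1.N addresses are the thread's own placeholders (not real allocations), `eth0` is an assumed outgoing interface, the NETMAP helper assumes /24 prefixes on both sides, and the iptables rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Contrasts NETMAP (1:1 network-to-network) with per-subnet SNAT (many:1 per /24).
# Addresses 10.1.N.0/24 and 1.1.1.N are the thread's placeholders; eth0 is assumed.

# netmap_translate PRIVATE_NET PUBLIC_NET HOST
# Models what 'iptables -t nat -A POSTROUTING -s PRIVATE_NET -j NETMAP --to PUBLIC_NET'
# does to one source address: swap the network part, keep the host part.
# Assumes both networks are /24 so the host part is just the last octet.
netmap_translate() {
    priv_prefix=${1%.*}          # "10.1.1.0/24" -> "10.1.1"
    pub_prefix=${2%.*}           # "1.1.1.0/24"  -> "1.1.1"
    case $3 in
        "$priv_prefix".*) ;;     # host really is inside PRIVATE_NET
        *) echo "$3 is not in $1" >&2; return 1 ;;
    esac
    host=${3##*.}                # "10.1.1.5" -> "5"
    echo "$pub_prefix.$host"     # 10.1.1.5 -> 1.1.1.5 : still 1:1
}

# snat_translate HOST
# Models the effect of one SNAT rule per internal /24: the third octet of the
# internal address selects the public address, the host part is discarded.
snat_translate() {
    rest=${1#*.}                 # "10.1.7.23" -> "1.7.23"
    rest=${rest#*.}              # -> "7.23"
    n=${rest%%.*}                # -> "7"
    echo "1.1.1.$n"              # every host in 10.1.7.0/24 -> 1.1.1.7
}

# snat_rules COUNT [OUT_IF]
# Emit one POSTROUTING SNAT rule per public IP, 10.1.N.0/24 -> 1.1.1.N.
# Rules are printed, not run, so they can be reviewed (or piped to sh as root).
# Restricting with -o keeps the rewrite off traffic that stays internal.
snat_rules() {
    count=$1
    oif=${2:-eth0}               # assumed outgoing interface name
    i=1
    while [ "$i" -le "$count" ]; do
        printf 'iptables -t nat -A POSTROUTING -s 10.1.%d.0/24 -o %s -j SNAT --to-source 1.1.1.%d\n' \
            "$i" "$oif" "$i"
        i=$((i + 1))
    done
}
```

Usage: `snat_rules 3 eth0` prints the three rules for 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24; `netmap_translate 10.1.1.0/24 1.1.1.0/24 10.1.1.5` prints 1.1.1.5 while `snat_translate 10.1.1.5` prints 1.1.1.1, which is the difference Rob is pointing at. If the public block is a contiguous /24 the per-subnet loop is the straightforward answer; a single NETMAP rule would instead need a one-to-one public address for every internal host.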
