* FW: Setting up 1:1 NAT for DMZ (Repost w/o HTML)
@ 2005-01-05 22:02 Spidal, Glen
2005-01-05 22:13 ` Jason Opperisano
0 siblings, 1 reply; 2+ messages in thread
From: Spidal, Glen @ 2005-01-05 22:02 UTC (permalink / raw)
To: netfilter
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Jason Opperisano
Sent: Wednesday, January 05, 2005 11:11 AM
To: netfilter@lists.netfilter.org
Subject: Re: Setting up 1:1 NAT for DMZ (Repost w/o HTML)
On Wed, Jan 05, 2005 at 10:28:12AM -0800, Spidal, Glen wrote:
> Hello all,
>
> I would like some advice on setting up 1:1 incoming and outgoing NAT
> for a block of 13 public IP addresses. I looked at the Patch-O-Matic
> NETMAP command, but it appears it is for an entire subnet. Currently
> the addresses are the same for web and email traffic but that may
> change in the future.
>
> I looked at a sample script and have NATing working for my LAN but not
> my DMZ. Two of the public IPs would be for DNS servers. I added
> eth0:1 but am unsure how to process that public IP from there on.
>> ideally--the addresses are contiguous and the last octet of the public
>> NAT address matches the last octet of the private DMZ address; and you
>> can script it like so:
>>
>> for i in `seq 11 23`; do
>> ip addr add 1.2.3.${i} dev $EXT_IF
>>
>> iptables -t nat -A PREROUTING -i $EXT_IF -d 1.2.3.${i} \
>> -j DNAT --to-destination 10.1.1.${i}
>>
>> iptables -t nat -A POSTROUTING -o $EXT_IF -s 10.1.1.${i} \
>> -j SNAT --to-source 1.2.3.${i}
>> done
>>
>> if the addresses are non-contiguous--you would just need to modify the
>> construct of the for loop, but if the last octet doesn't match (or
>> isn't somehow logically related)--the above loses its value.
>>
>> -j
>>
>> --
>> "I'll be deep in the cold, cold ground before I recognize Missoura!"
>> --The Simpsons
>>
Jason,
Thanks so much. I'm new to bash scripting. In the statement below,
for i in `seq 11 23`;
which digits are the starting point and which ones are the number of
loops?
Also, how do I set the subnet on the public IPs added using the ip add
command in the script? Mine happens to be 255.255.255.192.
-Glen
* Re: FW: Setting up 1:1 NAT for DMZ (Repost w/o HTML)
From: Jason Opperisano @ 2005-01-05 22:13 UTC (permalink / raw)
To: netfilter
On Wed, Jan 05, 2005 at 02:02:06PM -0800, Spidal, Glen wrote:
> Jason,
> Thanks so much. I'm new to bash scripting. In the statement below,
> for i in `seq 11 23`;
> which digits are the starting point and which ones are the number of
> loops?
the `seq 11 23` generates a list starting at 11, stopping at 23. "seq"
is an external linux command.
> Also, how do I set the subnet on the public IPs added using the ip add
> command in the script? Mine happens to be 255.255.255.192.
the "ip addr add 1.2.3.${i} dev $EXT_IF" statements will add the IP
addresses with a /32 mask--which is fine for the purposes of an alias
for NAT. it also keeps the firewall from ever using one of the alias IPs
as a source address when communicating on the locally-attached network.
only your primary IP on $EXT_IF needs to have the /27 mask.
-j
--
"Here we have an ordinary square.
Whoa! Slow down egghead!"
--The Simpsons
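The loop in the reply only works when the public block is contiguous and the last octets line up with the private DMZ addresses. The script below is an added example, not code from the thread or from the netfilter project: it drives the same three commands (the /32 alias, the PREROUTING DNAT and the POSTROUTING SNAT) from an explicit public/private table, so non-contiguous blocks and mismatched last octets work as well, and it validates every entry before emitting anything. It assumes EXT_IF is eth0 and uses constructed sample addresses in the thread's 1.2.3.x / 10.1.1.x notation; it prints the commands instead of running them, so they can be reviewed and then applied by piping the output to sh on the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates 1:1 NAT rules from an
# explicit public->private table instead of a seq loop, which covers the
# "modify the construct of the for loop" case: non-contiguous public
# addresses and last octets that do not match. Commands are printed, not
# executed; pipe the output to sh to apply them.
# Assumptions: EXT_IF is the external interface (eth0 here); every address
# below is a constructed sample in the thread's 1.2.3.x / 10.1.1.x notation.

EXT_IF="${EXT_IF:-eth0}"

# Constructed mapping table, one "public private" pair per line.
# 1.2.3.20 -> 10.1.1.13 and 1.2.3.30 -> 10.1.1.40 are deliberately
# non-contiguous with mismatched last octets.
NAT_MAP="
1.2.3.11 10.1.1.11
1.2.3.12 10.1.1.12
1.2.3.20 10.1.1.13
1.2.3.30 10.1.1.40
"

# is_ipv4 ADDR: succeed only for exactly four dotted decimal octets, each
# in 0..255. A typo in the table would otherwise become a NAT rule that
# matches nothing, or the wrong host, so entries are checked first.
is_ipv4() {
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# nat_rules PUBLIC PRIVATE: print the three commands for one pair.
# The alias is added with a /32 mask, as the reply explains: it is only a
# NAT alias and must never be chosen as a source address for on-link
# traffic; only the primary address on $EXT_IF carries the real netmask.
nat_rules() {
    pub="$1"; priv="$2"
    printf 'ip addr add %s/32 dev %s\n' "$pub" "$EXT_IF"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$pub" "$priv"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$priv" "$pub"
}

# all_rules: validate every pair in NAT_MAP, then print the rules for all
# of them. Returns 1 and prints no rules if any entry is malformed, so a
# bad table never yields a half-applied rule set.
all_rules() {
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        if [ -n "$pub" ] && ! { is_ipv4 "$pub" && is_ipv4 "$priv"; }; then
            printf 'bad entry: %s %s\n' "$pub" "$priv" >&2
            exit 1
        fi
    done || return 1
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        if [ -n "$pub" ]; then
            nat_rules "$pub" "$priv"
        fi
    done
}

# Dry run: print the generated rules for review.
all_rules
```

The nat table only rewrites addresses; whether a packet is then allowed through to 10.1.1.x is decided by the filter table's FORWARD chain, so each DNAT target should be paired with FORWARD rules limited to the services that host is meant to expose (web, mail and DNS in this thread). Keeping the mapping in one table also makes it easy to audit which public address reaches which DMZ host once the layout changes.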