From: Stephen Clark <sclark46@earthlink.net>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: NAT question
Date: Wed, 25 Jan 2012 12:28:39 -0500
Message-ID: <4F203BC7.6090708@earthlink.net>
In-Reply-To: <1327510327.2425.75.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC>
On 01/25/2012 11:52 AM, Eric Dumazet wrote:
> On Wednesday, 25 January 2012 at 10:54 -0500, Stephen Clark wrote:
>
>> Can iptables do a network to network NAT without having to write out a
>> bunch of NAT rules? In other words, translate 192.168.198.0/24 to
>> 172.16.10.0/24 without having to write out 256 rules.
>>
>> Also, can iptables handle 1000 NAT rules like the above, if they have to be
>> written out, on a 1.66 GHz Intel dual core Atom with 1 GB of memory?
>>
>> I know this isn't an appropriate question for the devel list, but I didn't
>> find anything googling.
>>
>> Thanks,
>>
>>
> If you are forced to use 256 rules, you could split them into 16 tables
> of 16 rules and do a hash split.
>
> Since these rules are run only for new connections, it might be OK
> performance wise, depending on rate of connection establishment.
>
> If not, you can try NETMAP :)
>
> # iptables -t nat -A POSTROUTING -s 192.168.198.0/24 -j NETMAP --to 172.16.10.0/24
>
> # iptables -t nat -nvL POSTROUTING
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 NETMAP     all  --  *      *       192.168.198.0/24     0.0.0.0/0            172.16.10.0/24
>
>
Thanks Eric,
I assume I need an additional rule like this to translate in the other
direction?

iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -j NETMAP --to 198.168.198.0/24

iptables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   15  2535 NETMAP     all  --  *      *       192.168.198.0/24     0.0.0.0/0            172.16.10.0/24
    0     0 NETMAP     all  --  *      *       172.16.10.0/24       0.0.0.0/0            198.168.198.0/24
Also, now that I am clued in to NETMAP, I found this example:

iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j NETMAP --to 10.5.6.0/24

using mangle and PREROUTING - does it matter?
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
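An added example, not part of the thread: a small POSIX shell emulation of the address arithmetic the NETMAP target performs, useful for checking a mapping offline before loading rules. NETMAP keeps the host bits of the original address and swaps in the network bits of the --to prefix, so with the rule from the thread 192.168.198.7 becomes 172.16.10.7; the function names and the sample addresses are this example's own.

```shell
#!/bin/sh
# Emulate the address rewrite of the iptables NETMAP target (added example).
# netmap ADDR TARGET_NET/PREFIX -> ADDR with its network part replaced.

ip2int() {
    # dotted quad -> 32-bit integer
    oldIFS=$IFS
    IFS=.
    set -- $1
    IFS=$oldIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

netmap() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    plen=${2#*/}
    # host mask: the low (32 - plen) bits; network mask: everything above them
    hostmask=$(( (1 << (32 - plen)) - 1 ))
    netmask=$(( 0xFFFFFFFF & ~hostmask ))
    int2ip $(( (net & netmask) | (addr & hostmask) ))
}

# Constructed sample: the POSTROUTING rule from the thread, applied to one host,
# and the same prefix mapped back the other way.
netmap 192.168.198.7 172.16.10.0/24     # 172.16.10.7
netmap 172.16.10.200 192.168.198.0/24   # 192.168.198.200
```

Reply packets of a connection are reversed by conntrack automatically, so the emulation shows what a single rule does to the packet that creates the conntrack entry.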