* mixing static and dynamic mappings
From: Patrick Conlin @ 2002-06-08 1:38 UTC (permalink / raw)
To: netfilter
seeking advice...
i have a /29 range of public ips from my isp. all but one of the ip
addresses are taken up by static mappings (servers of various
functions/domains) to addresses on my 10.1.1.0/24 internal network. what
i'd like to do with the remaining public ip address is use it as a sort
of MASQUERADE ip address for all remaining non-server machines on the
network (so the machines on the network that aren't servers can all
share an ip for internet access). i've got a dhcp server set up that's
dishing out internal ips in the 10.1.1.200-240 range only, so i'm
wondering if i could do something like:
iptables -t nat -A POSTROUTING -s 10.1.1.200-10.1.1.240 -j SNAT
--to-source 207.224.76.205
and combine it with state ESTABLISHED
somehow so that just that range of ips gets a pnat-style translation for
basic browsing, etc.
unfortunately the basic iptables command above just gives an error, as
it should. i'm pretty sure i'm going about this the wrong way, so would
greatly appreciate anyone's suggestions!
thanks a lot,
-=p=-
* Re: mixing static and dynamic mappings
From: Antony Stone @ 2002-06-08 9:39 UTC (permalink / raw)
To: netfilter
On Saturday 08 June 2002 2:38 am, Patrick Conlin wrote:
> i have a /29 range of public ips from my isp. all but one of the ip
> addresses are taken up by static mappings (servers of various
> functions/domains) to addresses on my 10.1.1.0/24 internal network.
> what i'd like to do with the remaining public ip address is use it as a sort
> of MASQUERADE ip address for all remaining non-server machines on the
> network
> I'm wondering if i could do something like:
>
> iptables -t nat -A POSTROUTING -s 10.1.1.200-10.1.1.240 -j SNAT
> --to-source 207.224.76.205
>
> and combine it with state ESTABLISHED
>
> somehow so that just that range of ips gets a pnat-style translation for
> basic browsing, etc.
>
> unfortunately the basic iptables command above just gives an error, as
> it should. i'm pretty sure i'm going about this the wrong way, so would
> greatly appreciate anyone's suggestions!
Netfilter won't accept an arbitrary "from-to" IP address range - the only way
you can specify a range is with "base IP/masklength", so you'd have to be
able to specify the range you want as 10.1.1.200/27 (or something - I haven't
checked to see if this is a sensible specification, so it almost certainly
isn't).
However, you may not know that you might not need to bother specifying a
range.
Netfilter can quite happily deal with:
a) masquerading machines behind an already-used address for some other service
(it automagically makes sure that masquerade port numbers are chosen not to
conflict with anything else already mapped onto that address)
b) multiple SNAT rules, where you specify your servers by source address
first, and then anything which hasn't already been matched (and had its
source address changed) matches on the last rule
e.g.:
iptables -A POSTROUTING -t nat -s server1 -j SNAT --to ext1
iptables -A POSTROUTING -t nat -s server2 -j SNAT --to ext2
iptables -A POSTROUTING -t nat -s server3 -j SNAT --to ext3
iptables -A POSTROUTING -t nat -j SNAT ext4
will map anything which isn't server1, server2 or server3 onto ext4
Therefore you can do what you want without actually having to specify the
address range :-)
Antony.
* Re: mixing static and dynamic mappings
From: Antony Stone @ 2002-06-08 10:31 UTC (permalink / raw)
To: netfilter
On Saturday 08 June 2002 10:39 am, Antony Stone wrote:
> iptables -A POSTROUTING -t nat -s server1 -j SNAT --to ext1
> iptables -A POSTROUTING -t nat -s server2 -j SNAT --to ext2
> iptables -A POSTROUTING -t nat -s server3 -j SNAT --to ext3
> iptables -A POSTROUTING -t nat -j SNAT ext4
>
> will map anything which isn't server1, server2 or server3 onto ext4
Oops! Sorry - I got that last line wrong - it should still specify that
the source address is somewhere in your internal range, otherwise it'll just
SNAT everything !!!
This is the correct example:
iptables -A POSTROUTING -t nat -s 192.168.1.10 -j SNAT --to ext1IP
iptables -A POSTROUTING -t nat -s 192.168.1.16 -j SNAT --to ext2IP
iptables -A POSTROUTING -t nat -s 192.168.1.55 -j SNAT --to ext3IP
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -j SNAT --to ext4IP
Antony.
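The two points Antony makes (the chain is evaluated first-match, so the per-server SNAT rules go first and a source-restricted catch-all goes last; and a "from-to" range is not a single prefix) can be checked offline. The following is an added example written for this page, not code from the thread: it summarizes the OP's 10.1.1.200-10.1.1.240 range into the CIDR blocks it would actually need, and simulates POSTROUTING first-match evaluation over the corrected rule set. The internal addresses follow Antony's corrected example; the external addresses (203.0.113.x) and the outside address 198.51.100.5 are constructed placeholders from the documentation ranges.

```python
import ipaddress

# Constructed placeholders: three servers with their own public IPs, plus
# one shared public IP for everything else on the internal /24.
STATIC_MAP = {
    "192.168.1.10": "203.0.113.1",
    "192.168.1.16": "203.0.113.2",
    "192.168.1.55": "203.0.113.3",
}
INTERNAL_NET = "192.168.1.0/24"
SHARED_IP = "203.0.113.4"


def cidrs_for_range(first, last):
    """CIDR blocks covering first..last inclusive.

    Netfilter matches -s on prefix/length, so a range like the OP's
    10.1.1.200-10.1.1.240 has to be expressed as several rules.
    """
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def normalize(prefix):
    """Canonical form of a prefix: 10.1.1.200/27 really means 10.1.1.192/27."""
    return str(ipaddress.ip_network(prefix, strict=False))


def build_rules(static_map, catch_all_src, shared_ip):
    """Ordered POSTROUTING rules: (source match or None for 'any', external IP).

    catch_all_src=None reproduces the mistake Antony corrected: a last rule
    with no -s, which SNATs every packet leaving the box.
    """
    rules = [(host, ext) for host, ext in static_map.items()]
    rules.append((catch_all_src, shared_ip))
    return rules


def snat_for(src, rules):
    """First-match evaluation of the chain; None means no rule matched."""
    addr = ipaddress.ip_address(src)
    for match, ext in rules:
        if match is None or addr in ipaddress.ip_network(match, strict=False):
            return ext
    return None  # packet leaves with its original source address


def render(rules):
    """The iptables commands the rule list corresponds to (not executed here)."""
    lines = []
    for match, ext in rules:
        src = f" -s {match}" if match else ""
        lines.append(f"iptables -t nat -A POSTROUTING{src} -j SNAT --to-source {ext}")
    return lines


GOOD = build_rules(STATIC_MAP, INTERNAL_NET, SHARED_IP)
BAD = build_rules(STATIC_MAP, None, SHARED_IP)

if __name__ == "__main__":
    print("10.1.1.200-10.1.1.240 needs:", cidrs_for_range("10.1.1.200", "10.1.1.240"))
    for line in render(GOOD):
        print(line)
    for src in ("192.168.1.16", "192.168.1.77", "198.51.100.5"):
        print(src, "-> good:", snat_for(src, GOOD), " bad:", snat_for(src, BAD))
```

Running it shows the range needs four prefixes (/29, /28, /28, /32), that a server address hits its own rule while any other internal host falls through to the shared address, and that an address outside the internal network is left untouched by the corrected set but rewritten by the unrestricted catch-all. Reversing the rule order makes the catch-all win for the servers too, which is why the specific rules have to come first.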