From: Andrew Beverley <andy@andybev.com>
To: Anton Melser <anton@linux.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Advice on best way to set up multi-route NAT for lots of IPs
Date: Thu, 05 Jan 2012 07:35:24 +0000
Message-ID: <1325748924.2270.334.camel@andybev-desktop>
In-Reply-To: <CAKywjPrbjoLhcvPXVYg+8kZ53rPRJ5+dhePx4FB=OkpNjqUGxw@mail.gmail.com>

On Sun, 2012-01-01 at 17:10 +0100, Anton Melser wrote:
> Hi,
> I am very new to iptables but have been trying hard to learn as much
> as I can... I have a reasonably simple need but performance might
> quickly become an issue so would like some advice on the best way to
> go forward.
> So, I have around 1600 public IPs in 4 blocks (3 x /23 + /25 on
> different ISPs). I have a certain number of machines (somewhere from 3
> to 8, needs to be variable and changeable without FW reconfiguration),
> and each one needs to be able to send email from each external IP (and
> needs to be able to do this deterministically). The only traffic
> should be to port 25 on the external destination IPs - the machines
> are only sending email, never receiving, so AFAICT everything can be
> closed inbound (at least for NEW).
> I thought that the best way to go would be to set up NAT using blocks
> in the 10.0.0.0 range. So say for each external IP I would have a /24,
> giving me up to 250-odd potential internal machines. So 10.1.1.1,
> 10.1.1.2, 10.1.1.3, etc. would map to 1.1.1.1; 10.1.2.1, 10.1.2.2,
> 10.1.2.3, etc. would map to 1.1.1.2, etc.
> I have been reading as many sites as I can but I can't work out the
> best way to go forward.

So you have something like:

Server A ----|
             |
Server B ----|
             |-----> Linux router ----> Internet
Server C ----|
             |
Server D ----|

Correct? And it's the Linux router you're asking about?

> 
> AFAICT the best way to do this is with iptables SNAT - is that the
> case?

I think the main question is: how does the Linux router know which IP
address that the mail should be sent from? Server A/B/C/D somehow need
to pass this information on. This can't be done with fwmarks, because
they aren't retained on packets between servers.

>  It's not 1 to 1 so it needs to be stateful, and can't be done
> with just iproute2 stuff - am I correct in my understanding?

You might be able to do this with iproute2, but it depends on the answer
to the above.

> 
> There seem to be many different ways I could do this in terms of
> routing - at least by source IP, TOS, and fwmark.

I'm going to guess that source IP is the only option. So can you set the
source IP from each server depending on its eventual external IP
address?

Andy


