* NAT with two external IP numbers
@ 2006-11-16 12:37 Mogens Kjaer
2006-11-16 16:32 ` former03 | Baltasar Cevc
0 siblings, 1 reply; 3+ messages in thread
From: Mogens Kjaer @ 2006-11-16 12:37 UTC (permalink / raw)
To: Netfilter (E-mail)
I'm trying to solve a problem:
We have now:
Internal network: 172.20.0.0/16
External network: 130.226.184.38
This works without problems running a Linux
box with iptables and MASQUERADING
The problem is, that due to a license agreement
(online journal access), some of our users on
the 172.20.0.0 network must have access, and some
don't.
My idea was:
Give the linux box two IP numbers externally,
e.g. 130.226.184.38 and 130.226.184.39, register
130.226.184.38 with the journal, change the
internal IP numbers so that:
172.20.0.0/17 has access
172.20.128.0/17 does not have access
So I want 172.20.0.1 - 172.20.127.255 to be
masqueraded as 130.226.184.38 externally,
and 172.20.128.0 - 172.20.255.254 to be
masqueraded as 130.226.184.39
I've tried adding two IP numbers externally:
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:02:55:11:EF:03
inet addr:130.226.184.38 Bcast:130.226.184.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1774 errors:0 dropped:0 overruns:0 frame:0
TX packets:2543 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:298539 (291.5 KiB) TX bytes:237100 (231.5 KiB)
eth0:1 Link encap:Ethernet HWaddr 00:02:55:11:EF:03
inet addr:130.226.184.39 Bcast:130.226.184.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
and use the following when setting up masquerading:
/sbin/iptables -t nat -A POSTROUTING -s 172.20.0.0/17 -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 172.20.128.0/17 -o eth0:1 -j
MASQUERADE
but it doesn't work. Packages comming from 172.20.128.0 addresses
does not get their source address changed, e.g. if I ping another
machine on the 130.226.184.x network from the 172.20.128.x network,
the machine will receive packets with a 172.20.128.x from address,
not 130.226.184.39
How do I solve this problem?
Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk@crc.dk Homepage: http://www.crc.dk
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: NAT with two external IP numbers
2006-11-16 12:37 NAT with two external IP numbers Mogens Kjaer
@ 2006-11-16 16:32 ` former03 | Baltasar Cevc
2006-11-17 7:24 ` Mogens Kjaer
0 siblings, 1 reply; 3+ messages in thread
From: former03 | Baltasar Cevc @ 2006-11-16 16:32 UTC (permalink / raw)
To: Mogens Kjaer; +Cc: Netfilter (E-mail)
Hi Mogens,
> Give the linux box two IP numbers externally,
> e.g. 130.226.184.38 and 130.226.184.39, register
> 130.226.184.38 with the journal, change the
> internal IP numbers so that:
>
> [...]
>
> /sbin/iptables -t nat -A POSTROUTING -s 172.20.0.0/17 -o eth0 -j
> MASQUERADE
> /sbin/iptables -t nat -A POSTROUTING -s 172.20.128.0/17 -o eth0:1 -j
> MASQUERADE
eth0:1 is not a real interface so no packets can go out there. It would
be
good if iptables would throw an error, but probably it's hard for the
software
to tell what are 'real' interfaces.
You must use the SNAT target to achieve what you want:
/sbin/iptables -t nat -A POSTROUTING -s 172.20.0.0/17 -o eth0 -j SNAT
--to 130.226.184.38
/sbin/iptables -t nat -A POSTROUTING -s 172.20.128.0/17 -o eth0 -j SNAT
--to 130.226.184.39
(Please note that both rules use eth0 as that's the interface where the
packets
go out).
Hope that helps,
Baltasar
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: NAT with two external IP numbers
2006-11-16 16:32 ` former03 | Baltasar Cevc
@ 2006-11-17 7:24 ` Mogens Kjaer
0 siblings, 0 replies; 3+ messages in thread
From: Mogens Kjaer @ 2006-11-17 7:24 UTC (permalink / raw)
To: Netfilter (E-mail)
former03 | Baltasar Cevc wrote:
> Hi Mogens,
>
>> Give the linux box two IP numbers externally,
>> e.g. 130.226.184.38 and 130.226.184.39, register
>> 130.226.184.38 with the journal, change the
>> internal IP numbers so that:
>>
> > [...]
>>
>> /sbin/iptables -t nat -A POSTROUTING -s 172.20.0.0/17 -o eth0 -j
>> MASQUERADE
>> /sbin/iptables -t nat -A POSTROUTING -s 172.20.128.0/17 -o eth0:1 -j
>> MASQUERADE
>
> eth0:1 is not a real interface so no packets can go out there. It would be
> good if iptables would throw an error, but probably it's hard for the
> software
> to tell what are 'real' interfaces.
>
> You must use the SNAT target to achieve what you want:
> /sbin/iptables -t nat -A POSTROUTING -s 172.20.0.0/17 -o eth0 -j SNAT
> --to 130.226.184.38
> /sbin/iptables -t nat -A POSTROUTING -s 172.20.128.0/17 -o eth0 -j SNAT
> --to 130.226.184.39
Thanks! It works.
iptables did give me a warning about eth0:1, but an "iptables -t nat -L"
did show that the command was accepted.
Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk@crc.dk Homepage: http://www.crc.dk
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-11-17 7:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-16 12:37 NAT with two external IP numbers Mogens Kjaer
2006-11-16 16:32 ` former03 | Baltasar Cevc
2006-11-17 7:24 ` Mogens Kjaer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox