Linux Netfilter discussions
From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: NAT
Date: Tue, 03 Jul 2007 02:27:02 -0500
Message-ID: <4689FA46.2030307@riverviewtech.net>
In-Reply-To: <e208f5d10707022352j39395f6awc172a563a8b0d4@mail.gmail.com>

On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> I'm going to setup a bridged NAT linux box for many users. I want one 
> outside IP address to serve for instance 10.0.0.0/22.

Why do this with bridging?  If you have a 10.0.0.0/22 network like you 
say, it is private and thus not globally routable.  So, to reach the 
internet you will have to NAT to a globally routable IP.  Thus you have 
a private subnet and a public subnet which is an ideal environment for a 
layer 3 router.  Even if you are not going to a public IP but rather 
another private IP, the same scenario holds true.

Or are you for some reason wanting to perform a layer 3 function on 
layer 2?  If so, can I ask why?

> I want to be sure that each local IP address always has 1024 NAT 
> sessions available and that sessions are kept even if the timeout is 
> reached. If 1024 sessions are reached and a new session is being 
> established then it will take over the oldest (timed out) session.

I'm not sure that you will be able to specify how many NAT sessions each 
system will have and / or how to control the expiration thereof.  I do 
know that you will have (or did have to in previous kernels) to have a 
fair amount of RAM for the connection tracking table to not wrap on a 
network of that size.

> Is this possible with iptables?

The first part of what you want to do (layer 2 or layer 3) NATing, yes.

As far as controlling how many sessions are reserved / maintained even 
beyond timeouts, I don't know.  I'm betting not, especially to the latter.



Grant. . . .
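The layer 3 setup Grant recommends, plus the conntrack sizing question he raises, as an added example that is not part of the thread: a script that emits (without applying) the iptables rules to SNAT 10.0.0.0/22 behind one public address, and works out how many connection tracking entries that subnet needs if every host may hold 1024 sessions. The interface names, the public address (an RFC 5737 documentation address) and the per-entry memory figures are assumptions for illustration, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Generate NAT rules for a
# layer-3 router in front of 10.0.0.0/22 and estimate conntrack sizing.

LAN_NET="10.0.0.0/22"      # private subnet from the thread
WAN_IF="eth0"              # assumed: public-facing interface
LAN_IF="eth1"              # assumed: LAN-facing interface
PUBLIC_IP="203.0.113.10"   # assumed: the single public address (RFC 5737)

# Emit the rule set on stdout; review it, then pipe to `sh` as root to apply.
# SNAT (rather than MASQUERADE) is used because the public address is fixed.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Usable host addresses in a CIDR prefix (network and broadcast excluded).
usable_hosts() {
    prefix=${1#*/}
    echo $(( (1 << (32 - prefix)) - 2 ))
}

# Conntrack entries needed when every host may hold $2 sessions at once.
conntrack_entries() {
    echo $(( $(usable_hosts "$1") * $2 ))
}

# Rough RAM estimate in KiB for a conntrack table of $1 entries.
# Assumed sizes: ~300 bytes per entry and an 8-byte hash bucket for every
# 8 entries (the traditional hashsize = nf_conntrack_max / 8 ratio).
conntrack_kib() {
    entries=$1
    echo $(( (entries * 300 + (entries / 8) * 8) / 1024 ))
}

# Suggested sysctl lines for the computed table size (emitted, not applied).
conntrack_sysctl() {
    entries=$(conntrack_entries "$LAN_NET" "$1")
    echo "net.netfilter.nf_conntrack_max = $entries"
    echo "# hashsize: echo $(( entries / 8 )) > /sys/module/nf_conntrack/parameters/hashsize"
}

nat_rules
conntrack_sysctl 1024
echo "# estimated conntrack RAM: $(conntrack_kib "$(conntrack_entries "$LAN_NET" 1024)") KiB"
```

For the /22 in question this works out to 1022 hosts times 1024 sessions, a little over one million conntrack entries, which is why the RAM concern is real on a box of that size. Two caveats a practitioner should keep in mind: a single public IPv4 address has only about 64k source ports per protocol, but SNAT reuses a source port for different destination tuples, so the per-destination port pool, not the global table, is usually the first thing to run out; and the per-host guarantee Martin asks for is not something the SNAT target provides, so nothing here reserves sessions per local address.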


Thread overview:
2007-07-03  6:52 NAT Martin Schiøtz
2007-07-03  7:27 ` Grant Taylor [this message]
2007-07-03  7:55   ` NAT Martin Schiøtz
2007-07-03 14:29     ` NAT Robert LeBlanc
2007-07-30 14:11       ` check a simple set of rules richard
