From: Robert LeBlanc <robert@leblancnet.us>
To: "Martin Schiøtz" <malinux@gmail.com>
Cc: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: NAT
Date: Tue, 03 Jul 2007 08:29:46 -0600
Message-ID: <C2AFB97A.1D36E%robert@leblancnet.us>
In-Reply-To: <e208f5d10707030055u69eef541qfe52bb0c3add3332@mail.gmail.com>
On 7/3/07 1:55 AM, "Martin Schiøtz" <malinux@gmail.com> wrote:
> On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
>> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
>>> I'm going to setup a bridged NAT linux box for many users. I want one
>>> outside IP address to serve for instance 10.0.0.0/22.
>>
>> Why do this with bridging? If you have a 10.0.0.0/22 network like you
>> say, it is private and thus not globally routable. So, to reach the
>> internet you will have to NAT to a globally routable IP. Thus you have
>> a private subnet and a public subnet which is an ideal environment for a
>> layer 3 router. Even if you are not going to a public IP but rather
>> another private IP, the same scenario holds true.
>>
>> Or are you for some reason wanting to perform a layer 3 function on
>> layer 2? If so, can I ask why?
>
> Ok, I think you're right here.
>
>>
>>> I want to be sure that each local IP address always has 1024 NAT
>>> sessions available and that sessions are kept even if the timeout is
>>> reached. If 1024 sessions are reached and a new session is being
>>> established then it will take over the oldest (timed out) session.
>>
>> I'm not sure that you will be able to specify how many NAT sessions each
>> system will have and / or how to control the expiration thereof. I do
>> know that you will have (or did have to in previous kernels) to have a
>> fair amount of RAM for the connection tracking table to not wrap on a
>> network of that size.
>>
>>> Is this possible with iptables?
>>
>> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>>
>> As far as controlling how many sessions are reserved / maintained even
>> beyond timeouts, I don't know. I'm betting not, especially to the latter.
>>
>
> I guess the question was more about controlling the number of NAT
> sessions per local IP address?
If you give iptables a range, it will try to do as little port mangling as
possible, so I believe it will try to hold onto connections as long as
possible. We saw quite a performance when we moved our 100 users from one
NATted address to 64. I guess the mangling made that much of a difference.
Robert LeBlanc
BioAg Computer Support
Brigham Young University
leblanc@byu.edu
(801)422-1882
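The per-host session count Martin asks about is not something iptables enforces, but it can be observed from the conntrack table. The following is an added example, not code from this thread or from netfilter: a POSIX shell script that counts tracked sessions per internal source host inside a CIDR block, run here over constructed entries in /proc/net/nf_conntrack text format (the functions sessions_per_source and hosts_over and the sample addresses are the example's own).

```shell
#!/bin/sh
# Added example (not from the thread): count tracked conntrack sessions per
# internal source host inside a CIDR block, in /proc/net/nf_conntrack format.

# Constructed sample entries: two hosts inside 10.0.0.0/22, one host outside it.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.1.5 dst=198.51.100.10 sport=40001 dport=443 src=198.51.100.10 dst=203.0.113.2 sport=443 dport=40001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.1.5 dst=198.51.100.11 sport=40002 dport=80 src=198.51.100.11 dst=203.0.113.2 sport=80 dport=40002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.2.9 dst=198.51.100.53 sport=53000 dport=53 src=198.51.100.53 dst=203.0.113.2 sport=53 dport=53000 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.7.3 dst=198.51.100.10 sport=40003 dport=443 src=198.51.100.10 dst=203.0.113.2 sport=443 dport=40003 [ASSURED] mark=0 zone=0 use=2'

# sessions_per_source CIDR: reads conntrack lines on stdin, prints "host count"
# sorted by count (descending). Only the first src= on each line is used: that
# is the original direction, i.e. the internal host before SNAT rewrote it.
sessions_per_source() {
    awk -v cidr="$1" '
        function ip2int(ip,  o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            blk = 2 ^ (32 - c[2])                # host addresses per block
            net = int(ip2int(c[1]) / blk)        # block index of the network
        }
        {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { src = substr($i, 5); break }
            if (src != "" && int(ip2int(src) / blk) == net) count[src]++
        }
        END { for (s in count) print s, count[s] }
    ' | sort -k2,2nr -k1,1
}

# hosts_over LIMIT CIDR: hosts in CIDR holding more than LIMIT sessions.
hosts_over() {
    limit="$1"; cidr="$2"
    sessions_per_source "$cidr" | awk -v l="$limit" '$2 > l { print $1 }'
}

# Live use: sessions_per_source 10.0.0.0/22 < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | sessions_per_source 10.0.0.0/22
```

Against the constructed sample, the /22 filter excludes 10.0.7.3 and reports 10.0.1.5 with 2 sessions and 10.0.2.9 with 1; feeding hosts_over a limit such as 1024 on the live table flags hosts at the ceiling Martin wanted to reserve.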