[vox-tech] bridging subnets
Jeff Newmiller
vox-tech@lists.lugod.org
Tue, 14 Jan 2003 00:49:25 -0800 (PST)
On Mon, 13 Jan 2003, Joel Baumert wrote:
> You could have all of the computers with 192.* addresses
> and have the Linux box using ipchains or iptables
> translate any packet on the external address to an
> internal address... i.e.
>
> 201.123.32.12 <-> 192.168.1.12
> 201.123.32.13 <-> 192.168.1.13
> 201.123.32.14 <-> 192.168.1.14
> 201.123.32.15 <-> 192.168.1.15
> 201.123.32.16 <-> NAT
> ...
> NAT <-> 192.168.0.2
> NAT <-> 192.168.0.3
> NAT <-> 192.168.0.4
> ...
>
> You can try out this script... It may even work :-). The
> masquerading should be correct, but the ip mappings may not
> be and I don't really have a good setup to try them. There
> is probably someone better with iptables to give you a better
> answer. The final script is probably more complicated, but
> this might give you something to start with.
>
> You would configure everyone with a 255.255.0.0 netmask with
> the Linux box with 201.123.32.16 and 192.168.0.1 for addresses.
The dnat idea is a good one (assuming you are running kernel 2.4), except
that you DON'T WANT TO DO IT TO YOUR INTERNAL NETWORK.
External servers should be put into a DMZ network. Data connectivity
between internal network and DMZ should originate from the internal
network only, to prevent a cracker from plowing through your network one
system at a time.
See http://linuxjournal.com/article.php?sid=4415, for example.
>
> Joel
>
>
> #
> # iptables.
> #
>
> modprobe iptable_nat
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # flush both nat chains so re-running the script does not append duplicates
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
>
> # incoming packets are matched on their destination (the public address),
> # not their source, and the DNAT target takes --to-destination
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.12 -j DNAT --to-destination 192.168.1.12
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.13 -j DNAT --to-destination 192.168.1.13
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.14 -j DNAT --to-destination 192.168.1.14
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.15 -j DNAT --to-destination 192.168.1.15
>
>
> On Mon, Jan 13, 2003 at 03:31:59PM -0800, Ken Bloom wrote:
> > I'm inventing some random numbers (they're not even valid IP
> > addresses) to explain the problem better
> >
> > The following computers are connected via hub to the DSL modem:
> > 201.123.321.12
> > 201.123.321.13
> > 201.123.321.14
> > 201.123.321.15
> > 201.123.321.16 (eth0) / 192.168.0.1 (eth1)
> > 192.168.0.2
> > 192.168.0.3
> >
> > What can be done so that the 201.123.321.* computers can see the
> > 192.168.0.* computers? Bear in mind that these computers are not
> > necessarily all Linux computers, but that we know
> > 201.123.321.16/192.168.0.1 is a Linux computer.
> >
> >
> > > ---ORIGINAL MESSAGE---
> > > From: Rod Roark <rod@sunsetsystems.com>
> > > Organization: Sunset Systems
> > > To: vox-tech@lists.lugod.org
> > > Subject: Re: [vox-tech] bridging subnets
> > > Date: Mon, 13 Jan 2003 06:53:57 -0800
> > > Reply-To: vox-tech@lists.lugod.org
> > >
> > > I'm surely being dense, but I don't understand what you
> > > mean. What are the subnets in question?
> > >
> > > Here's a thought that may or may not apply. Perhaps you
> > > can put all the machines on a single LAN behind the Linux
> > > firewall. Note that you can assign all 5 external IP's to
> > > this Linux box and then port-forward (with iptables) to
> > > other machines depending on the destination IP address
> > > (and/or port number) of incoming packets.
> > >
> >
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech
>
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<jdnewmil@dcn.davis.ca.us> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
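An added example, not code from the thread, of the arrangement Jeff describes: the public addresses are DNAT'd to servers on a separate DMZ segment, and the FORWARD chain lets the internal LAN open connections into the DMZ while the DMZ can open none back. Interface names (eth0/eth1/eth2), the DMZ subnet and the public-to-DMZ mapping are assumptions; the script prints the rule set by default so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not from the thread: a router with three interfaces, along the
# lines of the DMZ arrangement suggested above. Interface names, the DMZ subnet
# and the DMZ hosts are assumptions; the public addresses are the thread's.
EXT_IF=eth0              # toward the DSL modem, carries the public addresses
INT_IF=eth1              # internal LAN
DMZ_IF=eth2              # DMZ, where the externally reachable servers live
INT_NET=192.168.0.0/24
DMZ_NET=192.168.1.0/24

# public address -> DMZ host, one mapping per line (constructed sample)
PUBLIC_MAP="201.123.32.12 192.168.1.12
201.123.32.13 192.168.1.13"

# Print the rule set instead of loading it, so it can be reviewed (or diffed) first.
gen_rules() {
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  echo "iptables -P FORWARD DROP"
  echo "iptables -F FORWARD"
  echo "iptables -t nat -F PREROUTING"
  echo "iptables -t nat -F POSTROUTING"
  # Replies for connections already accepted may flow in either direction.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Only the internal LAN may open connections into the DMZ or to the outside.
  echo "iptables -A FORWARD -i $INT_IF -o $DMZ_IF -s $INT_NET -d $DMZ_NET -m state --state NEW -j ACCEPT"
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT"
  # A compromised DMZ host gets no path into the internal LAN; log attempts.
  echo "iptables -A FORWARD -i $DMZ_IF -o $INT_IF -m state --state NEW -j LOG --log-prefix 'dmz-to-int: '"
  echo "iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP"
  # Internal hosts share the router's public address on the way out.
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE"
  # One public address per DMZ host: match on the destination address (not -s)
  # and forward only what was translated to that host.
  echo "$PUBLIC_MAP" | while read -r pub dmz; do
    [ -n "$pub" ] || continue
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $dmz"
    echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $dmz -m state --state NEW -j ACCEPT"
  done
}

# Load the generated rules (needs root): ./script apply
apply_rules() { gen_rules | sh -e; }

case "${1:-print}" in apply) apply_rules ;; *) gen_rules ;; esac
```

DMZ hosts that must initiate their own outbound connections would additionally need SNAT back to their public address in POSTROUTING; that is left out here.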