(no subject)
Jason Pappas
jpappas@sharemedia.com
Tue, 17 Jul 2001 14:07:51 -0400
This is a little script we use to add nat entries.
Our network.
Public IP range 111.222.333.32-63 (255.255.255.224)
Address of Firewall outside interface: 192.168.1.2
Private IP range 10.1.0.0/16
It's sort of a weird setup in that the public IP addresses are routed
through the firewall and the interface of the firewall does not specifically
have a public address. Instead, everything is done through NAT. (It wasn't
my decision to route it that way. I just had to configure the firewall.)
I hope this script helps. This script is coupled with a separate script for
our firewall rules. This just does our nat.
-- start script --
#!/bin/sh
# Small lil' script to do nat.

# new_nat <inside address> <outside address>
# Adds a one-to-one mapping: DNAT for traffic sent to the outside address,
# SNAT for traffic from the inside address leaving through eth0.
new_nat ()
{
    if [ $# -lt 2 ]
    then
        echo "$0: Not enough parameters" >&2
        return 1
    fi
    INADDR="$1"
    OUTADDR="$2"
    /sbin/iptables -t nat -A PREROUTING -d "$OUTADDR" -j DNAT --to-destination "$INADDR" -v
    /sbin/iptables -t nat -A POSTROUTING -s "$INADDR" -o eth0 -j SNAT --to-source "$OUTADDR" -v
}

# Flush the nat table before adding the entries
/sbin/iptables -F -t nat -v
new_nat 10.1.1.8 111.22.333.33
new_nat 10.1.1.13 111.22.333.34
new_nat 10.1.1.18 111.22.333.35
new_nat 10.1.1.254 111.22.333.36
new_nat 10.1.1.215 111.222.333.41
new_nat 10.1.1.218 111.222.333.42
new_nat 10.1.1.109 111.222.333.44
new_nat 192.168.1.2 111.222.333.40 # Scylla Outside interface
# Make all outbound connections appear as real addresses
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT -v
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -v
# Create a default NAT Pool
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j SNAT --to-source 111.222.333.52-111.222.333.62 -v
# end of script
Wm. Jason Pappas
Sharemedia, Inc.
301-947-3053
----- Original Message -----
From: "Morgan, Gary" <gmorgan@WestportBenefits.net>
To: <netfilter@lists.samba.org>
Sent: Tuesday, July 17, 2001 1:21 PM
Subject: (no subject)
> Can a one-to-one and a one-to-many NAT be done on a single subnet?
>
> Here's what I have:
>
> I have an internet connection with 5 usable IPs
> let's say 1.2.3.4 - 1.2.3.8
> Internal Network containing several computers
> let's say 192.168.0.1/24
> I have two ethernet cards on Linux machine (eth0 inside, eth1 outside)
>
> And here's what I want:
> I want 3 of my machines to do a one-to-one NAT
> 192.168.0.1 = 1.2.3.4
> 192.168.0.2 = 1.2.3.5
> 192.168.0.3 = 1.2.3.6
> and the rest to share the remaining IPs via many-to-one NAT.
> 192.168.0.4-192.168.0.254 = 1.2.3.7-8
>
> Can this be done? and if so how?
>
> I'm assuming I will have to assign all 5 outside IPs to my Linux eth1
> interface, is this correct?
>
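
The layout from the quoted question (three one-to-one mappings plus a shared pool on 1.2.3.7-8, eth1 outside), worked through as an added example that is not part of either message. It is a dry run that prints the iptables commands rather than executing them; the function names are hypothetical, and it assumes the five public addresses already reach the firewall (routed to it as in the setup above, or configured on eth1).

```shell
#!/bin/sh
# Added example: dry-run generator for the NAT layout in the quoted question.
# It prints the iptables commands instead of running them, so it needs no root.
# OUT_IF follows the question (eth1 outside); function names are hypothetical.
OUT_IF=eth1

# Return 0 only for a dotted quad whose four octets are each 0-255.
valid_ip() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# one_to_one <inside> <public>: DNAT inbound, SNAT outbound, as in new_nat above.
one_to_one() {
    valid_ip "$1" && valid_ip "$2" || { echo "bad address: $1 $2" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -d $2 -j DNAT --to-destination $1"
    echo "iptables -t nat -A POSTROUTING -o $OUT_IF -s $1 -j SNAT --to-source $2"
}

# pool <inside-cidr> <first-public> <last-public>: shared SNAT range for the rest.
pool() {
    valid_ip "$2" && valid_ip "$3" || { echo "bad pool: $2 $3" >&2; return 1; }
    echo "iptables -t nat -A POSTROUTING -o $OUT_IF -s $1 -j SNAT --to-source $2-$3"
}

# Rule set for the question's addresses. The per-host rules come before the
# pool rule because the first matching rule in a nat chain decides the mapping.
gen_rules() {
    echo "iptables -t nat -F"
    one_to_one 192.168.0.1 1.2.3.4 || return 1
    one_to_one 192.168.0.2 1.2.3.5 || return 1
    one_to_one 192.168.0.3 1.2.3.6 || return 1
    pool 192.168.0.0/24 1.2.3.7 1.2.3.8
}

gen_rules
```

The output covers only the nat table. A one-to-one DNAT entry forwards every port of the public address to the inside host, so which ports are reachable is decided by the separate FORWARD rule set.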