ip alias

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Sep 28 17:17:13 CEST 2004


John Black wrote:
> eth0 161.31.31.22 
> eth0:0 161.31.31.23 (i hope)
> eth1 192.168.1.1

So, eth0 is your external interface with two IP addresses assigned to 
it, and eth1 is interface to your local network?  Don't hope if the 
interface has an address assigned.  Check it with "ifconfig" or "ip 
address show".

Access to the Internet from the firewall box will work out of the box. 
Linux will use address of eth0 for all packets that are to leave the box 
out of eth0.

To allow hosts on your local network to access the internet, you need to 
enable forwarding and define simple NAT rule:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/16 -j SNAT 
--to-source 161.31.31.23

If you wanted to allow access *from* the Internet to one of the hosts on 
your local network (that doesn't have public IP address), than you would 
use DNAT target.

> this is how it was shown in the double nat howto.  so i was
> trying to take that and make it work for a signle.

Howtos are nice, but having an understanding on how things work should 
be priority.  Otherwise you end up with configuration that you have no 
idea what it is doing.  And that is a very bad thing, especially when 
building an firewall.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



More information about the netfilter mailing list