[olug] NAT - netfilter or routing

Matthew G. Marsh mgm at midwestlinux.com
Fri Apr 4 18:55:34 UTC 2003


On Fri, 4 Apr 2003, David Walker wrote:

> does anyone know of a way to do one to one nat for a range without
> individually specifying each single mapping?

Don't use Netfilter or connection tracking - instead:

Date: Sun, 25 Mar 2001 11:18:25 -0500
From: Ingram Leedy <ingram at myhandshake.com>
To: Matthew G. Marsh <mgm at paktronix.com>
Subject: Re: Static NAT with ISP assigned IP address space to internal
    non-routable address space Help on Howto

Matthew,

Got it -- Is NAT the only thing that relies on connection tracking?

-- Ingram


On Saturday 24 March 2001 15:13, you wrote:
> On Sat, 24 Mar 2001, Ingram Leedy wrote:
> > > Thanks Matthew,
> >
> > Will I still be able to do traffic accounting with iptables on these NAT
> > IP addresses?      I saw where there was a conflict with connection
> > states and iproute2.
>
> Yes - note that if you load iptables_nat it requires ip_conntrack which
> will immediately kill FastNAT (iproute2). I.e.: FastNAT and iptables
> conntrack are mutually exclusive. However you can still use iptables
> packet filtering and FastNAT together. So the traffic accounting works
> plus you can filter what gets through to the FastNAT. Note that the NAT is
> done in the routing table so you need to know the addresses entering and
> leaving the box.
>
> Make sense?
>
> > -- Ingram
> >
> > On Saturday 24 March 2001 10:59, you wrote:
> > > On Fri, 23 Mar 2001, Ingram Leedy wrote:
> > > > www.xx.yy.zz/24  (ISP Assigned address space) <-> NAT BOX <->
> > > > 192.168.1.0/24
> > > >
> > > > I'm sure this is a simple issue.  I have an ISP assigned address space
> > > > and want to statically map each IP to an internal IP.  For
> > > > example:
> > > >
> > > > www.xx.yy.5 would NAT into 192.168.1.5  all the time.
> > >
> > > Easy way:
> > >
> > > # This will 1-2-1 NAT all 192.168.1.32/27 to 10.1.1.64/27
> > >
> > > ip rule add from 192.168.1.32/27 nat 10.1.1.64 prio 14000
> > > ip route add nat 10.1.1.64/27 via 192.168.1.32
> > >
> > > # Done.
> > >
> > > This will always assure that the #-index address in the FROM network
> > > (192.168.1.32/27 - or whatever) is the same #-index into the TO network
> > > (10.1.1.64/27 - or whatever)
> > >
> > > Caveat - Both FROM and TO networks must be the same scope size.
> > >
> > > > From what I have learned it seems that iptables doesn't support
> > > > static NAT
> > > >
> > > > unless I map each IP address individually.   Will someone recommend
> > > > that best approach?
> > > >
> > > > Thanks.
> > > > -- Ingram
> > >
> > > Give that a try - your case FROM=192.168.1.0/24 and TO=www.xx.yy.zz/24
> > > (BTW you also do not need to assign all of the addresses to the outside
> > > ethernet port using iproute2)
> > >
> > > Let me know if you have questions

> i.e.  10.1.2.0/24 gets natted to 192.168.2.0/24 with
> ...
> 10.1.2.3 = 192.168.2.3
> ...
> 10.1.2.232 = 192.168.2.232
> etc.

So for your stuff do:

ip rule add from 192.168.1.0/24 nat 10.1.2.0 prio 14000
ip route add nat 10.1.2.0/24 via 192.168.1.0

OK?


--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 553-2288
Email: mgm at midwestlinux.com
WWW:  http://www.midwestlinux.com
--------------------------------------------------
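As an added example (not from the thread or its authors), a small POSIX shell helper that computes the index-preserving mapping the `ip rule ... nat` / `ip route add nat` pair from the mail produces, enforces the same-scope-size caveat, and prints the two commands for a given pair of networks without running them. Function names are my own, and it assumes a shell with 64-bit arithmetic (dash and bash both qualify).

```shell
#!/bin/sh
# Constructed helper for iproute2 1:1 (FastNAT) mappings; prints commands only.
ALL32=4294967295

ip2int() {                       # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                       # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# nat_map FROM/len TO/len ADDR -> the address ADDR is rewritten to.
# The host index inside FROM is preserved as the host index inside TO,
# which is exactly what the routing-table NAT in the thread does.
nat_map() {
    from_net=${1%/*}; from_len=${1#*/}
    to_net=${2%/*};   to_len=${2#*/}
    # Caveat from the thread: both networks must have the same scope size.
    [ "$from_len" = "$to_len" ] || { echo "prefix length mismatch: /$from_len vs /$to_len" >&2; return 1; }
    hostmask=$(( (1 << (32 - from_len)) - 1 ))
    netmask=$(( ALL32 & ~hostmask ))
    addr=$(ip2int "$3")
    base=$(( $(ip2int "$from_net") & netmask ))
    # Only addresses actually inside FROM are translated by the rule.
    [ $(( addr & netmask )) -eq "$base" ] || { echo "$3 is not inside $1" >&2; return 1; }
    int2ip $(( ( $(ip2int "$to_net") & netmask ) | (addr & hostmask) ))
}

# nat_rules FROM/len TO/len -> the two ip(8) lines, generalized from the mail
# (prio 14000 kept from the original). Prints them; does not execute them.
nat_rules() {
    from_net=${1%/*}; to_net=${2%/*}; to_len=${2#*/}
    [ "${1#*/}" = "$to_len" ] || { echo "prefix length mismatch" >&2; return 1; }
    printf 'ip rule add from %s nat %s prio 14000\n' "$1" "$to_net"
    printf 'ip route add nat %s/%s via %s\n' "$to_net" "$to_len" "$from_net"
}
```

Because this NAT lives in the routing table and not in conntrack, the mapping is a pure function of the address, which is what makes it checkable offline like this.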

