Mailing List Archive

NAT
Hi to all.

I have installed a Debian woody firewall with kernel 2.4.6 and iptables.

I have two ethernet NICs (one fast ethernet eth0 - 172.16.242.1/16 and
one Gigabit - Sysconnect - eth1 - 192.168.1.131/24 attached to a
CISCO 6009 VLAN).

The first NIC is attached to a wide B class 172.16.0.0/16 interconnected
via various HUBs. I don't know anything else about this LAN because I
don't administer it.
The second NIC is attached to my private LAN through the CISCO 6009 and its
VLANs. In it there are web servers, media servers and so on. I
administer it.

The problem is with NAT.

My web servers have the cluster address 192.168.1.110/24. I have to
NAT this private address to the 172.16.0.0/16 LAN. So I have made:

iptables -A PREROUTING -t nat -d 172.16.242.6 -i eth0 -j DNAT
--to-destination 192.168.1.110

So in 172.16.0.0/16 my web servers are known as 172.16.242.6.

Well, if I ping 172.16.242.6 from my Linux client
(172.16.241.10/16) I don't see anything.
If I add this line to my Linux client

route add -net 172.16.242.0/24 gw 172.16.242.1

and I ping 172.16.242.6 I see

64 bytes from 172.16.242.6: icmp_seq=40 ttl=126 time=1.0 ms
64 bytes from 172.16.242.6: icmp_seq=40 ttl=126 time=1.1 ms (DUP!)
64 bytes from 172.16.242.6: icmp_seq=41 ttl=126 time=1.0 ms
64 bytes from 172.16.242.6: icmp_seq=41 ttl=126 time=1.1 ms (DUP!)
64 bytes from 172.16.242.6: icmp_seq=42 ttl=126 time=1.0 ms
64 bytes from 172.16.242.6: icmp_seq=42 ttl=126 time=1.1 ms (DUP!)
64 bytes from 172.16.242.6: icmp_seq=43 ttl=126 time=2.9 ms

(the DUP! is because my stupid Windows web servers with Network Load
Balancing are two physical servers)

If I remove the routing line

route del -net 172.16.242.0/24 gw 172.16.242.1

my ping doesn't work.

Obviously I can't add this routing line to all hosts in 172.160.0.0/16,
so how can I solve this problem?
I repeat that all hosts in the 172.16.0.0/16 class are directly connected
via various HUBs.

Thanks a lot
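As an added illustration (example code, not part of the post above), this is a longest-prefix route lookup built from the addresses the post mentions. It shows why the client only reaches the DNAT'd 172.16.242.6 once the more specific route exists: without it the destination is on-link in the client's own /16, so the client ARPs for it on the hub segment and the firewall, which does not own that address, never sees a packet for its PREROUTING rule. The route tables are constructed for the example.

```python
"""Longest-prefix route lookup for the scenario in the post (example code,
not from the original message).  Routes are constructed from the addresses
the poster gives: client 172.16.241.10/16, firewall eth0 172.16.242.1,
DNAT'd address 172.16.242.6."""
from ipaddress import ip_address, ip_network

# A route is (prefix, gateway-or-None, interface).  A gateway of None means
# on-link: the host ARPs for the destination itself instead of using a router.
CLIENT_ROUTES = [
    (ip_network("172.16.0.0/16"), None, "eth0"),   # the client's connected /16
]
# The extra route the poster added by hand on the client.
EXTRA_ROUTE = (ip_network("172.16.242.0/24"), ip_address("172.16.242.1"), "eth0")


def next_hop(routes, dst):
    """Return ("on-link", iface) or ("via", gateway, iface) for dst, picking
    the most specific matching prefix, as the kernel's FIB lookup does."""
    dst = ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, dev = best
    return ("on-link", dev) if gw is None else ("via", str(gw), dev)


def explain(routes, dst):
    """One-line diagnosis of what the client does with a packet for dst."""
    hop = next_hop(routes, dst)
    if hop[0] == "on-link":
        # The client broadcasts an ARP request for dst on the hub segment.
        # Nothing on that segment owns 172.16.242.6 (the firewall's eth0 is
        # .1), so there is no reply and the DNAT rule is never reached.
        # Making the firewall answer for .6 (a secondary address on eth0, or
        # proxy ARP for that address) is the usual cure; that is an aside,
        # not something the post states.
        return f"{dst}: ARP directly on {hop[1]}; the DNAT box never sees it"
    return f"{dst}: sent to gateway {hop[1]} on {hop[2]}; the DNAT rule sees it"


if __name__ == "__main__":
    print(explain(CLIENT_ROUTES, "172.16.242.6"))
    print(explain(CLIENT_ROUTES + [EXTRA_ROUTE], "172.16.242.6"))
```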
Re: Nat [ In reply to ]
On Sunday 06 June 2004 6:36 pm, mafioso1823@contourmediagroup.com wrote:

> I am very new to iptables and i wanted to know how would i do a hide nat
> and a static nat? Any help is very much appreciated.

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html should explain
things, and http://iptables-tutorial.frozentux.net/iptables-tutorial.html
will give you more information on NAT, and netfilter in general.

Please feel free to come back and ask on the list if you have specific
questions regarding a particular setup.

Regards,

Antony.

--
The truth is rarely pure, and never simple.

- Oscar Wilde

Please reply to the list;
please don't CC me.
Re: NAT [ In reply to ]
On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> I'm going to setup a bridged NAT linux box for many users. I want one
> outside IP address to serve for instance 10.0.0.0/22.

Why do this with bridging? If you have a 10.0.0.0/22 network like you
say, it is private and thus not globally routable. So, to reach the
internet you will have to NAT to a globally routable IP. Thus you have
a private subnet and a public subnet which is an ideal environment for a
layer 3 router. Even if you are not going to a public IP but rather
another private IP, the same scenario holds true.

Or are you for some reason wanting to perform a layer 3 function on
layer 2? If so, can I ask why?

> I want to be sure that each local IP address always has 1024 NAT
> sessions available and that sessions is kept even if the timeout is
> reached. If 1024 sessions is reached and a new session is being
> established then it will take over the oldest (timed out) session.

I'm not sure that you will be able to specify how many NAT sessions each
system will have and / or how to control the expiration thereof. I do
know that you will have (or did have to in previous kernels) to have a
fair amount of RAM for the connection tracking table to not wrap on a
network of that size.

> Is this possible with iptables?

The first part of what you want to do (layer 2 or layer 3) NATing, yes.

As far as controlling how many sessions are reserved / maintained even
beyond timeouts, I don't know. I'm betting not, especially to the latter.



Grant. . . .
Re: NAT [ In reply to ]
On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> > I'm going to setup a bridged NAT linux box for many users. I want one
> > outside IP address to serve for instance 10.0.0.0/22.
>
> Why do this with bridging? If you have a 10.0.0.0/22 network like you
> say, it is private and thus not globally routable. So, to reach the
> internet you will have to NAT to a globally routable IP. Thus you have
> a private subnet and a public subnet which is an ideal environment for a
> layer 3 router. Even if you are not going to a public IP but rather
> another private IP, the same scenario holds true.
>
> Or are you for some reason wanting to perform a layer 3 function on
> layer 2? If so, can I ask why?

Ok, I think you're right here.

>
> > I want to be sure that each local IP address always has 1024 NAT
> > sessions available and that sessions is kept even if the timeout is
> > reached. If 1024 sessions is reached and a new session is being
> > established then it will take over the oldest (timed out) session.
>
> I'm not sure that you will be able to specify how many NAT sessions each
> system will have and / or how to control the expiration thereof. I do
> know that you will have (or did have to in previous kernels) to have a
> fair amount of RAM for the connection tracking table to not wrap on a
> network of that size.
>
> > Is this possible with iptables?
>
> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>
> As far as controlling how many sessions are reserved / maintained even
> beyond timeouts, I don't know. I'm betting not, especially to the latter.
>

I guess the question was more about controlling the number of NAT
sessions per local IP address?

- Martin
Re: NAT [ In reply to ]
On 7/3/07 1:55 AM, "Martin Schiøtz" <malinux@gmail.com> wrote:

> On 7/3/07, Grant Taylor <gtaylor@riverviewtech.net> wrote:
>> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
>>> I'm going to setup a bridged NAT linux box for many users. I want one
>>> outside IP address to serve for instance 10.0.0.0/22.
>>
>> Why do this with bridging? If you have a 10.0.0.0/22 network like you
>> say, it is private and thus not globally routable. So, to reach the
>> internet you will have to NAT to a globally routable IP. Thus you have
>> a private subnet and a public subnet which is an ideal environment for a
>> layer 3 router. Even if you are not going to a public IP but rather
>> another private IP, the same scenario holds true.
>>
>> Or are you for some reason wanting to perform a layer 3 function on
>> layer 2? If so, can I ask why?
>
> Ok, I think you're right here.
>
>>
>>> I want to be sure that each local IP address always has 1024 NAT
>>> sessions available and that sessions is kept even if the timeout is
>>> reached. If 1024 sessions is reached and a new session is being
>>> established then it will take over the oldest (timed out) session.
>>
>> I'm not sure that you will be able to specify how many NAT sessions each
>> system will have and / or how to control the expiration thereof. I do
>> know that you will have (or did have to in previous kernels) to have a
>> fair amount of RAM for the connection tracking table to not wrap on a
>> network of that size.
>>
>>> Is this possible with iptables?
>>
>> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>>
>> As far as controlling how many sessions are reserved / maintained even
>> beyond timeouts, I don't know. I'm betting not, especially to the latter.
>>
>
> I guess the question was more about controlling the number of NAT
> sessions per local IP address?

If you give iptables a range, it will try to do as little port mangling as
possible, so I believe it will try to hold onto connections as long as
possible. We saw quite a performance difference when we moved our 100 users from one
NATted address to 64. I guess the mangling made that much of a difference.

Robert LeBlanc
BioAg Computer Support
Brigham Young University
leblanc@byu.edu
(801)422-1882