I think Florian is direct to list.  I don't think he uses Ken's newsgroup
server.

Anyhow, NAT'ing seems like your best bet.  One major advantage of
implementing this just once is that each time you switch ISPs, and thus
your addresses change, it is MUCH easier to migrate.

There are quite a few different implementations of NAT, as others pointed
out.  If you're not into editing .conf files with VI in order to firewall,
I'd suggest SmoothWall.  It'll probably do everything you need, including
1-to-1 external to internal NAT mappings, and it also has DMZ functionality,
if you so desire to use that for your game servers.

http://www.smoothwall.org

I think what has you stumbling is how to setup 1-to-1 NAT mappings from
external NIC ip addresses to the internal private IP addresses.  I've not
done it manually with Linux, but many popular Linux based and win32 based
firewall products are capable of this.  SmoothWall is one.  Hell, I think
you can even do this with W2K's NAT.

In essence, you bind all of your public IPs that the ISP has given you to
your public NIC.  Thus, it will accept any traffic thrown at it from the
world.  You then create 1-to-1 NAT mappings from the public IPs to the
private IPs of your game servers:

207.151.100.194  <-->  192.168.100.2
207.151.100.195  <-->  192.168.100.3
207.151.100.196  <-->  192.168.100.4
207.151.100.197  <-->  192.168.100.5

etc, etc.

Make 192.168.100.1 the only address bound to the internal NIC of the
firewall, and set this address as the default gateway on all the internal
machines.  Your firewall will not do any routing.  It will strictly be doing
address translation.  This new ISP of yours has taken away your routing
privileges, so to speak.

StanTheMan
TheHardwareFreak
http://www.hardwarefreak.com
rcon admin at:
Beer for Breakfast servers        <http://bfb.bogleg.org/>
   209.41.98.2:27016 (CS multi-map)   209.41.98.2:27015 (DoD)
   209.41.98.2:27017 (CS militia/dust2)            Dallas, TX
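Added example, not code from Stan's post, from SmoothWall, or from anyone else on the thread: the 1-to-1 mapping above written out as Linux iptables rules. The script only prints the commands, so they can be read over first and then run as root (`all_rules | sh`). Everything beyond the four address pairs is an assumption for illustration: external NIC eth0, internal NIC eth1, a /26 (255.255.255.192) mask on the public block, UDP 27015 as the only port forwarded to each game server, a 192.168.100.0/24 internal block, and iptables with the nat table available.

```shell
#!/bin/sh
# Added example (not from the thread): generate Linux iptables rules for the
# 1-to-1 NAT scheme described above. Assumptions, not stated in the post:
# external NIC eth0, internal NIC eth1, public block mask /26, game traffic
# on UDP 27015, internal block 192.168.100.0/24, iptables nat table present.
EXT_IF=eth0
INT_IF=eth1
PUB_PREFIX=26
INT_NET=192.168.100.0/24

# public -> private pairs, one per line (the mapping from the post above)
MAPPINGS="207.151.100.194 192.168.100.2
207.151.100.195 192.168.100.3
207.151.100.196 192.168.100.4
207.151.100.197 192.168.100.5"

# Rules for one public<->private pair. They are printed, not executed, so
# they can be reviewed first and then run as root (all_rules | sh).
one_to_one_rules() {
    pub=$1; priv=$2
    # Bind the extra public address to the external NIC so the kernel answers
    # ARP for it and the ISP's router can deliver packets addressed to it.
    echo "ip addr add $pub/$PUB_PREFIX dev $EXT_IF"
    # Inbound: rewrite the public destination to the private server before
    # routing, so the FORWARD chain already sees the private address.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: rewrite the private source back to its own public address
    # after routing, so replies and server-initiated traffic keep the same IP.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
}

# Filter rule for the same pair: only the game port may open new
# connections to the server; everything else hits the FORWARD DROP policy.
forward_filter_rules() {
    priv=$1; port=$2; proto=$3
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $priv -p $proto --dport $port -m state --state NEW -j ACCEPT"
}

# Complete ruleset: forwarding on, default-deny FORWARD, stateful replies,
# then NAT and filter rules for every mapping.
all_rules() {
    # DNAT'd packets still cross FORWARD on their way to the internal NIC,
    # so ip_forward has to be on even though the box does nothing but NAT.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Internal hosts may initiate outbound connections.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state NEW -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        one_to_one_rules "$pub" "$priv"
        forward_filter_rules "$priv" 27015 udp
    done
    # Internal hosts without a mapping of their own go out behind the
    # primary address; nat rules are first-match, so the SNATs above win.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE"
}

all_rules
```

Two servers on the same port on different machines are not a problem here: each public address gets its own DNAT, so the port is only reused behind distinct destination IPs. Add a second `forward_filter_rules` call per mapping for any extra port (rcon, HLTV) rather than widening the one shown.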
> -----Original Message-----
> From: Khyron [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 3:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [hlds_linux] OT: Routing securely
>
>
> Hrm - Florian's msg didn't show up in my mail - newsgroup only?
>
> Originally I had my linux box doing my routing/firewall - because my
> ISP gave me a proper 8 ip subnet (so first and last broadcast) and
> then gave me a single static for the external firewall nic. They also
> made a routing entry on their equipment that routed that 8 ip subnet
> to the single non-subnetted ip. Thus I had the static on the outside,
> 1 of the subnet ips on the internal interface, then the other statics
> on the internal machines, using the internal fw eth as gateway. Set
> ipforwarding on, and it's done.
>
> The new ISP is doing it the old way, they don't issue subnets, just
> random single statics. My set includes x.194, 195, 196, 197, 208, 209.
> x.193 is their gateway. Subnet mask is .192
>
> So if I have my ext eth card bound to say, 194 any requests to 195,
> 196 etc never even hit the interface because their router is arping
> for 196 and since it's internal it is never seen. And even if I get
> the ARP proxy working to answer the requests, I'm stuck.
>
> The NATing idea doesn't seem to be able to do it bi-directionally - at
> least not that I can see. I can have the single nic answer for all the
> IPs, but having it send to 10.x and then have any returning traffic
> reconverted into the proper static is not easy.
>
> Seriously - how do you guys firewall your stuff if you have more than
> 1 static? Say you have 2 cstrike servers running on the same port on
> different machines - you can't NAT them both. You just have them live
> outside the firewall? I've been on this list for 2+ years and can't
> recall seeing this topic other than "what ports do I need to open".
>
> Right now my naked win2k machines and my cs server are plugged right
> into a hub which has the modem plugged as well. Works, but insecure as
> hell.
>
> Regards,
>
> Khyron
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, August 13, 2002 2:01 AM
> Subject: RE: [hlds_linux] OT: Routing securely
>
>
> > IIRC Florian, he didn't want to have to re-compile his kernel.  That
> > must be what you missed.
> >
> > StanTheMan
> > TheHardwareFreak
> > http://www.hardwarefreak.com
> > rcon admin at:
> > Beer for Breakfast servers        <http://bfb.bogleg.org/>
> >    209.41.98.2:27016 (CS multi-map)   209.41.98.2:27015 (DoD)
> >    209.41.98.2:27017 (CS militia/dust2)            Dallas, TX
> >
> >
> > > -----Original Message-----
> > > From: Florian Zschocke [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, August 13, 2002 2:23 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [hlds_linux] OT: Routing securely
> > >
> > >
> > > Khyron wrote:
> > > >
> > > > Yah I could NAT with a 10.x or whatever, but avoiding NAT is the
> > > > reason I paid extra for the statics. I've been looking at Arp
> > > > Proxy, but any of those that I found on the net assumes you have
> > > > a full subnet, as opposed to my situation (several statics that
> > > > are not all in sequence). The only other thing I've found is a
> > > > "bridge" but it's more of packet sniffer/blocker/shaper than a
> > > > true firewall/gateway.
> > >
> > > Excuse me for asking a stupid question, but why was it that you
> > > can't simply have the Linux box act as a routing firewall for
> > > those 7 static IPs? I must have missed something.
> > >
> > > Florian.
> > > _______________________________________________
> > > To unsubscribe, edit your list preferences, or view the list
> > > archives, please visit:
> > > http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> > >