You're absolutely right about the "/32" typo: it should be "/24". (I was
stupidly thinking 8x3=32).

As for Ramin's suggestion to
> 1) DNAT the NEW packets coming in from your ISP in PREROUTING.
> 2) SNAT the NEW packets going out from your LAN in POSTROUTING.

I had already (and unsuccessfully) tried
# iptables -t nat -I PREROUTING -d 168.243.206.8/29 -j DNAT --to 192.168.1.1

My understanding was that this was a bi-directional NAT: packets going out from
192.168.1.1 would automagically be SNATed. Maybe it isn't so. Is there a way to
make 192.168.1.1 virtually (and bidirectionally) appear to act as the entire
168.243.206.8/29 block?

As for Ramin's second suggestion ("Another way of doing this is to implement the
/29 on your LAN side and bypass the NAT which gives you much more ability for
all the protocols."), that would mean aliasing the /29 addresses on the
192.168.1.0 side, right?

Oscar


----- Original Message -----
From: "Ramin Alidousti" <[EMAIL PROTECTED]>
To: "Oscar Valdez" <[EMAIL PROTECTED]>
Cc: "Jason Pappas" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 12:25 PM
Subject: Re: Redirecting packets


On Fri, Apr 12, 2002 at 12:09:23PM -0600, Oscar Valdez wrote:

> Thank you for your responses and for your drawing, Philipp.
>
> This is the current setup:
>
> Internet
>       |
>       |
> 63.101.129.70 (public IP - controlled by isp)
> 10.0.40.1/21 (ISP owned; NAT)
>       |
>       |
> 10.0.40.30/21 (ISP owned; NAT)
> 192.168.1.1/32   NAT
>       |
>       |
> 192.168.1.0/32  LAN

What do you mean by "192.168.1.0/32  LAN"? Hope it's a typo;
otherwise read the Networking Mini-HowTo first.

>
> As for my block of public ip addresses (it's block 168.243.206.8/29, BTW), they
> are being routed by the ISP over to my 10.0.40.30 address. If you traceroute to
> 168.243.206.9 (one of my addresses), you'll see packets reaching 63.101.129.70,
> which is the ISP's NATting box, or router. The ISP has added routes for my
> address block, routing them over to address 10.0.40.30 (my external interface).
>
> What I'd like to do is to redirect packets received at 10.0.40.30 and addressed
> to the 168.243.206.8/29 block to one of my private addresses.

OK. It seems reasonable. What you do is:

1) DNAT the NEW packets coming in from your ISP in PREROUTING.
2) SNAT the NEW packets going out from your LAN in POSTROUTING.

Actually, I believe that you don't have to use those IP's on any
interface as long as the NAT is done properly on your gateway.
However, you might need some helpers for certain protocols, like
irc and ftp and for some protocols like AH you might end up with
no solution. But I don't believe you have a problem with that as
your current access is an ISP-NAT access anyway.

Another way of doing this is to implement the /29 on your LAN side and
bypass the NAT which gives you much more ability for all the protocols.

For further instruction on how to [SD]NAT, see the documentation.

Ramin

>
> I hope this clarifies my original post.
>
> And thanks for your interest.
>
> Oscar
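The two rules Ramin describes, written out as an added example (this script is not from the thread or from either poster). It uses the addresses from the thread; the interface names, the public address chosen for outbound traffic and the FORWARD rules are assumptions about a typical Linux gateway. The point it illustrates is the one behind Oscar's "bi-directional" question: the nat table only sees the first packet of each connection, and conntrack un-NATs the replies, so a PREROUTING DNAT alone does make inbound connections work in both directions. Connections that 192.168.1.1 opens itself are separate conntrack entries, though, and only a POSTROUTING SNAT gives them a source address from the /29.

```shell
#!/bin/sh
# Added example, not code from the thread: bidirectional NAT of a public /29
# onto one internal host, done the way Ramin describes (DNAT in PREROUTING,
# SNAT in POSTROUTING). Interface names and PUBLIC_SRC are assumptions.
PUBLIC_BLOCK="168.243.206.8/29"   # block the ISP routes to the gateway (from the thread)
INTERNAL_HOST="192.168.1.1"       # host that should appear as the block (from the thread)
PUBLIC_SRC="168.243.206.9"        # assumed: address stamped on traffic the host originates
WAN_IF="eth0"                     # assumed: interface holding 10.0.40.30
LAN_IF="eth1"                     # assumed: interface on 192.168.1.0/24

# nat_rules CMD -- issue the rules through CMD: "iptables" applies them,
# "echo" previews them without needing root.
nat_rules() {
    ipt="${1:-iptables}"

    # 1) Inbound: rewrite the destination of packets arriving for the /29 so
    #    that routing delivers them to the internal host. Replies to these
    #    connections are rewritten back by conntrack; no rule is needed.
    "$ipt" -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_BLOCK" \
        -j DNAT --to-destination "$INTERNAL_HOST"

    # 2) Outbound: connections the host opens itself are not covered by the
    #    DNAT above. Without this rule they leave with source 192.168.1.1
    #    (and whatever the ISP's NAT does to that), which is the behaviour
    #    that looked "not bidirectional" in the thread.
    "$ipt" -t nat -A POSTROUTING -o "$WAN_IF" -s "$INTERNAL_HOST" \
        -j SNAT --to-source "$PUBLIC_SRC"

    # Filter table: the gateway still has to forward the traffic. Allow
    # traffic that was DNATed toward the host (FORWARD sees the rewritten
    # destination), plus its replies, and traffic the host sends out.
    "$ipt" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$INTERNAL_HOST" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$ipt" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTERNAL_HOST" \
        -j ACCEPT
}

# rule_count -- how many rules nat_rules issues (useful in a dry run)
rule_count() {
    nat_rules echo | wc -l | tr -d ' '
}

# Preview by default; run with --apply as root (and net.ipv4.ip_forward=1)
# to install the rules.
if [ "${1:-}" = "--apply" ]; then
    nat_rules iptables
else
    nat_rules echo
fi
```

Two things the rules do not handle, as Ramin notes: protocols that embed addresses in their payload (FTP, IRC) need the corresponding conntrack helper modules loaded, and AH cannot survive any NAT. Ramin's second option, putting the /29 on the LAN interface and routing it without NAT, avoids both problems.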