On Mon, 13 Jan 2003, Joel Baumert wrote:

> You could have all of the computers with 192.* addresses
> and have the Linux box using ipchains or iptables
> translate any packet on the external address to an
> internal address... i.e.
>
> 201.123.32.12 <-> 192.168.1.12
> 201.123.32.13 <-> 192.168.1.13
> 201.123.32.14 <-> 192.168.1.14
> 201.123.32.15 <-> 192.168.1.15
> 201.123.32.16 <-> NAT
> ...
> NAT <-> 192.168.0.2
> NAT <-> 192.168.0.3
> NAT <-> 192.168.0.4
> ...
>
> You can try out this script... It may even work :-). The
> masquerading should be correct, but the ip mappings may not
> be and I don't really have a good setup to try them. There
> is probably someone better with iptables to give you a better
> answer. The final script is probably more complicated, but
> this might give you something to start with.
>
> You would configure everyone with a 255.255.0.0 netmask with
> the Linux box with 201.123.32.16 and 192.168.0.1 for addresses.

The dnat idea is a good one (assuming you are running kernel 2.4), except
that you DON'T WANT TO DO IT TO YOUR INTERNAL NETWORK. External servers
should be put into a DMZ network. Data connectivity between internal
network and DMZ should originate from the internal network only, to prevent
a cracker from plowing through your network one system at a time. See
http://linuxjournal.com/article.php?sid=4415, for example.

>
> Joel
>
>
> #
> # iptables.
> #
>
> modprobe iptable_nat
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Outbound: hide the private hosts behind the firewall's own eth0 address.
> iptables -t nat -F POSTROUTING
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
>
> # Inbound: rewrite the public *destination* address (-d, not -s) to the
> # private host; the DNAT target takes --to-destination.
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.12 -j DNAT --to-destination 192.168.1.12
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.13 -j DNAT --to-destination 192.168.1.13
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.14 -j DNAT --to-destination 192.168.1.14
> iptables -t nat -A PREROUTING -i eth0 -d 201.123.32.15 -j DNAT --to-destination 192.168.1.15
>
>
> On Mon, Jan 13, 2003 at 03:31:59PM -0800, Ken Bloom wrote:
> > I'm inventing some random numbers (they're not even valid IP
> > addresses) to explain the problem better
> >
> > The following computers are connected via hub to the DSL modem:
> > 201.123.321.12
> > 201.123.321.13
> > 201.123.321.14
> > 201.123.321.15
> > 201.123.321.16 (eth0) / 192.168.0.1 (eth1)
> > 192.168.0.2
> > 192.168.0.3
> >
> > What can be done so that the 201.123.321.* computers can see the
> > 192.168.0.* computers? Bear in mind that these computers are not
> > necessarily all Linux computers, but that we know
> > 201.123.321.16/192.168.0.1 is a Linux computer.
> >
> >
> > > ---ORIGINAL MESSAGE---
> > > From: Rod Roark <[EMAIL PROTECTED]>
> > > Organization: Sunset Systems
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [vox-tech] bridging subnets
> > > Date: Mon, 13 Jan 2003 06:53:57 -0800
> > > Reply-To: [EMAIL PROTECTED]
> > >
> > > I'm surely being dense, but I don't understand what you
> > > mean. What are the subnets in question?
> > >
> > > Here's a thought that may or may not apply. Perhaps you
> > > can put all the machines on a single LAN behind the Linux
> > > firewall. Note that you can assign all 5 external IP's to
> > > this Linux box and then port-forward (with iptables) to
> > > other machines depending on the destination IP address
> > > (and/or port number) of incoming packets.
> > >
> >
> > _______________________________________________
> > vox-tech mailing list
> > [EMAIL PROTECTED]
> > http://lists.lugod.org/mailman/listinfo/vox-tech
>

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>               Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#..       Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
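Jeff's advice (public servers in a DMZ, internal-to-DMZ connections only ever opened from the inside) applied to Joel's 1:1 NAT script, as an added example that is not code from anyone in the thread. It assumes a constructed three-interface layout: eth0 external, eth1 DMZ (192.168.1.0/24), eth2 internal (192.168.0.0/24), with the thread's made-up 201.123.32.x public addresses.

```shell
#!/bin/sh
# Added example, not from the thread: Joel's 1:1 DNAT with the public hosts in
# a DMZ, as Jeff recommends. Assumed (constructed) layout: eth0 external,
# eth1 DMZ 192.168.1.0/24, eth2 internal 192.168.0.0/24; public addresses are
# the thread's made-up 201.123.32.x.  DRY_RUN=1 prints commands instead.
EXT=eth0; DMZ=eth1; INT=eth2
DMZ_NET=192.168.1.0/24; INT_NET=192.168.0.0/24
# "public DMZ-host" pairs: one external address per server, mapped 1:1.
DMZ_MAP="201.123.32.12 192.168.1.12
201.123.32.13 192.168.1.13
201.123.32.14 192.168.1.14
201.123.32.15 192.168.1.15"

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    run iptables -F FORWARD
    run iptables -P FORWARD DROP   # default deny between all three segments
    # Replies to already-accepted connections may flow in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound DNAT on the *destination* address (Joel's script matched -s),
    # matching SNAT so each server answers from its own public address, and
    # only NEW connections from the Internet to that DMZ host are forwarded.
    echo "$DMZ_MAP" | while read -r pub priv; do
        run iptables -t nat -A PREROUTING -i "$EXT" -d "$pub" -j DNAT --to-destination "$priv"
        run iptables -t nat -A POSTROUTING -o "$EXT" -s "$priv" -j SNAT --to-source "$pub"
        run iptables -A FORWARD -i "$EXT" -o "$DMZ" -d "$priv" -m state --state NEW -j ACCEPT
    done

    # Internal LAN: masqueraded, may open connections to the Internet and DMZ.
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$INT_NET" -j MASQUERADE
    run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$INT_NET" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT" -o "$DMZ" -s "$INT_NET" -d "$DMZ_NET" -m state --state NEW -j ACCEPT

    # The DMZ never opens connections into the internal LAN: log it, then the
    # DROP policy discards it. A compromised server stops here.
    run iptables -A FORWARD -i "$DMZ" -o "$INT" -m state --state NEW -j LOG --log-prefix "DMZ->INT: "
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) DRY_RUN=1; apply_rules ;;
    *)       echo "usage: $0 apply|dry-run" ;;
esac
```

Run with `dry-run` first to read the generated rules; `apply` needs root and replaces the FORWARD and nat PREROUTING/POSTROUTING chains.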