Out of the desire not to spend a fortune on another Cisco box, and to fulfill the need to do IP accounting, traffic shaping and (possibly) caching, we are putting together a Linux box. So far I have successfully configured iptables to do some pretty basic IP accounting (which is all we really need). One area that is stumping me is translating IOS NAT commands into iptables.
We have what appears to be a rather odd configuration. Our Cisco router is running as the border router between our upstream provider and our own /23 block of addresses. It is also configured to do NAT, though all NAT addresses are routed to three proprietary routers with a public IP address and then a private IP address. Here is our current NAT configuration on the Cisco router.

    interface Ethernet0
     description This the outside ethernet connected to our upstream provider
     ip address yyy.yyy.yyy.yyy 255.255.255.252
     ip access-group 101 out
     no ip directed-broadcast
     ip nat outside
    !
    interface Ethernet1
     ip address xxx.xxx.xxx.2 255.255.254.0
     no ip directed-broadcast
     ip nat inside
    !
    ip route 10.101.104.0 255.255.248.0 xxx.xxx.xxx.170
    ip route 10.102.104.0 255.255.248.0 xxx.xxx.xxx.174
    ip route 10.103.104.0 255.255.248.0 xxx.xxx.xxx.175
    access-list 1 permit 10.101.104.0 0.0.7.255
    access-list 1 permit 10.102.104.0 0.0.7.255
    access-list 1 permit 10.103.104.0 0.0.7.255

yyy.yyy.yyy.yyy is the upstream provider's IP for our router. xxx.xxx.xxx addresses are our own public block of IP addresses. I hope there is a way to do this using iptables, since everything else in Linux has gone off like a charm.

-- A. Clausen
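The translation the post asks about, as an added example that is not part of the original message or of any vendor documentation: a small POSIX sh script that reads the Cisco `ip route` and `access-list 1 permit` lines above and emits the equivalent Linux commands. The Cisco wildcard masks (0.0.7.255) and netmasks (255.255.248.0) are converted to CIDR prefix lengths, with a check that the mask is contiguous, since a non-contiguous Cisco wildcard has no single iptables `-s` equivalent. It assumes eth0 is the outside interface (Ethernet0) and eth1 the inside interface (Ethernet1), and that the router's NAT statement, which the post does not show, is the usual interface-overload form that maps to a MASQUERADE rule on the outside interface; all three are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Translates Cisco IOS
# "ip route" and "access-list 1 permit" lines into Linux "ip route add"
# and iptables source-NAT rules, printing them rather than executing them.
# Assumptions (not stated in the post): eth0 = outside (Ethernet0),
# eth1 = inside (Ethernet1), and the Cisco NAT statement is an
# interface-overload (PAT) rule, i.e. iptables MASQUERADE on the outside interface.

OUTSIDE_IF=${OUTSIDE_IF:-eth0}
INSIDE_IF=${INSIDE_IF:-eth1}

# "a.b.c.d" -> 32-bit integer (shell arithmetic is at least 32-bit signed,
# 64-bit in dash and bash, so 255<<24 does not overflow).
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Number of set bits in an integer.
popcount() {
    n=$1; c=0
    while [ "$n" -gt 0 ]; do c=$((c + (n & 1))); n=$((n >> 1)); done
    echo "$c"
}

# Given an integer whose set bits are the host (wildcard) bits, return the
# CIDR prefix length. Fails unless the host bits are a contiguous low block,
# because only then does the Cisco match equal a single CIDR range.
hostbits_to_prefix() {
    w=$1
    if [ $(( w & (w + 1) )) -ne 0 ]; then
        echo "non-contiguous mask, no CIDR equivalent" >&2
        return 1
    fi
    echo $(( 32 - $(popcount "$w") ))
}

# Cisco wildcard mask (0.0.7.255) -> prefix length (21).
wildcard_to_prefix() {
    hostbits_to_prefix "$(ip_to_int "$1")"
}

# Netmask (255.255.248.0) -> prefix length (21): invert within 32 bits first.
netmask_to_prefix() {
    hostbits_to_prefix $(( 0xFFFFFFFF ^ $(ip_to_int "$1") ))
}

# "access-list 1 permit NET WILDCARD" -> iptables POSTROUTING MASQUERADE rule.
# Packets from the inside networks leaving on the outside interface are
# rewritten to that interface's address, the same effect as "ip nat inside"
# sources translated to the "ip nat outside" interface with overload.
nat_rule_for() {
    p=$(wildcard_to_prefix "$2") || return 1
    echo "iptables -t nat -A POSTROUTING -s $1/$p -o $OUTSIDE_IF -j MASQUERADE"
}

# "ip route NET MASK NEXTHOP" -> ip route add NET/PREFIX via NEXTHOP.
route_cmd_for() {
    p=$(netmask_to_prefix "$2") || return 1
    echo "ip route add $1/$p via $3 dev $INSIDE_IF"
}

# Read Cisco config lines on stdin; emit Linux commands on stdout.
# Lines that are not routes or access-list 1 permits are ignored.
translate_config() {
    while read -r k1 k2 k3 k4 k5 _rest; do
        case "$k1 $k2" in
            "ip route")      route_cmd_for "$k3" "$k4" "$k5" ;;
            "access-list 1") [ "$k3" = permit ] && nat_rule_for "$k4" "$k5" ;;
        esac
    done
}

# Demo on the lines from the post (constructed input, with the post's own
# xxx placeholders). Pipe the output into sh on the Linux box to apply it,
# after enabling forwarding with: sysctl -w net.ipv4.ip_forward=1
translate_config <<'EOF'
ip route 10.101.104.0 255.255.248.0 xxx.xxx.xxx.170
ip route 10.102.104.0 255.255.248.0 xxx.xxx.xxx.174
ip route 10.103.104.0 255.255.248.0 xxx.xxx.xxx.175
access-list 1 permit 10.101.104.0 0.0.7.255
access-list 1 permit 10.102.104.0 0.0.7.255
access-list 1 permit 10.103.104.0 0.0.7.255
EOF
```

The contiguity check matters: a Cisco access-list can match on a mask such as 0.0.5.255, which selects non-adjacent ranges and cannot be expressed as one `-s net/prefix`; the script refuses such a line rather than silently emitting a rule that matches the wrong hosts. Rules are appended with `-A`, so flush the nat table first if the script is re-run.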
