---------- Original Message ----------------------------------
From: patrick conlin <[EMAIL PROTECTED]>
Date: Fri, 24 May 2002 16:02:02 -0400
>on 5/24/02 14:51, [EMAIL PROTECTED] wrote:
>
>> interface Ethernet0
>> ip address yyy.yyy.yyy.yyy 255.255.255.252
>
>> interface Ethernet1
>> ip address xxx.xxx.xxx.2 255.255.254.0
>
>> ip route 10.101.104.0 255.255.248.0 xxx.xxx.xxx.170
>> ip route 10.102.104.0 255.255.248.0 xxx.xxx.xxx.174
>> ip route 10.103.104.0 255.255.248.0 xxx.xxx.xxx.175
>> access-list 1 permit 10.101.104.0 0.0.7.255
>> access-list 1 permit 10.102.104.0 0.0.7.255
>> access-list 1 permit 10.103.104.0 0.0.7.255
>
>> yyy.yyy.yyy.yyy is the upstream provider's IP for our router.
>> xxx.xxx.xxx addresses are our own public block of IP addresses.
>
>It looks like you've got the following setup (is this correct)?
>
>isp <-> cisco <-> prop router 01 (xxx.xxx.xxx.170) <-> 10.101.104.0
>                  <-> prop router 02 (xxx.xxx.xxx.174) <-> 10.102.104.0
>                  <-> prop router 03 (xxx.xxx.xxx.175) <-> 10.103.104.0
>
>All hosts on 10.101.104.0 get natted to xxx.xxx.xxx.170
>All hosts on 10.102.104.0 get natted to xxx.xxx.xxx.174
>All hosts on 10.103.104.0 get natted to xxx.xxx.xxx.175

That's the layout.

>
>If your linux box has 4 free pci slots, fill 'em up with nics. Then you can
>eliminate the cisco box and the three routers.
>
>isp <-> eth0 <-> netfilter <-> eth1 <-> 10.101.104.0
>                           <-> eth2 <-> 10.102.104.0
>                           <-> eth3 <-> 10.103.104.0
>
>Then it's just a matter of standard SNAT and DNAT based on interface.

Well, in our case there is an added complexity. The proprietary wireless routers/transmitters are actually sitting on towers, and we are using wireless bridges to communicate between them and to provide the backhaul for the NATed hosts.

>
>Why the funky netmasks on the 3 internal networks? Do they have subnetworks
>of their own?

Partially because we expect to have a large number of hosts on each subnet, and due to various limitations, each of the three networks must be on a different subnet.

As an endnote: with the help of one of your posters, Joe Patterson, I have come up with what appears to be the perfect solution. I am using the 10.103.104.0/21 subnet as a testbed, since we don't have a tower installed yet, and the following line works just great!

iptables -t nat -A POSTROUTING -o eth0 -s 10.103.104.0/21 -j MASQUERADE

I have the FTP module loaded, and that works without a problem. Only two things are really left to figure out right now. We do have a couple of our public IP addresses mapped to NATed hosts via the "ip nat inside source static" and "ip nat outside source static" commands. I will have to have this functionality. The other thing I will need, though if I can't do it, I won't cry too many tears, is to give one of our machines on the public address side the ability to contact all the NATed hosts.

-- 
A. Clausen
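The two open items in the message above, the static one-to-one mappings ("ip nat inside source static") and a public-side host reaching the NATed subnets, alongside the per-subnet MASQUERADE line, as an added shell example that is not part of the thread. It assumes eth0 as the upstream interface as in the MASQUERADE line, and uses the 203.0.113.0/24 documentation prefix as a placeholder for the public block the thread masks; the rules are printed rather than applied so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables ruleset equivalent to
# the Cisco "ip nat inside source static" mappings plus per-subnet MASQUERADE.
# Public addresses are constructed placeholders (203.0.113.0/24, documentation prefix).
WAN=eth0

# Print each rule instead of running it; pipe the script's output to sh to apply it.
rule() { printf 'iptables %s\n' "$*"; }

# Dynamic many-to-one NAT: the three wireless subnets leave via the WAN address.
masquerade_subnets() {
    for net in 10.101.104.0/21 10.102.104.0/21 10.103.104.0/21; do
        rule -t nat -A POSTROUTING -o "$WAN" -s "$net" -j MASQUERADE
    done
}

# Static one-to-one NAT: public $1 <-> private $2, the "inside source static" case.
static_map() {
    pub=$1
    priv=$2
    # Inbound: packets for the public address are rewritten to the inside host.
    rule -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
    # Outbound: the inside host keeps its own public address. Inserted at the top
    # of POSTROUTING because the first matching NAT rule wins; appended after the
    # subnet MASQUERADE rule it would never be reached.
    rule -t nat -I POSTROUTING 1 -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
    # NAT only rewrites addresses; FORWARD must also admit the inbound connections.
    rule -A FORWARD -i "$WAN" -d "$priv" -j ACCEPT
}

# A host on the public block ($1) reaching every NATed host is plain routing, no NAT:
# MASQUERADE is bound to -o $WAN, and traffic toward the private subnets leaves via
# the internal interfaces. That host still needs a route for the 10.x subnets
# pointing at this box.
allow_public_host() {
    for net in 10.101.104.0/21 10.102.104.0/21 10.103.104.0/21; do
        rule -A FORWARD -s "$1" -d "$net" -j ACCEPT
    done
}

# Complete ruleset with constructed placeholder addresses.
ruleset() {
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    masquerade_subnets
    static_map 203.0.113.10 10.103.104.10
    allow_public_host 203.0.113.2
}

ruleset
```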
