
I am trying to use twice NAT along with dns_alg to support a framework, and take its measurements.

I have a private network 192.168.0.0/24

This network contains WWW, DNS, DHCP etc. for its own use. DNS and WWW are also used for global access. I have, say, e.g. 6 public addresses that have been allocated to me.

192.168.0.0/24  | ----router/NAT  ||=--- 6ips-----isp-----bigger isp-----whatever.

I want to:

  • Allocate all those IPs onto the single router's outside NIC, or alias them, but I have only 1 NIC.

  • Use NATting, so that whenever the internal DNS replies, the router should modify it to match a global address (runtime selection, not static). Whenever the outside DNS replies, the NAT should again map the public address to one private address, say 192.168.0.32, and then it should reach the client.

  • Use source and destination NATting, so that the internal addresses never appear to communicate with the outside world; rather they seem to only communicate with their LAN.

How should I proceed?

1 Answer


Problem 1: Multiple IP addresses on a NIC.

ip address add a.b.c.d1/mm brd + dev ${WAN_IFACE}
ip address add a.b.c.d2/mm brd + dev ${WAN_IFACE}
... and so on ...

a.b.c.d1, a.b.c.d2, and so on are the Public IP Addresses given to you, /mm is the subnet mask given to you.


Problem 2: Double NAT

iptables -t nat -A PREROUTING  -i ${WAN_IFACE} -p udp --dport 53 -j DNAT --to-destination ${internal_dns_ip}:53
iptables -A FORWARD -i ${WAN_IFACE} -o ${LAN_IFACE} -p udp --dport 53 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${LAN_IFACE} -p udp --dport 53 -j SNAT --to-source ${router_lan_ip}
(and optionally for -p tcp, too)

But why do you want to do that???



Edit: Providing NAT for a subnet within a larger network.

Based on the comments (see below) the answer to Problem 2 will not be suitable. Instead, a simple SNAT should suffice:

# Allow traffic from smaller LAN to bigger LAN
iptables -A FORWARD -i ${SMALLER_LAN_IFACE} -o ${BIGGER_LAN_IFACE} -j ACCEPT
# Allow established and related traffic both ways
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Perform Source NAT
iptables -t nat -A POSTROUTING -o ${BIGGER_LAN_IFACE} -j SNAT --to-source ${LOWER_IP}-${HIGHER_IP}

If you trust both the smaller LAN and bigger LAN, you can make do with a single FORWARD rule:

iptables -A FORWARD -j ACCEPT
– pepoluan
  • I have 1 DNS, 1 HTTP server installed on 192.168.0.196/16, 1 virtual network 192.168.250.0/24. The virtual network's router will have the config you mentioned above. The virtual network has a www and a dns server at, let's say, 250.30 and 250.50. The virtual network's router has an outside interface that will pool 30 IPs from the 192.168.0.0/16 network. Now, suppose a host inside the 192.168.250.0/24 network tries to access the website on 192.168.0.196/16 (using DNS to translate the name), it's not working, and instead dig returns an empty answer section and queries some a.* root servers... why? – nikhilelite Mar 16 '11 at 17:42
  • refer here for an idea of the topology http://3.bp.blogspot.com/-TS74ZHti6Ko/TWfpNxIe5BI/AAAAAAAAANA/mbpN6PtI2ws/s1600/setup – nikhilelite Mar 16 '11 at 17:46
  • @nikhilelite well, in your case, the Linux router need not DNAT, but a SNAT would do. I'll edit my answer. – pepoluan Mar 17 '11 at 05:01
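Worked example, added to this page and not part of pepoluan's answer or nikhilelite's setup: a POSIX sh script that produces the address aliases from Problem 1 and the SNAT ruleset from the edit (plus, optionally, the Problem 2 DNS DNAT) as a single iptables-restore document, so the whole ruleset can be inspected and then loaded atomically instead of one `iptables -A` at a time. Interface names (eth0, eth1), the 192.168.0.100-192.168.0.129 pool, and the 192.168.250.50 resolver and 192.168.250.1 router address are placeholders chosen to match the topology in the comments; the `-m state` match from the answer is written as its current equivalent `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Added example; not code from the original answer. Builds the ruleset from the
# answer above as one iptables-restore document so it can be reviewed first and
# then loaded atomically. All interface names and addresses are placeholders.

# gen_ip_aliases PREFIX FIRST COUNT MASKLEN DEV
# Prints one "ip address add" command per public address (Problem 1).
# Assumes the pool lies inside one /24: only the last octet is incremented.
gen_ip_aliases() {
    prefix="$1" first="$2" count="$3" masklen="$4" dev="$5"
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "ip address add ${prefix}.$((first + i))/${masklen} brd + dev ${dev}"
        i=$((i + 1))
    done
}

# gen_nat_rules SMALLER_LAN_IFACE BIGGER_LAN_IFACE LOWER_IP HIGHER_IP [DNS_IP ROUTER_LAN_IP]
# Emits the filter and nat tables. FORWARD defaults to DROP so only the
# explicitly allowed directions are forwarded; the ESTABLISHED,RELATED rule
# comes first because most packets match it. With DNS_IP and ROUTER_LAN_IP
# set, DNS queries arriving from the bigger LAN are DNATed to the internal
# resolver and source-NATed to the router's LAN address, so the resolver's
# replies come back through this router even if its default route differs
# (the answer's Problem 2, for udp and tcp).
gen_nat_rules() {
    small_if="$1" big_if="$2" lower_ip="$3" higher_ip="$4"
    dns_ip="${5:-}" router_lan_ip="${6:-}"

    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -i ${small_if} -o ${big_if} -m conntrack --ctstate NEW -j ACCEPT"
    if [ -n "$dns_ip" ]; then
        for proto in udp tcp; do
            # Destination is already rewritten by PREROUTING DNAT when FORWARD sees it.
            echo "-A FORWARD -i ${big_if} -o ${small_if} -d ${dns_ip} -p ${proto} --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    echo 'COMMIT'

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':INPUT ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    if [ -n "$dns_ip" ]; then
        for proto in udp tcp; do
            echo "-A PREROUTING -i ${big_if} -p ${proto} --dport 53 -j DNAT --to-destination ${dns_ip}:53"
            echo "-A POSTROUTING -o ${small_if} -d ${dns_ip} -p ${proto} --dport 53 -j SNAT --to-source ${router_lan_ip}"
        done
    fi
    # Source NAT onto the pool; conntrack picks an address from the range per
    # connection, which is the "runtime selection" asked for in the question.
    echo "-A POSTROUTING -o ${big_if} -j SNAT --to-source ${lower_ip}-${higher_ip}"
    echo 'COMMIT'
}

# apply_nat_rules <same arguments as gen_nat_rules>
# Enables forwarding and loads the ruleset; requires root. iptables-restore
# replaces the filter and nat tables wholesale, so run gen_nat_rules first
# and read the output before applying it on a box you reach over the network.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_nat_rules "$@" | iptables-restore
}

# Dry run for the topology in the comments: 192.168.250.0/24 behind a router
# whose outer interface pools 30 addresses from 192.168.0.0/16. Nothing is
# applied here; call apply_nat_rules with the same arguments as root to load it.
gen_ip_aliases 192.168.0 100 30 16 eth0
gen_nat_rules eth1 eth0 192.168.0.100 192.168.0.129 192.168.250.50 192.168.250.1
```

Note the difference from the answer's last shortcut: `iptables -A FORWARD -j ACCEPT` forwards anything in either direction between the two LANs, whereas this ruleset only opens the smaller-to-bigger direction (and, optionally, port 53 to the resolver) and relies on conntrack for the return path.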