At 17:17 29/05/97 +0100, you wrote:
>Jaime Morell Aced <> writes:
>Manuel Cortés <>
>> I want to know if your Linux distribution support Native Address Translation
>> where one address in the internal network is translated to another address
>> outside the firewall and works also in the opposite direction (connections
>> initialized from outside). I need this feature because connections can
>> initialize in both directions and we want to translate directions in a 1:1
>> basis.
>> If this is possible, I would like to know how can we do it (we like to see
>> an example in the Linux environment).
>You may be able to achieve this by dedicating an aliased address for
>each internal address to be translated and using masquerading in both
>directions; yeuch :-)

Many thanks for the information, but I think that it isn´t exactly what we
need. From, we can see
an example of IP masquerade from wich I want to explain you what we need:
An IP Masquerading Example

  typical example is given in the diagram below:-

      |          |  Ethernet
      | abox     |::::::
      |          |2    :192.168.1.x
      +----------+     :
                       :   +----------+   PPP(Frame Relay)       +----------+
      +----------+     :  1|  Linux   |   link                   | Target   |
      |          |     ::::| masq-gate|::::::::::::::::::::::::::|  Host
      | bbox     |::::::   |          |                          |          |
      |          |3    :   +----------+                          +----------+
      +----------+     :
      +----------+     :
      |          |     :
      | cbox     |::::::
      |          |4

      <-Internal Network->

In this example, 3 IP address are masqueraded by the Linux box, so that from
the outside are hidden in one IP address (this is the same that the
FWXT_HIDE translation mode of the Solstice Firewall-1). This scenario works
fine when the connection begin from the internal network (the pachets sent
back are correctly routed to the origin by the port number), but I think
that it doesn´t work when the connection is originated fron the external
network. What we are looking for is a way for translate one internal IP
address to one external for every box that we need to connect to the
external network (in our case the external network isn´t the Internet, but
we need to use official addresses for that service), so that,
will be translated to, to, etc, and when
the connection begin from to, the linux box
translate the destination address to (translate the source
address when the connection is opened from the internal network, and the
destination address when the connection is opened from the external ). We
can´t put official addresses directly to the boxes because that boxes need
to use another internal services, and it can be in severals subnets, so we
want that this boxes uses the official addresses only when they have to
connect beyond the Linux box or when they have to connect to the Internet
via another gateway/firewall. Can the IP Masquerade feature make this?

Thanks in advance//  Manuel Cortes
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

IP Masquerading is not capable of dynamically allocating real IP addresses from a pool on an 'as needed' basis, which is what you seem to be asking. Masquerading simply conceals many machines behind a single externally visible IP address. As you not, connection from outside back to thr masqueraded machines, are, by and large, not possible. There are certain network services that have specific Masquerading support, to allow reverse connections to be made, such as readaudio, Cu-seeme, vdolive, etc, etc, but these are modules for specific network services.

The Ipautofw package may be of help to you - this allows UDP datagrams to be forwarded over the masquerading gateway, and I have heard it is possible to get online games working this way. It is apparently also possible to masqueraded the X protocol like this.

What you really want is an implementation of NAT for Linux. You can get NAT or PAT in a variety of Cisco routers, but as far as I know, there is currently no implementation for Linux.

The following message was posted to a Linux related newsgroup a few months ago:-

A possible addition to 2.1 is Network Address Translation (NAT, RFC1631). Linux already has masquerade code that lets a few machines access the world through a single IP address, NAT takes this one stage further.  It is really only useful for larger sites, is there anybody on this list who would be interested in NAT?  We (masq developers) are trying to work out if it is worth adding to Linux.

Followups to this showed some interest, so it may be in the process of being added, though I would expect it to be at an early stage if they have actually started development. You might check out the 2.1.x kernel documentation to see if there is any news of support.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.