
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 307


At 17:17 29/05/97 +0100, you wrote:
>Jaime Morell Aced <jmorell@g-air-europa.es> writes:
>Manuel Cortés <mcortes@g-air-europa.es>
>> I want to know if your Linux distribution support Native Address Translation
>> where one address in the internal network is translated to another address
>> outside the firewall and works also in the opposite direction (connections
>> initialized from outside). I need this feature because connections can
>> initialize in both directions and we want to translate directions in a 1:1
>> basis.
>> If this is possible, I would like to know how can we do it (we like to see
>> an example in the Linux environment).
>You may be able to achieve this by dedicating an aliased address for
>each internal address to be translated and using masquerading in both
>directions; yeuch :-)

Many thanks for the information, but I think that it isn't exactly what we
need. From http://sunsite.unc.edu/mdw/HOWTO/mini/IP-Masquerade, we can see
an example of IP masquerade from which I want to explain to you what we need:
An IP Masquerading Example

  A typical example is given in the diagram below:-

      |          |  Ethernet
      | abox     |::::::
      |          |2    :192.168.1.x
      +----------+     :
                       :   +----------+   PPP(Frame Relay)       +----------+
      +----------+     :  1|  Linux   |   link                   | Target   |
      |          |     ::::| masq-gate|::::::::::::::::::::::::::|  Host
      | bbox     |::::::   |          |                          |          |
      |          |3    :   +----------+                          +----------+
      +----------+     :
      +----------+     :
      |          |     :
      | cbox     |::::::
      |          |4

      <-Internal Network->

In this example, 3 IP addresses are masqueraded by the Linux box, so that from
the outside they are hidden behind one IP address (this is the same as the
FWXT_HIDE translation mode of the Solstice Firewall-1). This scenario works
fine when the connection begins from the internal network (the packets sent
back are correctly routed to the origin by the port number), but I think
that it doesn't work when the connection is originated from the external
network. What we are looking for is a way to translate one internal IP
address to one external for every box that we need to connect to the
external network (in our case the external network isn't the Internet, but
we need to use official addresses for that service), so that,
will be translated to, to, etc., and when
the connection begins from to, the Linux box
translates the destination address to (translate the source
address when the connection is opened from the internal network, and the
destination address when the connection is opened from the external). We
can't put official addresses directly on the boxes because those boxes need
to use other internal services, and they can be in several subnets, so we
want these boxes to use the official addresses only when they have to
connect beyond the Linux box or when they have to connect to the Internet
via another gateway/firewall. Can the IP Masquerade feature do this?

Thanks in advance//  Manuel Cortes
1 Solution
IP Masquerading is not capable of dynamically allocating real IP addresses from a pool on an 'as needed' basis, which is what you seem to be asking. Masquerading simply conceals many machines behind a single externally visible IP address. As you note, connections from outside back to the masqueraded machines are, by and large, not possible. There are certain network services that have specific masquerading support, to allow reverse connections to be made, such as RealAudio, CU-SeeMe, VDOLive, etc., but these are modules for specific network services.

The ipautofw package may be of help to you - this allows UDP datagrams to be forwarded over the masquerading gateway, and I have heard it is possible to get online games working this way. It is apparently also possible to masquerade the X protocol like this.

What you really want is an implementation of NAT for Linux. You can get NAT or PAT in a variety of Cisco routers, but as far as I know, there is currently no implementation for Linux.

The following message was posted to a Linux related newsgroup a few months ago:-

A possible addition to 2.1 is Network Address Translation (NAT, RFC1631). Linux already has masquerade code that lets a few machines access the world through a single IP address, NAT takes this one stage further.  It is really only useful for larger sites, is there anybody on this list who would be interested in NAT?  We (masq developers) are trying to work out if it is worth adding to Linux.

Followups to this showed some interest, so it may be in the process of being added, though I would expect it to be at an early stage if they have actually started development. You might check out the 2.1.x kernel documentation to see if there is any news of support.
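The distinction the answer draws, as an added example that is not code from this thread or from the Linux masquerading code: masquerading hides every internal host behind the gateway's single address and tells them apart only by a port allocated when the internal host opens the connection, so a connection opened from outside has no entry to match and is dropped; the 1:1 NAT the question asks for rewrites the source address on the way out and the destination address on the way in, so a connection can be opened from either side. The model below is a Python simulation of both modes over constructed packets; the internal addresses come from the HOWTO diagram, while the "official" addresses (203.0.113.x for the gateway side, 198.51.100.10 for the Target Host) are assumptions taken from the RFC 5737 documentation ranges.

```python
"""Simulation of many-to-one masquerading versus one-to-one static NAT.

Added example; the Packet/Masquerade/StaticNat classes are not part of any
real Linux code. Addresses are constructed (RFC 5737 documentation ranges
for the official side, 192.168.1.x from the HOWTO diagram inside).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def __str__(self) -> str:
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


class Masquerade:
    """Many-to-one: all internal hosts share the gateway's external address.
    A table entry (and an external port) exists only once an internal host
    has sent the first packet, so the reply can be routed back by port."""

    def __init__(self, external_ip: str, first_port: int = 61000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        # (internal src, sport, dst, dport) -> allocated external port
        self.conns: Dict[Tuple[str, int, str, int], int] = {}
        # allocated external port -> the same 4-tuple, used on the reply path
        self.by_port: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.conns:
            self.conns[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return Packet(self.external_ip, self.conns[key], p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        key = self.by_port.get(p.dport) if p.dst == self.external_ip else None
        if key is None or (key[2], key[3]) != (p.src, p.sport):
            return None  # nothing opened this from inside: packet is dropped
        return Packet(p.src, p.sport, key[0], key[1])


class StaticNat:
    """One-to-one: each internal address owns one official address. Source is
    rewritten on the way out, destination on the way in, in either order."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.to_external = dict(mapping)
        self.to_internal = {ext: internal for internal, ext in mapping.items()}
        if len(self.to_internal) != len(self.to_external):
            raise ValueError("mapping must be one-to-one")

    def outbound(self, p: Packet) -> Optional[Packet]:
        ext = self.to_external.get(p.src)
        if ext is None:
            return None  # an unmapped internal host is not allowed through
        return Packet(ext, p.sport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        internal = self.to_internal.get(p.dst)
        if internal is None:
            return None  # no official address maps to this destination
        return Packet(p.src, p.sport, internal, p.dport)


ABOX = "192.168.1.2"       # abox in the HOWTO diagram
TARGET = "198.51.100.10"   # constructed: the diagram's Target Host
MASQ_GATE = "203.0.113.1"  # constructed: external address of masq-gate
ABOX_OFFICIAL = "203.0.113.2"  # constructed: abox's dedicated official address


def show(p: Optional[Packet]) -> Optional[str]:
    return None if p is None else str(p)


def demo_masquerade() -> Dict[str, Optional[str]]:
    gw = Masquerade(MASQ_GATE)
    out = gw.outbound(Packet(ABOX, 40000, TARGET, 23))       # abox opens telnet
    reply = gw.inbound(Packet(TARGET, 23, out.src, out.sport))  # answer comes back
    unsolicited = gw.inbound(Packet(TARGET, 5000, MASQ_GATE, 23))  # opened outside
    return {"outbound": show(out), "reply": show(reply),
            "unsolicited": show(unsolicited)}


def demo_static_nat() -> Dict[str, Optional[str]]:
    nat = StaticNat({ABOX: ABOX_OFFICIAL, "192.168.1.3": "203.0.113.3"})
    out = nat.outbound(Packet(ABOX, 40000, TARGET, 23))          # opened inside
    inbound = nat.inbound(Packet(TARGET, 5000, ABOX_OFFICIAL, 23))  # opened outside
    answer = nat.outbound(Packet(ABOX, 23, TARGET, 5000))        # abox answers it
    return {"outbound": show(out), "inbound": show(inbound), "answer": show(answer)}


if __name__ == "__main__":
    for name, result in (("masquerade", demo_masquerade()),
                         ("static 1:1 NAT", demo_static_nat())):
        print(name)
        for step, pkt in result.items():
            print(f"  {step:12s} {pkt if pkt else 'DROPPED (no table entry)'}")
```

Running the block prints the masquerade case dropping the connection opened from the Target Host, while the 1:1 table translates it and the answer symmetrically. On current Linux kernels this 1:1 behaviour is exactly what netfilter's SNAT and DNAT targets provide (`iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 203.0.113.2` for the outbound direction and `iptables -t nat -A PREROUTING -d 203.0.113.2 -j DNAT --to-destination 192.168.1.2` for the inbound one), which did not yet exist when this thread was written.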
