NAT ON LINUX

Posted on 1997-06-20
Last Modified: 2009-07-29

At 17:17 29/05/97 +0100, you wrote:
>Jaime Morell Aced <jmorell@g-air-europa.es> writes:
>Manuel Cortés <mcortes@g-air-europa.es>
>> I want to know if your Linux distribution support Native Address Translation
>> where one address in the internal network is translated to another address
>> outside the firewall and works also in the opposite direction (connections
>> initialized from outside). I need this feature because connections can
>> initialize in both directions and we want to translate directions in a 1:1
>> basis.
>> If this is possible, I would like to know how can we do it (we like to see
>> an example in the Linux environment).
>
>You may be able to achieve this by dedicating an aliased address for
>each internal address to be translated and using masquerading in both
>directions; yeuch :-)
>

Many thanks for the information, but I think that it isn't exactly what we
need. From http://sunsite.unc.edu/mdw/HOWTO/mini/IP-Masquerade, we can see
an example of IP masquerade from which I want to explain to you what we need:
An IP Masquerading Example

  A typical example is given in the diagram below:-

      +----------+
      |          |  Ethernet
      | abox     |::::::
      |          |2    :192.168.1.x
      +----------+     :
                       :   +----------+   PPP(Frame Relay)       +----------+
      +----------+     :  1|  Linux   |   link                   | Target   |
      |          |     ::::| masq-gate|::::::::::::::::::::::::::|  Host    | 194.28.64.18
      | bbox     |::::::   |          |                          |          |
      |          |3    :   +----------+                          +----------+
      +----------+     :
                       :
      +----------+     :
      |          |     :
      | cbox     |::::::
      |          |4
      +----------+

      <-Internal Network->

In this example, 3 IP addresses are masqueraded by the Linux box, so that from
the outside they are hidden behind one IP address (this is the same as the
FWXT_HIDE translation mode of Solstice Firewall-1). This scenario works
fine when the connection begins from the internal network (the packets sent
back are correctly routed to the origin by the port number), but I think
that it doesn't work when the connection is originated from the external
network. What we are looking for is a way to translate one internal IP
address to one external one for every box that we need to connect to the
external network (in our case the external network isn't the Internet, but
we need to use official addresses for that service), so that 192.168.1.1
will be translated to 194.145.7.1, 192.168.1.2 to 194.145.7.1, etc., and when
the connection begins from 194.28.64.18 to 194.145.7.1, the Linux box
translates the destination address to 192.168.1.1 (it translates the source
address when the connection is opened from the internal network, and the
destination address when the connection is opened from the external one). We
can't put official addresses directly on the boxes because those boxes need
to use other internal services, and they can be in several subnets, so we
want these boxes to use the official addresses only when they have to
connect beyond the Linux box or when they have to connect to the Internet
via another gateway/firewall. Can the IP Masquerade feature do this?

Thanks in advance//  Manuel Cortes
Question by:aireuropa
Accepted Solution

by: sauron (earned 200 total points)

IP Masquerading is not capable of dynamically allocating real IP addresses from a pool on an 'as needed' basis, which is what you seem to be asking. Masquerading simply conceals many machines behind a single externally visible IP address. As you note, connections from outside back to the masqueraded machines are, by and large, not possible. There are certain network services that have specific Masquerading support, to allow reverse connections to be made, such as RealAudio, CU-SeeMe, VDOLive, etc, etc, but these are modules for specific network services.

The Ipautofw package may be of help to you - this allows UDP datagrams to be forwarded over the masquerading gateway, and I have heard it is possible to get online games working this way. It is apparently also possible to masquerade the X protocol like this.

What you really want is an implementation of NAT for Linux. You can get NAT or PAT in a variety of Cisco routers, but as far as I know, there is currently no implementation for Linux.

The following message was posted to a Linux related newsgroup a few months ago:-

-------------
A possible addition to 2.1 is Network Address Translation (NAT, RFC1631). Linux already has masquerade code that lets a few machines access the world through a single IP address; NAT takes this one stage further.  It is really only useful for larger sites. Is there anybody on this list who would be interested in NAT?  We (masq developers) are trying to work out if it is worth adding to Linux.
-----------------

Followups to this showed some interest, so it may be in the process of being added, though I would expect it to be at an early stage if they have actually started development. You might check out the 2.1.x kernel documentation to see if there is any news of support.
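As an added illustration (not part of the thread, the HOWTO or any kernel code), the model below contrasts the two behaviours described in the question and the answer: masquerading keeps a port-keyed state table, so only replies to connections initiated from inside find their way back, while a 1:1 static mapping rewrites the source address outbound and the destination address inbound and therefore also accepts connections started from outside. The addresses follow the question; the mapping assumes the intended 1:1 scheme 192.168.1.n <-> 194.145.7.n, and the masqueraded port range is constructed.

```python
"""Constructed model of many-to-one IP masquerading versus 1:1 static NAT."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Masquerade:
    """Hide every internal host behind one external address (FWXT_HIDE style)."""
    def __init__(self, external):
        self.external = external
        self.table = {}          # (src, sport, dst, dport) -> masqueraded port
        self.next_port = 61000   # constructed port range for rewritten sources
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(p, src=self.external, sport=self.table[key])
    def inbound(self, p):
        # Replies are routed back by the port number; a connection that was
        # not initiated from inside has no table entry and cannot be delivered.
        for (src, sport, dst, dport), mport in self.table.items():
            if (p.src, p.sport, p.dport) == (dst, dport, mport):
                return replace(p, dst=src, dport=sport)
        return None

class StaticNat:
    """1:1 mapping: rewrite the source outbound and the destination inbound."""
    def __init__(self, mapping):
        self.out = dict(mapping)                       # internal -> official
        self.inp = {v: k for k, v in mapping.items()}  # official -> internal
    def outbound(self, p):
        return replace(p, src=self.out[p.src]) if p.src in self.out else None
    def inbound(self, p):
        return replace(p, dst=self.inp[p.dst]) if p.dst in self.inp else None

# Constructed mapping in the spirit of the question (192.168.1.n <-> 194.145.7.n).
MAPPING = {"192.168.1.1": "194.145.7.1", "192.168.1.2": "194.145.7.2"}

def inbound_reaches(gateway, src, dst):
    """True if a connection started from outside is delivered to an internal host."""
    return gateway.inbound(Packet(src, 40000, dst, 23)) is not None
```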
