


Posted on 1997-06-20
Medium Priority
Last Modified: 2009-07-29

At 17:17 29/05/97 +0100, you wrote:
>Jaime Morell Aced <jmorell@g-air-europa.es> writes:
>Manuel Cortés <mcortes@g-air-europa.es>
>> I want to know if your Linux distribution supports Native Address Translation
>> where one address in the internal network is translated to another address
>> outside the firewall and works also in the opposite direction (connections
>> initiated from outside). I need this feature because connections can
>> be initiated in both directions and we want to translate addresses on a 1:1
>> basis.
>> If this is possible, I would like to know how we can do it (we would like to see
>> an example in the Linux environment).
>You may be able to achieve this by dedicating an aliased address for
>each internal address to be translated and using masquerading in both
>directions; yeuch :-)

Many thanks for the information, but I think that it isn't exactly what we
need. From http://sunsite.unc.edu/mdw/HOWTO/mini/IP-Masquerade, we can see
an example of IP masquerade from which I want to explain to you what we need:
An IP Masquerading Example

  A typical example is given in the diagram below:-

      +----------+
      |          |  Ethernet
      | abox     |::::::
      |          |2    :192.168.1.x
      +----------+     :
                       :   +----------+   PPP(Frame Relay)       +----------+
      +----------+     :  1|  Linux   |   link                   | Target   |
      |          |     ::::| masq-gate|::::::::::::::::::::::::::|  Host    |
      | bbox     |::::::   |          |                          |          |
      |          |3    :   +----------+                          +----------+
      +----------+     :
                       :
      +----------+     :
      |          |     :
      | cbox     |::::::
      |          |4
      +----------+

      <-Internal Network->

In this example, 3 IP addresses are masqueraded by the Linux box, so that from
the outside they are hidden in one IP address (this is the same as the
FWXT_HIDE translation mode of the Solstice Firewall-1). This scenario works
fine when the connection begins from the internal network (the packets sent
back are correctly routed to the origin by the port number), but I think
that it doesn't work when the connection is originated from the external
network. What we are looking for is a way to translate one internal IP
address to one external for every box that we need to connect to the
external network (in our case the external network isn't the Internet, but
we need to use official addresses for that service), so that,
will be translated to, to, etc, and when
the connection begin from to, the linux box
translate the destination address to (translate the source
address when the connection is opened from the internal network, and the
destination address when the connection is opened from the external). We
can't put official addresses directly on the boxes because those boxes need
to use other internal services, and they can be in several subnets, so we
want these boxes to use the official addresses only when they have to
connect beyond the Linux box or when they have to connect to the Internet
via another gateway/firewall. Can the IP Masquerade feature do this?

Thanks in advance//  Manuel Cortes
Question by:aireuropa
1 Comment

Accepted Solution

sauron earned 400 total points
ID: 1584969
IP Masquerading is not capable of dynamically allocating real IP addresses from a pool on an 'as needed' basis, which is what you seem to be asking. Masquerading simply conceals many machines behind a single externally visible IP address. As you note, connections from outside back to the masqueraded machines are, by and large, not possible. There are certain network services that have specific Masquerading support, to allow reverse connections to be made, such as RealAudio, CU-SeeMe, VDOLive, etc., but these are modules for specific network services.

The Ipautofw package may be of help to you - this allows UDP datagrams to be forwarded over the masquerading gateway, and I have heard it is possible to get online games working this way. It is apparently also possible to masquerade the X protocol like this.

What you really want is an implementation of NAT for Linux. You can get NAT or PAT in a variety of Cisco routers, but as far as I know, there is currently no implementation for Linux.

The following message was posted to a Linux related newsgroup a few months ago:-

A possible addition to 2.1 is Network Address Translation (NAT, RFC1631). Linux already has masquerade code that lets a few machines access the world through a single IP address, NAT takes this one stage further.  It is really only useful for larger sites, is there anybody on this list who would be interested in NAT?  We (masq developers) are trying to work out if it is worth adding to Linux.

Followups to this showed some interest, so it may be in the process of being added, though I would expect it to be at an early stage if they have actually started development. You might check out the 2.1.x kernel documentation to see if there is any news of support.
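
Added example, not part of the original thread or the HOWTO: a small Python model of the two behaviours discussed above, showing why a masquerading gateway cannot place a connection opened from outside while a fixed 1:1 mapping can. The class names, the 203.0.113.x and 198.51.100.x addresses and the port numbers are constructed for illustration.

```python
# Toy model, not kernel code: contrasts many-to-one masquerading with 1:1 NAT.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

class MasqGate:
    """Many-to-one: all inside hosts share `public`, told apart by port."""
    def __init__(self, public, first_port=61000):
        self.public, self.next_port = public, first_port
        self.out, self.back = {}, {}   # (ip, port) -> gw port, and the reverse

    def outbound(self, p):
        key = (p.src, p.sport)
        if key not in self.out:        # state is created only by inside hosts
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return p._replace(src=self.public, sport=self.out[key])

    def inbound(self, p):
        if p.dst != self.public or p.dport not in self.back:
            return None                # no matching entry: cannot pick a host
        ip, port = self.back[p.dport]
        return p._replace(dst=ip, dport=port)

class StaticNat:
    """One-to-one: fixed inside<->official pairs, no per-connection state."""
    def __init__(self, pairs):
        self.to_official = dict(pairs)
        self.to_inside = {o: i for i, o in pairs.items()}

    def outbound(self, p):             # rewrite the source address only
        if p.src not in self.to_official:
            return None                # unmapped host: do not leak its address
        return p._replace(src=self.to_official[p.src])

    def inbound(self, p):              # rewrite the destination address only
        if p.dst not in self.to_inside:
            return None
        return p._replace(dst=self.to_inside[p.dst])

if __name__ == "__main__":
    # Constructed addresses: 203.0.113.x stands in for the official range.
    new_conn = Packet("198.51.100.9", 4000, "203.0.113.1", 23)
    print("masq, new inbound:", MasqGate("203.0.113.1").inbound(new_conn))
    nat = StaticNat({"192.168.1.2": "203.0.113.2", "192.168.1.3": "203.0.113.3"})
    print("1:1, new inbound:", nat.inbound(new_conn._replace(dst="203.0.113.3")))
    print("1:1, outbound:", nat.outbound(Packet("192.168.1.2", 1025, "198.51.100.9", 23)))
```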
