[svlug] Before I go trying this -- 2.4 iptables, two IP ranges NATted onto the same interface/address?
J C Lawrence
claw at kanga.nu
Sun Nov 25 00:07:02 PST 2001
On Sat, 24 Nov 2001 22:08:53 -0800
Rafael Skodlar <raffi at linwin.com> wrote:
> On Sat, Nov 24, 2001 at 12:10:30AM -0800, J C Lawrence wrote:
>> Just a quick check to see if there's a known reason this wouldn't
>> I have a machine with three interfaces. Two are "inside"
>> (different LANs), one is "outside". I want to NAT both internal
>> interfaces, each of which has a private IP range, onto the single
>> external interface (which has a single IP). I'd much rather not
>> stick an IP alias on the external interface and chew up my
>> routable addresses.
> I haven't seen many answers to this interesting question so here
> is my take on it. This setup is not different from a generic
> firewall with LAN and protected DMZ.
It's slightly different in that there's NAT/MASQ occurring from two
interfaces to a single interface/address. That said, other off-list
checking and a couple responses on-list here have clearly stated
that this is not only possible, but will work quite nicely (and is
already being done by a few people).
> You will need to use external IPs for some services most
> likely. At least that's how I had to do it on Checkpoint firewall
> to separate mail server IP from other services, https and DNS for
> example. Not a problem on class C network.
I've a /29, so that's not much of an option. I'm also not looking
to do multiple fixed port mappings for the same service, so I don't
have to worry about that. What I will be doing is multiple mappings
of non-standard ports (e.g. SSH on port 4242, 4243, 4244, etc.) to
various boxes behind the NAT, but that's a rather different deal.
J C Lawrence
---------(*) Satan, oscillate my metallic sonatas.
claw at kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
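
The setup discussed in this thread, sketched as an added example that is not part of the original post or anyone's actual configuration: two private LANs masqueraded onto one external interface, plus non-standard external ports mapped to SSH on inside hosts. The interface names, subnets and inside host addresses are assumptions; only the ports 4242-4244 come from the message. The script prints the iptables commands rather than applying them, so it can be reviewed first.

```shell
#!/bin/sh
# Added example: emits (does not apply) iptables commands for two private
# LANs NATted onto one external interface. Names and addresses are constructed.
EXT_IF=eth0                                      # outside interface (assumed)
LANS="eth1:192.168.1.0/24 eth2:192.168.2.0/24"   # inside interface:subnet pairs
# external_port:inside_host:inside_port (hosts are constructed)
FORWARDS="4242:192.168.1.10:22 4243:192.168.1.11:22 4244:192.168.2.10:22"

# Print the inside interface whose /24 contains address $1, or fail.
lan_if_for() {
    for lan in $LANS; do
        net=${lan#*:}
        case "$1" in "${net%.*}".*) echo "${lan%%:*}"; return 0 ;; esac
    done
    return 1
}

gen_rules() {
    # Default-deny forwarding: the two LANs cannot reach each other, and
    # nothing enters from outside unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for lan in $LANS; do
        ifc=${lan%%:*}; net=${lan#*:}
        # Outbound only, and only with a source address from that LAN's range.
        echo "iptables -A FORWARD -i $ifc -o $EXT_IF -s $net -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $net -o $EXT_IF -j MASQUERADE"
    done
    for fwd in $FORWARDS; do
        port=${fwd%%:*}; rest=${fwd#*:}; host=${rest%%:*}; dport=${rest#*:}
        # Refuse to emit a forward to a host outside the declared LANs.
        ifc=$(lan_if_for "$host") || { echo "no LAN for $host" >&2; return 1; }
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $port -j DNAT --to-destination $host:$dport"
        # DNAT rewrites the destination before FORWARD is consulted, so the
        # filter rule matches the inside host and port, not the external port.
        echo "iptables -A FORWARD -i $EXT_IF -o $ifc -p tcp -d $host --dport $dport -m state --state NEW -j ACCEPT"
    done
}

gen_rules
```

Each port forward needs both the `PREROUTING` DNAT rule and the matching `FORWARD` accept; with the `DROP` policy in place, a DNAT rule on its own translates the packet but it is never delivered.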