Yes. You can set this up in several ways within Shorewall. The following examples are from Tom Eastep's sample configuration files at: http://shorewall.net/myfiles.htm

You can use the Masq file to configure default IP Masquerading for an entire internal subnet(s). This means that any PCs connected to this/these subnets that aren't covered by static NAT or Proxy ARP will default to using this external IP address. Masq files usually cover blocks of internal addresses dynamically assigned by DHCP on a local internal network. So on Tom's network, any PC connecting to his 192.168.1.0/24 subnet will appear to the internet as 206.124.146.176 UNLESS they're covered in one of the following two files. In Tom's configuration, the Masq file specifically covers his wife's PC (named tarry) and his laptop (esteplaptop) when it's connected to the internal network around his house.

    #INTERFACE    SUBNET            ADDRESS
    eth0          192.168.1.0/24    206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

The NAT file. This file allows a one-for-one mapping between an internal IP address (either statically assigned or dynamically assigned by DHCP to a specific MAC address) and a specific external IP address. Tom's network has two of these mappings assigned. These entries map Tom's GNU/Linux system (wookie), which has an internal IP address of 192.168.1.3, to the external IP address of 206.124.146.179, and his Windows XP system (ursa), which has an internal address of 192.168.1.5, to the external IP address of 206.124.146.178.

    #EXTERNAL          INTERFACE    INTERNAL       ALL    LOCAL
    206.124.146.178    eth0         192.168.1.5    No     No
    206.124.146.179    eth0         192.168.1.3    No     No
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Finally, there's the Proxy ARP file. This file allows you to use a single External IP address on a machine that sits behind your firewall. This would generally be used (as Tom does) for a machine in a DMZ which is serving email or web pages to the public. Proxy ARP is more efficient to route than using NAT.

Basically, to implement Proxy ARP you configure a separate network card on your LEAF box, assign an internal network to that NIC (doesn't matter what the internal network # is, just use something private that doesn't conflict with your other internal networks; Tom chose 192.168.2.0/24 and bound 192.168.2.1 to the NIC for his server, and 192.168.3.0/24 with 192.168.3.1 for his wired laptop), then you plug the machine you wish to Proxy ARP into that adapter and configure your IP parameters like you were sitting on the external network (in Tom's case his ISP assigned him an address range which covers 8 addresses, a /29 or 255.255.255.248 netmask, so his server is configured as 206.124.146.177/29 with a netmask of 255.255.255.248 and a broadcast address of 206.124.146.175 and a default gateway of 206.124.146.181 [I think], but even tho it's configured like it was directly connected to the DSL modem, it is PHYSICALLY connected to his eth1 card, which has the 192.168.2.1 address; the eth1 card and the server look like they're on different subnets, but you tell Shorewall to use eth0 to act as a proxy for ARP requests, creating a link for IP address 206.124.146.177 on eth1 and eth0 so requests for that IP address received on eth0 are automatically redirected to eth1). <whew>

The same works for eth3 and his laptop when he uses the wired connection. His laptop gets 206.124.146.180/27 with netmask 255.255.255.248 etc., and the Shorewall box is instructed to forward any requests for that IP address to the eth3 NIC.

    #ADDRESS           INTERFACE    EXTERNAL    HAVEROUTE
    206.124.146.177    eth1         eth0        No
    206.124.146.180    eth3         eth0        No
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I hope this helps you understand how to configure things a little bit better.

Michael

>>> "Robert Sealock" <[EMAIL PROTECTED]> 09/04/02 03:56PM >>>
Is it possible to have multiple external IPs on a single NIC in a BERING RC3 firewall?
I have been searching around and the best is an old reference:

    eth0_IP_EXTRA_ADDRESS="x.x.x.x/xx"

And I am slightly confused with the Shorewall configuration example where three NICs are used.

thanks.
rs
