

 >    Um, I'm sure this is going to spark some controversy, and I've gone over
 >this with David before and essentially the conclusion was - well, there
 >was none.

Heheh..

Well, the crux of the issue is that if your MASQ Linux box is also running
services such as DNS, Sendmail, DHCP, Samba, NFS, etc., you will
see weird problems.  The issue is that all of the high return ports that should
be available for eth0 to respond to for low port requests will now be
redirected to 192.168.1.4 (in this example).  Also, the redirection of ports
1024-65535 is known to wreak havoc on the Linux IP stack.  For some reason,
some people get away with it (Ashley!) while other users notice that MASQ stops
working altogether and even the entire IP stack can crash (requiring a full
reboot).  Why it works for some people and NOT others is beyond me.  Either way,
it's an evil thing to do and is never recommended by me or the kernel gurus.


Now, there isn't much of a reason why the eth0:1-x example for EXTERNAL
interfaces won't work though.  The crux of this issue is that in the
HOWTO, IPMASQing on an -internal- ALIASED interface doesn't work.  It
sure would be nice but it doesn't work in 2.0.x or 2.2.x kernels.  Maybe
2.4.x will be another issue but I haven't tried it yet.


 >    eth0    111.222.333.444   -> 192.168.1.4
 >    eth0:0  111.222.333.555   -> 192.168.1.5
 >    eth0:1  111.222.333.666   -> 192.168.1.6
 >    eth0:2  111.222.333.777   -> 192.168.1.7

This whole situation will be changed forever once the 2.4.x kernels
become stable as IPTABLES supports both 1:Many (MASQ) and Many:Many
NAT configurations without any extra tools.  Not only that but
IPTABLES is totally stateful and greatly increases a Linux server's
ability to be a strong firewall.

Mind you, this only applies for a fully routed environment.  If you
are behind a BRIDGE (DSL modems and Cablemodems), you need to do
other tricks like running the Linux bridging code and do some
funky stuff.  Please see an email from me earlier today for the
URLs on the LDP on how to do this.

--David
.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
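The post's warning is that blanket-forwarding ports 1024-65535 to one internal host steals the high return ports that local services (DNS, Sendmail, NFS, etc.) on the MASQ box need for their own replies. The following checker is an added example, not part of David's post or of the IP Masquerade HOWTO: it reads port-forward rules written in the iptables DNAT syntax of the 2.4.x kernels the post looks forward to, and flags any rule whose destination-port range overlaps the kernel's ephemeral port range or a service port on the box itself. The ephemeral range value (32768-60999, the modern Linux default for net.ipv4.ip_local_port_range; 2.2-era kernels used 1024-4999), the service port table, the "wide range" threshold and the sample rules are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Assumed ephemeral (high return) port range of the masq box itself. Modern
# Linux default; older 2.2-era kernels used 1024-4999. Adjust to the box.
EPHEMERAL_RANGE = (32768, 60999)

# Assumed well-known ports of services the post lists as running on the box.
LOCAL_SERVICES = {
    53: "DNS", 25: "Sendmail", 67: "DHCP", 137: "Samba", 138: "Samba",
    139: "Samba", 111: "NFS portmapper", 2049: "NFS",
}

# Assumed policy knob: a forward covering more ports than this is suspicious.
WIDE_RANGE_PORTS = 100

# Matches the relevant parts of an iptables DNAT rule, e.g.
#   -p tcp --dport 1024:65535 -j DNAT --to-destination 192.168.1.4
DNAT_RE = re.compile(
    r"-p\s+(?P<proto>tcp|udp)\s+--dport\s+(?P<lo>\d+)(?::(?P<hi>\d+))?"
    r".*-j\s+DNAT\s+--to-destination\s+(?P<dst>[\d.]+(?::\d+)?)"
)

# Constructed sample rule set: one blanket forward (the idea the post warns
# against), one narrow forward, and one small range that collides with DNS.
SAMPLE_RULES = """\
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1024:65535 -j DNAT --to-destination 192.168.1.4
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 50:60 -j DNAT --to-destination 192.168.1.6
"""


@dataclass(frozen=True)
class ForwardRule:
    proto: str
    lo: int
    hi: int
    dst: str

    def label(self):
        return f"{self.proto} {self.lo}-{self.hi} -> {self.dst}"


def parse_rules(text):
    """Extract DNAT port-forward rules from iptables command lines."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            rules.append(ForwardRule(m["proto"], lo, hi, m["dst"]))
    return rules


def overlaps(a_lo, a_hi, b_lo, b_hi):
    """True when the closed ranges [a_lo, a_hi] and [b_lo, b_hi] intersect."""
    return a_lo <= b_hi and b_lo <= a_hi


def audit(rules, ephemeral=EPHEMERAL_RANGE, services=LOCAL_SERVICES):
    """Return one finding dict per problem: rules that would capture the box's
    own ephemeral return ports, shadow a local service, or forward a wide range."""
    findings = []
    for r in rules:
        if overlaps(r.lo, r.hi, *ephemeral):
            findings.append({"kind": "ephemeral-overlap", "rule": r.label(),
                             "detail": f"captures return ports {ephemeral[0]}-{ephemeral[1]}"})
        hit = sorted({name for port, name in services.items() if r.lo <= port <= r.hi})
        if hit:
            findings.append({"kind": "service-overlap", "rule": r.label(),
                             "detail": "shadows local " + ", ".join(hit)})
        if r.hi - r.lo + 1 > WIDE_RANGE_PORTS:
            findings.append({"kind": "wide-range", "rule": r.label(),
                             "detail": f"{r.hi - r.lo + 1} ports forwarded"})
    return findings


def audit_text(text):
    return audit(parse_rules(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_RULES):
        print(f"[{f['kind']}] {f['rule']}: {f['detail']}")
```

Run against the sample, the blanket rule is reported three times (ephemeral overlap, shadowing NFS on 2049, wide range), the narrow 8080 forward is clean, and the 50-60 range is flagged only for shadowing DNS; the point of the narrow per-service forwards is that they leave the box's own return ports alone.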

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]