Julian Eduardo de Anquin <[EMAIL PROTECTED]> wrote:
>
> On eth1 I have assigned the Public IP. I need some computers on my
> Private Lan to have Public IP too.
One solution is to put them on the same LAN together with the firewall,
but of course then they have no firewall protection. You probably do
not want that.
> I thought I could use port forwarding. Can I assign to ETH1 (my
> public interface) more than one IP?
Yes, you can. What you want to set up is called many-to-one NAT.
Iptables is definitely capable of doing it.
To set up extra IPs, configure an interface eth1:0, eth1:1, eth1:2.
These are "virtual" interfaces, that all use the "physical" eth1
interface for communications.
I believe that at the iptables level, it does not see these virtual
interfaces. That is, all packets will still appear to come through
physical interface eth1. So, write your rules accordingly.
However, in your nat rules, you can specify that the NAT should be
performed based on the incoming destination IP:
# DNAT is only valid in the PREROUTING (and OUTPUT) chain of the nat table,
# so the destination is rewritten before the routing decision:
iptables -t nat -A PREROUTING -d x.y.z.1 -j DNAT --to-destination a.b.c.4
iptables -t nat -A PREROUTING -d x.y.z.2 -j DNAT --to-destination a.b.c.5
iptables -t nat -A PREROUTING -d x.y.z.3 -j DNAT --to-destination a.b.c.6
Incoming connections directed to public virtual IP x.y.z.1 on the
firewall's eth1 will be re-destined to internal IP a.b.c.4.
This means that your machines behind the firewall are not really
configured with public IPs. Instead you configure them with a private
IP, and direct the firewall to NAT the public IP to the corresponding
private IP.
Note that sending ALL traffic to the internal machine means it has no
firewall protection, so you must combine this with a FORWARD chain that
contains rules to allow incoming traffic on specific ports (services),
and disallows the rest.
Your previous rules like so:
iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
This will not allow any incoming services, so it is a fairly strong
firewall. To allow other services you'll want to add those
specifically, such as:
# --dport needs a protocol match (-p tcp or -p udp) to be accepted:
iptables -A FORWARD -i $EXT_IF -p tcp -d a.b.c.4 --dport 25 -j ACCEPT
Note that you use the NAT'd IP here, since the nat is accomplished
before the forwarding.
Have fun. :)
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Good judgment comes from experience.
sometimes known as David DeSimone || Experience comes from bad judgment."
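The rule set described in the reply above, written out as one script (an added example, not code from the original post or from the Masq list). It generates, rather than applies, the iptables commands, so the result can be reviewed before loading it on a firewall. The interface names, the mapping table and the addresses (documentation ranges 203.0.113.0/24 and 192.168.1.0/24) are assumptions made for the example. It goes slightly beyond the post in two places: the DNAT rules are placed in the nat PREROUTING chain, where that target is valid, and a matching SNAT rule is added so replies and outbound connections from each private host leave with their own public address.

```shell
#!/bin/sh
# Added example: generate 1:1 NAT and FORWARD rules for several public IPs
# on the external interface, each mapped to one private host that is only
# reachable on the listed TCP ports. Nothing is applied; the functions
# print the iptables commands for review.
EXT_IF=eth1   # assumption: public interface
INT_IF=eth0   # assumption: private LAN interface

# Constructed mapping table: public_ip private_ip allowed_tcp_ports
MAPPINGS='
203.0.113.1 192.168.1.4 25,80
203.0.113.2 192.168.1.5 443
203.0.113.3 192.168.1.6 22
'

gen_nat_rules() {
  printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
    [ -n "$pub" ] || continue
    # Inbound: rewrite the destination before routing. DNAT must sit in
    # PREROUTING; iptables rejects it in POSTROUTING.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: the private host leaves with its own public source address.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
  done
}

gen_forward_rules() {
  # Default deny for forwarded traffic; only the rules below open services.
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
  echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
    [ -n "$pub" ] || continue
    # Services are matched on the private (post-DNAT) address, because
    # the FORWARD chain sees the packet after the nat table rewrote it.
    # --dport is only accepted together with a protocol match (-p tcp).
    for port in $(echo "$ports" | tr ',' ' '); do
      echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $priv --dport $port -m state --state NEW -j ACCEPT"
    done
  done
}

# Full rule set: NAT first, then the filtering policy.
gen_all() {
  gen_nat_rules
  gen_forward_rules
}

# Run stand-alone to print the generated rules for review.
gen_all
```

The generated FORWARD rules match on the private address, as the reply notes, because DNAT in PREROUTING has already rewritten the destination by the time the packet reaches the filter table; a rule written against the public address there would never match.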