
Re: Linux Kernel 2.4.10, arp -s doesn't work?

To: <nfudd@xxxxxxxxxxxx>
Subject: Re: Linux Kernel 2.4.10, arp -s doesn't work?
From: "Matthew G. Marsh" <mgm@xxxxxxxxxxxxx>
Date: Fri, 19 Oct 2001 22:57:58 -0500 (CDT)
Cc: <netdev@xxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.33.0110191527360.3275-100000@www.vsol.net>
Sender: owner-netdev@xxxxxxxxxxx
On Fri, 19 Oct 2001 nfudd@xxxxxxxxxxxx wrote:

> On Fri, 19 Oct 2001, Matthew G. Marsh wrote:
>
> > Do not use coloned interfaces. Deprecated. Should be removed already.
> > Instead use:
> >
> >    ip addr add ${IP3}/32 dev eth0
> >
> > Then arp will work correctly and so will the following NAT.
>
> Thank you!  I still worry about having an interface with $IP3's number
> on the firewall.

Yes - that is one of the reasons to be careful in what is allowed to that
address using NetFilter.

> > >   iptables -A PREROUTING -t nat -d $IP3 -j DNAT --to 10.10.10.191
> > >   iptables -A POSTROUTING -t nat -s 10.10.10.191 -j SNAT --to-source $IP3
> > >
> > > This is the only way I can see of getting arp replies to be sent, and
> > > it looks evil.
> >
> > Must be so. You are _not_ doing proxy arp. Proxy arp would be if you
> > actually had one of the customers machines assigned the 2.2.2.3 address
> > for real.
>
> 'arp -s' doesn't seem to do anything useful anymore, does it?
>
> > > In short, is this a bug?  Or am I doing something wrong?
> >
> > Not a bug. ;-} Definitions are exact. Proxy arp is for a machine that
> > exists and has address assigned. 1-2-1 NAT is for case you are doing.
>
> Where can I find more information on one-to-one NAT?

Actually 1-2-1 NAT is merely shorthand to distinguish which NAT I was
talking about. NAT essentially comes in two flavours:

1-2-1 is where one ip address is uniquely mapped onto another ip address

Many-2-1 is where multiple ip addresses are mapped onto one ip address
        (covers both 1-2-Many and Many-2-1 mappings)

1-2-1 is traditionally thought of as a "routed NAT" where a router
performs the unique change of addresses.

Many-2-1 is what is thought of as "IP Masquerade"

Both functions are available with the same NetFilter commands.
Additionally 1-2-1 NAT is done by the FastNAT structures that are part of
the RPDB within Linux kernels. However NetFilter conntrack is not
compatible with FastNAT and thus if you use NetFilter conntrack then you
cannot use FastNAT. For your case you would be better off using NetFilter
NAT with conntrack in order to also apply control to the clients passthru.

You can use FastNAT with NetFilter filters (as weirdos such as myself are
wont to do... ;-} ), but for standard NetFilter usage such as you need, it
is far easier (and you can ask people on this list for help) to use the
NetFilter 1-2-1 setup. I do think that someone also posted a patch that
allows you to do 1-2-1 NAT over a range correctly.

> --
> Charles Howes -- chowes@xxxxxxxx
> "The personal computer allows you to make more mistakes faster than
> any other invention in human history, with the possible exceptions of
> handguns and tequila."
> (It's the mistakes made with handguns, computers *and* tequila that
> are really spectacular!)

ROFL! (having seen and/or participated in such mistakes...)

--------------------------------------------------
Matthew G. Marsh,  President
Paktronix Systems LLC
1506 North 59th Street
Omaha  NE  68104
Phone: (402) 932-7250 x101
Email: mgm@xxxxxxxxxxxxx
WWW:  http://www.paktronix.com
--------------------------------------------------
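The 1-2-1 NAT setup this thread arrives at (the public address added as a /32 on the outside interface rather than an eth0:N alias, then DNAT/SNAT, with NetFilter restricting what may reach the mapped host), written up as an added sh example that is not from the thread or its authors; the function names, the address validation and the allowed ports are assumptions.

```shell
#!/bin/sh
# Hypothetical 1-to-1 NAT helper following the thread's advice. The firewall
# owns the public address as a /32 (so it answers ARP for it), NetFilter
# rewrites it to the inside host, and FORWARD rules limit what gets through.
set -eu

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255, so a typo does
# not become a rule that matches more than intended.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldIFS=$IFS; IFS=.
    set -- $1
    IFS=$oldIFS
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# one_to_one_nat PUBLIC_IP PRIVATE_IP OUT_IF [TCP_PORT ...]
# Only the listed TCP ports may open new connections to the inside host.
one_to_one_nat() {
    pub=$1; priv=$2; ifc=$3; shift 3
    valid_ipv4 "$pub" && valid_ipv4 "$priv" || { echo "bad address" >&2; return 1; }
    # Own the address on the firewall instead of a deprecated coloned alias
    run ip addr add "$pub/32" dev "$ifc"
    # Inbound: rewrite destination to the inside host
    run iptables -t nat -A PREROUTING -d "$pub" -j DNAT --to-destination "$priv"
    # Outbound: rewrite source so the inside host appears as the public address
    run iptables -t nat -A POSTROUTING -s "$priv" -j SNAT --to-source "$pub"
    # The "be careful what is allowed to that address" part: replies to
    # existing connections, the listed ports, and nothing else
    run iptables -A FORWARD -d "$priv" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in "$@"; do
        run iptables -A FORWARD -d "$priv" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -d "$priv" -j DROP
}
```

Run with DRY_RUN=1 first to review the generated rule set before applying it as root.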