Newbie ? regarding IPTABLES


Tahoe_Strider
10-05-2002, 01:18 PM
Greetings everyone,

I have just recently entered the world of Linux (1 week ago) and I'm still familiarizing myself with the environment. Unfortunately, time is not on my side as I have to configure a Linux router for a customer. I'm hoping you folks can help me with my dilemma. Here's the scenario:

I've got a Mandrake machine w/ 2 NICs (eth0 external, eth1 internal). I need to run dynamic NAT for most hosts on the private network (masquerading?). However, some hosts require a public address (they have a class C subnet available). It was quite easy to do in the router that it's replacing: simply assign a public IP to the private IP address of the host. This would take precedence over dynamic NAT. Anyway, since I'm new to Linux, I believe through my reading(s) that I can do this w/ iptables, correct? And if so, how? Would I have to alias public IPs on eth0 (IP ADDR ADD xxx.xxx.xxx.xxx eth0) and then map the private IP to that (SNAT?). Not sure of the syntax though. Any help would be greatly appreciated. TIA folks! Looking forward to learning Linux here. Take care.

Lorithar
10-05-2002, 06:48 PM
iptables rules are sequential. You load the rules in a specific order.

You can set certain source IPs in your LAN to -j SNAT (to the assigned outside IP), and at the end of your -t nat PREROUTING table you could put in a generic SNAT to the default IP.

Ensure that your FORWARD table has rules to forward packets to the boxes inside that have been SNATted to specific IPs.

Check the iptables tutorials to make sure I'm not utterly asleep here... http://www.netfilter.org/documentation/tutorials/blueflux/t

Tahoe_Strider
10-05-2002, 08:02 PM
Lorithar,

Thanks for the reply. I think I get what you mean. I guess I don't need IP aliasing then, right? I'll check it out. All this iptables stuff seems somewhat... different to me. I'm quite familiar with routing (Nortel and Cisco), but this is what I have to work with. Just a learning curve, I guess. I am looking forward to it though. Thanks again. :)

Tahoe_Strider
10-07-2002, 11:11 PM
Got it working. Seems to work quite well too! Although it appears as if one must use IP aliasing on the "public" interface for it to work properly. Once I aliased a few public IPs on the machine, everything started working flawlessly. :)
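Pulling together Lorithar's point about rule ordering and the aliasing the original poster found necessary, here is an added example (not code from the thread or from any of the posters) that prints the iptables and ip commands for such a router so they can be reviewed before being applied. The interface names follow the thread; the LAN range, public addresses and the two hosts that get 1:1 mappings are constructed placeholders from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables/ip commands for a
# router with eth0 external and eth1 internal, giving a few LAN hosts their
# own public address (1:1 SNAT/DNAT) and masquerading everyone else.
# All addresses are constructed placeholders from documentation ranges.
EXT_IF=eth0
INT_IF=eth1
LAN_NET=192.168.1.0/24

# Hosts that need a dedicated public address: "private public" pairs.
STATIC_MAP="192.168.1.10 203.0.113.10
192.168.1.11 203.0.113.11"

# Print the commands rather than run them, so the rule set can be reviewed
# before it is applied (gen_rules | sh, as root on the router).
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F"
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Per-host mappings first: chains match top to bottom, so these must
    # precede the generic rule. SNAT belongs in POSTROUTING (after the
    # routing decision), DNAT in PREROUTING. The public address is also
    # aliased on EXT_IF so the router answers ARP for it, which is what
    # the poster found was needed.
    echo "$STATIC_MAP" | while read -r priv pub; do
        [ -n "$priv" ] || continue
        echo "ip addr add $pub/32 dev $EXT_IF"
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub"
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv"
    done
    # Everyone else on the LAN leaves behind the primary address of EXT_IF.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE"
    # FORWARD: LAN may go out; only replies come back in. New inbound
    # connections to the 1:1 hosts stay dropped until a per-service ACCEPT
    # (e.g. -p tcp --dport 443 -d 192.168.1.10) is added explicitly.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Line number of the first generated rule matching a pattern; useful for
# checking that the specific SNAT rules really come before the MASQUERADE.
rule_index() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```

Run `gen_rules` and read the output before piping it into sh; the FORWARD policy is DROP, so anything not listed will not pass the router.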