A Challenge: True NAT on a Linux Box (How?)

Post by Jan » Fri, 10 Nov 2000 04:00:00


I have been recently banging my head against the wall with this problem.  I
have an internal network (192.168.1.X) and four external IP addresses
(X.Y.Z.A-X.Y.Z.D).  Inside my internal network, I would like three of
the machines to have full external access, but still be behind the
firewall AND maintain 192.168.1.X IP numbers (not a simple Proxy ARP
case).  IP port forwarding is not an option either. What I do want to do
is have my firewall (Linux RH 6.2) perform true 1:1 NAT for the 3 server
IP addresses which are behind the firewall (the 4th is assigned to the
firewall).  So far, from rtfm'ing I've gotten this far (I'm using the
2.2.17 stock kernel, and the cmds: arp, route, ip).

All of these commands are at the Firewall:

1st I need to set up a Proxy ARP entry to respond to another external IP
/sbin/arp -i eth0 -Ds X.Y.Z.A eth0 pub
(where eth0 is my external net device, and X.Y.Z.A is an external IP
address assigned to me from my ISP)
NOTE: I also attempted IP aliasing to respond to the extra IP number, but
the nat entries complained about a "used" IP # when I tried that.

Then I add the route for this Proxy ARP entry:
/sbin/route add -host X.Y.Z.A eth1
(where eth1 is my internal net device)

Then I set up the NAT rules pertaining to this connection:
./ip route add nat X.Y.Z.A via
./ip rule add prio 320 from nat X.Y.Z.A
NOTE: The ip command is part of the iproute2 package by Alex Kuznetyo
(where is my internal server's ip number)

From Alex Kuznetyo (sp?) Docs, this looks to be correct, (the prio 320
is supposed to make the kernel change the address before it forwards)
In addition to this, I have a heavily fortified set of ipchains, and
port forwarding rules, though turning these on/off makes no difference.
Also, I use the stock RH 6.2 scripts to configure networking for me on
boot up- though I don't know what difference this could make.

If anyone has any idea what I am doing wrong, I'd really appreciate it-
Or if anyone has alternate methods of performing TRUE NAT, that would be
great.  So far I've looked into "IP Filter" - a */BSD product which only
compiles for linux 2.0.* kernels, ipnatadm - no success, though maybe I
didn't understand it..., and have attempted to download the Wensong
package, but all the websites I've found point me to a
proxy.iinchina.net url which is not valid.

As you can tell, I've really tried to do this myself, and have had
little/no success yet.  This is a large enough topic IMHO that it should
deserve a mini-HOWTO at the least- a response may lead to that from


Jan Grzymala-Busse

Sent via Deja.com http://www.deja.com/
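The command sequence from the post, collected into one parameterised script as an added example (not the poster's own script). It assumes a 2.2/2.4 kernel with iproute2 and net-tools; interface names, the addresses and the DRY_RUN switch are assumptions, and by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the poster's script): the iproute2 stateless 1:1 NAT
# sequence from the post, parameterised for one internal host.
# Assumed: Linux 2.2/2.4 kernel with iproute2, net-tools arp/route.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them as root.
DRY_RUN=${DRY_RUN:-1}

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# nat_1to1 EXT_IF INT_IF EXT_IP INT_IP
nat_1to1() {
    ext_if=$1 int_if=$2 ext_ip=$3 int_ip=$4
    is_ipv4 "$ext_ip" && is_ipv4 "$int_ip" || { echo "bad address" >&2; return 1; }
    [ "$ext_ip" != "$int_ip" ] || { echo "addresses must differ" >&2; return 1; }
    # 1. Proxy ARP: answer for the public address on the external segment.
    #    Do not alias it onto the interface instead: an aliased address is
    #    local ("used"), and the nat route below then rejects it.
    run arp -i "$ext_if" -Ds "$ext_ip" "$ext_if" pub
    # 2. Send traffic for the public address towards the internal segment.
    run route add -host "$ext_ip" "$int_if"
    # 3. Inbound: rewrite destination EXT_IP -> INT_IP (stateless nat route).
    run ip route add nat "$ext_ip" via "$int_ip"
    # 4. Outbound: rewrite source INT_IP -> EXT_IP before forwarding.
    #    prio 320 puts the rule ahead of the main table lookup (prio 32766).
    run ip rule add prio 320 from "$int_ip" nat "$ext_ip"
    # 5. Nothing crosses the box unless forwarding is enabled.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Usage: sh nat1to1.sh eth0 eth1 X.Y.Z.A 192.168.1.10
if [ "$#" -eq 4 ]; then nat_1to1 "$@"; fi
```

Later kernels dropped this stateless nat route/rule mechanism in favour of netfilter, so on a current box the same 1:1 mapping is built from DNAT and SNAT rules instead.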