Quoting John Reese <jwreese0 at comcast.net>:

> I work for a company that has nearly exhausted its Class C range of IP
> addresses. We decided to get by the problem by using a single Linux
> router running iptables to route the exhausted 192.168.1.0 network
> (eth0) to three LANs with numbers 192.168.101.0, 192.168.102.0, and
> 192.168.103.0 (eth1, eth2, and eth3). Our goal is to have clients inside
> those networks see a single server in the old 192.168.1.0 network.
>
> Since the new LANs are inside the production network (192.168.1.0), they
> face a trusted network and don't need to filter or firewall transactions
> across the router. The clients only need to see the server, and the
> server needs to see inside the new LANs in order to print to their
> printers.
>
> At first I thought the simplest solution would be the best, so I decided
> to use a NAT table. I set up a script to do all the requisites, such as
> flush all the chains, start the ip_forward process in the /proc file
> system, modprobe for relevant modules, etc. Then I added one line to set
> up the NAT table:
>
> /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.1.xxx
>
> Where xxx is the 192.168.1.0 number of the eth0 NIC.
>
> Of course, all the clients in the new LANs can see the server, but now
> the server can't see printers or anything else inside the new LANs.
>
> If NAT is the answer at all, it would seem that I should use DNAT and
> the PREROUTING chain to send packets from the server down to the new
> LANs, but the matter is more complicated because I am routing to three
> interfaces (eth1, eth2, and eth3) rather than firewalling a single
> interface. So here is my question for you, dear reader:
>
> 1. How do I write a DNAT PREROUTING statement to accommodate all three
> interfaces, and/or:
>
> 2. Is NAT the solution? Or should I be using a filter table instead of a
> NAT table to accomplish this goal?
>
> Any help much appreciated.
>
> John Reese

If I understand correctly you have a LAN that you have numbered using numbers in the 192.168.1.0/255.255.255.0 range. Your needs are expanding beyond 255 addresses so you are going to segment your network and have some folks live on 192.168.2.0/255.255.255.0 and some live on 192.168.3.0/255.255.255.0. Am I correct so far?

If I understand correctly, then there is no need for NAT between your 192.168 networks. There should not even be a need to enter routes into your Linux box because all of the nets will be connected to that box, so it should figure them out. You will just want to make sure that you've got IP forwarding turned on, which it sounds like you do. Just make sure iptables is allowing the forwarding as well.

If your firewall/router has an interface which speaks to the internet, then you will need to nat the 192.168 stuff going to the 'net.

Thanks,
Josh

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
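The setup Josh describes, written out as an added example script (it is not the script from the thread and not Josh's or John's code): the four LANs are plain routed with nothing in the nat table, and SNAT appears only for packets leaving through an internet-facing interface. The interface name eth4 and the public address 203.0.113.10 are assumptions; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the script from the thread. Inter-LAN traffic is routed
# without NAT; SNAT is applied only on the assumed internet-facing interface.
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute (needs root)
IPT=/sbin/iptables
LAN_IFACES="eth0 eth1 eth2 eth3"   # 192.168.1.0/24 plus the three new /24s
WAN_IFACE="eth4"                   # assumption: the interface that faces the internet
WAN_IP="203.0.113.10"              # assumption: placeholder public address

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Routing between directly connected nets needs only ip_forward and FORWARD
# rules; the kernel already has a route for each net via its own interface.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Accept routed traffic between every pair of trusted LAN interfaces. No address
# is rewritten, so the server on 192.168.1.0/24 can reach printers on the new
# LANs and the clients reach the server with their real source addresses.
lan_forward_rules() {
    for in_if in $LAN_IFACES; do
        for out_if in $LAN_IFACES; do
            [ "$in_if" = "$out_if" ] && continue
            run $IPT -A FORWARD -i "$in_if" -o "$out_if" -j ACCEPT
        done
    done
}

# NAT only where private addresses must not appear: packets leaving for the
# internet. Replies are matched by connection tracking, so the WAN side only
# needs ESTABLISHED/RELATED admitted into FORWARD.
wan_nat_rules() {
    run $IPT -A FORWARD -i "$WAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -t nat -A POSTROUTING -s 192.168.0.0/16 -o "$WAN_IFACE" -j SNAT --to-source "$WAN_IP"
}

# Order: flush, default-deny forwarding, then the explicit allows above.
apply_all() {
    run $IPT -F FORWARD
    run $IPT -t nat -F POSTROUTING
    run $IPT -P FORWARD DROP
    enable_forwarding
    lan_forward_rules
    wan_nat_rules
}

apply_all
```

Run with DRY_RUN=1 first and read the printed rules; with four interfaces you should see twelve FORWARD ACCEPT lines and exactly one SNAT line, naming only eth4.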