[Novalug] multihomed linux router with public ip addresses
Bryan J. Smith
b.j.smith at ieee.org
Mon Apr 26 23:04:40 EDT 2010
There are many different types of Network Address Translation (NAT).
The most direct is 1:1, meaning one IP is translated into another.
This can include a node appearing to have a public IP on one network
and a private IP on another network. It can also be used to tie
private-to-private, where the networks conflict. E.g., when two
corporations merge that both use 10/8, or partners need the same.
The others are many:1 and 1:many, either destination NAT (DNAT) or
source NAT (SNAT). Both DNAT and SNAT aren't pure NAT. They are
using what's known as NAT+PAT, port address translation. So instead
of just translating addresses, 1:1, it's remapping ports so one IP
address can serve as many IP addresses, by remapping ports. For
the most part, NAT+PAT isn't written, just NAT. But it's important
to understand that, technically, it's NAT+PAT that makes SNAT or DNAT.

You're already used to SNAT, many:1, many private IPs into one public
IP. Masquerading is a type of SNAT (actually, there are many
variations and approaches, but that's a whole chapter). But one can
go the other way, 1:many, with one private IP serving many public IPs.

Which brings us to your DMZ.
There are two options for DMZs. One is to use 1:1 NAT, the other is
to use DNAT.

Your tutor has already hinted you want to use 1:1 NAT. The key
is that your instructor has stated you have multiple, public IPs. As
such, a second, public IP could be used in 1:1 NAT, to any private IP
you wish to assign, in your DMZ. This is separate from your first,
public IP, which you will continue to use with SNAT for the LAN.

In reality, going one step further, you actually don't need to use
NAT. You can just put the system on the Internet, using that second,
public IP. But most of the time, people build a DMZ so they can filter
what ports hit the server. So 1:1 NAT is popular for this reason,
among others. The system is in a DMZ, with a dedicated private IP
subnet that can not only be hit via a public IP from the Internet, but
addressed and routed to its private IP from the LAN as well -- with the
security appliance controlling what ports and services (possibly
application-level filtering) can hit it from either.

DNAT adds the option of servicing different ports to specific private
IPs in your DMZ -- in the case you have only a limited number of public
IPs, or even just one. The DMZ itself can have multiple, private IPs,
a whole subnet, serving different ports on different servers. Port-
level load balancing can also be achieved by the security appliance
distributing port services to different DMZ servers, assuming the
service is a simple, often stateless, one, like static HTTP content.

But in this case, it sounds like your tutor has already hinted that
it is either 1:1 NAT into your DMZ, or possibly no DMZ at all.

----- Original Message ----
From: Miguel González Castaños <miguel_3_gonzalez at yahoo.es>
To: novalug at calypso.tux.org
Sent: Mon, April 26, 2010 7:20:58 PM
Subject: [Novalug] multihomed linux router with public ip addresses
I'm used to configuring Linux routers with NAT and only one public IP
address. For an assignment in a postgraduate program that I'm doing, one
example is that we have to configure a firewall for:

Internet ----------------- Router --------------- Internal LAN
                             |
                     public IPs (web, mail, etc)

So the router would have three interfaces:
eth2 - 18.104.22.168
eth0 - 10.30.1.1
eth1 - ?? Here is where my question comes in... My tutor says that it is
possible to use one of the IP addresses of the public IP pool. However,
that would mean that two interfaces of the same machine would have two
routes for the same network: 22.214.171.124 would use eth2 and eth1. I have
tried to remove one of the two routes generated and I can't figure out how.
The practical assignment doesn't require configuring a real router, just
figuring out how to configure the firewall, but I'm curious how to
configure such a router (I'm testing this in a virtual environment).
I hope my question is clear.
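The three NAT shapes the reply describes (many:1 SNAT for the LAN, 1:1 NAT of a second public IP to one DMZ host, and port-level DNAT, i.e. NAT+PAT, for several DMZ servers behind one public IP), written out as iptables rules for a three-interface Linux router. This is an added example and not code from either poster; the interface names, the RFC 5737 documentation addresses (203.0.113.x), the 10.30.2.0/24 DMZ subnet and the web/mail host addresses are assumptions chosen for illustration, not the assignment's values. By default the script only prints the commands it would run, so it can be read on any machine; on a real router it would be run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): SNAT, 1:1 NAT and port DNAT for a
# Linux router with a WAN, a LAN and a DMZ interface.
# All names and addresses below are hypothetical (RFC 5737 ranges).

WAN_IF=${WAN_IF:-eth2}                   # faces the Internet
LAN_IF=${LAN_IF:-eth0}                   # internal LAN
DMZ_IF=${DMZ_IF:-eth1}                   # DMZ on a private subnet
WAN_IP=${WAN_IP:-203.0.113.10}           # first public IP: LAN's SNAT address
DMZ_PUB_IP=${DMZ_PUB_IP:-203.0.113.11}   # second public IP, 1:1 to the web host
LAN_NET=${LAN_NET:-10.30.1.0/24}
DMZ_NET=${DMZ_NET:-10.30.2.0/24}
WEB_HOST=${WEB_HOST:-10.30.2.10}         # DMZ web server (hypothetical)
MAIL_HOST=${MAIL_HOST:-10.30.2.11}       # DMZ mail server (hypothetical)

# DRY_RUN=1 (the default) prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run iptables "$@"; }

# Forwarding policy: drop by default, allow replies to existing flows, let
# the LAN out to the Internet and into the DMZ by private address. Traffic
# from the Internet into the DMZ is opened below, host by host and port by port.
base_policy() {
    run sysctl -w net.ipv4.ip_forward=1
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT
}

# many:1 SNAT: every host in $1 leaves the WAN interface as the first public IP.
snat_net() {
    ipt -t nat -A POSTROUTING -s "$1" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# 1:1 NAT: public IP $1 <-> DMZ host $2, whole address in both directions,
# no port rewriting. The FORWARD rule is the "DMZ" part: only the TCP ports
# listed in $3 actually reach the host from the Internet.
one_to_one_nat() {
    pub=$1; priv=$2; ports=$3
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    ipt -t nat -A POSTROUTING -s "$priv" -o "$WAN_IF" -j SNAT --to-source "$pub"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$priv" -p tcp \
        -m multiport --dports "$ports" -m conntrack --ctstate NEW -j ACCEPT
}

# DNAT (NAT+PAT): TCP port $2 on public IP $1 is steered to DMZ host $3
# (port $4, defaulting to $2), so several servers can share one public IP.
port_dnat() {
    pub=$1; port=$2; priv=$3; privport=${4:-$2}
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$priv:$privport"
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$priv" -p tcp \
        --dport "$privport" -m conntrack --ctstate NEW -j ACCEPT
}

apply_all() {
    base_policy
    # 1:1 NAT first: POSTROUTING is first-match, so the web host's SNAT to its
    # own public IP must precede the generic DMZ SNAT to the first public IP.
    one_to_one_nat "$DMZ_PUB_IP" "$WEB_HOST" 80,443
    snat_net "$LAN_NET"
    snat_net "$DMZ_NET"
    port_dnat "$WAN_IP" 25 "$MAIL_HOST"        # SMTP on the first public IP
    port_dnat "$WAN_IP" 8080 "$WEB_HOST" 80    # alternate public port, same web host
}

apply_all
```

The order of the POSTROUTING rules is the detail that bites in practice: the generic many:1 SNAT covers the whole DMZ subnet, so the 1:1 host's own SNAT has to be appended first or its outbound traffic will leave as the first public IP instead of the second. The FORWARD chain, not the nat table, is what limits which ports reach each DMZ host; the DNAT rules alone would pass everything through.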
Novalug mailing list
Novalug at calypso.tux.org