[Novalug] multihomed linux router with public ip addresses

Miguel González Castaños miguel_3_gonzalez@yahoo.es
Tue Apr 27 06:33:15 EDT 2010


On 27/04/2010 05:04, Bryan J. Smith wrote:
> There are many different types of Network Address Translation (NAT).
>
> The most direct is 1:1, meaning one IP is translated into another.
> This can include a node appearing to have a public IP on one network
> and a private IP on another network.  It can also be used to tie
> private-to-private, where the networks conflict.  E.g., when two
> corporations merge that both use 10/8, or partners need the same.
>
> The others are many:1 and 1:many, either destination NAT (DNAT) or
> source NAT (SNAT).  Both DNAT and SNAT aren't pure NAT.  They are
> using what's known as NAT+PAT, port address translation.  So instead
> of just translating addresses, 1:1, it's remapping ports so one IP
> address can serve as many IP addresses, by remapping ports.  For
> the most part, NAT+PAT isn't written, just NAT.  But it's important
> to understand that, technically, it's NAT+PAT that makes SNAT or DNAT
> possible.
>
> You're already used to SNAT, many:1, many private IPs into one public
> IP.  Masquerading is a type of SNAT (actually, there are many
> variations and approaches, but that's a whole chapter).  But one can
> go the other way, 1:many, with one private IP serving many public IPs.
> Which brings us to your DMZ.
>
> There are two options for DMZs.  One is to use 1:1 NAT, the other is
> to use DNAT.
>
> Your tutor has already hinted you want to use 1:1 NAT.  The key
> is that your instructor has stated you have multiple, public IPs.  As
> such, a second, public IP could be used in 1:1 NAT, to any private IP
> you wish to assign, in your DMZ.  This is separate from your first,
> public IP, which you will continue to use with SNAT for the LAN.
>
> In reality, going one step further, you actually don't need to use
> NAT.  You can just put the system on the Internet, using that second,
> public IP.  But most of the time, people build a DMZ so they can filter
> what ports hit the server.  So 1:1 NAT is popular for this reason,
> among others.  The system is in a DMZ, with a dedicated private IP
> subnet that can not only be hit via a public IP from the Internet, but
> addressed and routed to its private IP from the LAN as well -- with the
> security appliance controlling what ports and services (possibly
> application-level filtering) can hit it from either.
>
> DNAT adds the option of servicing different ports to specific private
> IPs in your DMZ -- in the case you have only a limited number of public
> IPs, or even just one.  The DMZ itself can have multiple, private IPs,
> a whole subnet, serving different ports on different servers.  Port-
> level load balancing can also be achieved by the security appliance
> distributing port services to different DMZ servers, assuming the
> service is a simple, often stateless, one, like static HTTP content.
>
> But in this case, it sounds like your tutor has already hinted that
> it is either 1:1 NAT into your DMZ, or possibly no DMZ at all.
>
So in a 1:1 NAT how would I configure my router interfaces?

eth1 would be a private network and then servers in the DMZ would have 
two IPs (public and private)?

If so, then eth2 should have also aliases for all the public IP 
addresses in the DMZ and forward to the proper servers?

Thanks for your clarifications, they have been very insightful and helpful

Miguel
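The 1:1 NAT layout discussed above, written out as an iptables script for a three-interface Linux router. This is an added example, not code from the thread or from either poster; the interface names, the 203.0.113.x public addresses, the 10.10.10.0/24 DMZ and the 192.168.1.0/24 LAN are constructed for illustration. In this layout the second public IP lives only on the router's WAN interface as an alias; the DMZ server carries just its private address, and the DNAT/SNAT pair makes it appear on the public IP in both directions. The script defaults to a dry run that prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Linux router: 1:1 NAT for one DMZ host plus SNAT for the LAN.
# Assumed topology (constructed for this example):
#   eth0 = WAN, primary public IP 203.0.113.10, second public IP 203.0.113.11
#   eth1 = LAN, 192.168.1.0/24
#   eth2 = DMZ, 10.10.10.0/24, web server at 10.10.10.5
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
WAN_IP=203.0.113.10
DMZ_PUB_IP=203.0.113.11
DMZ_HOST=10.10.10.5
LAN_NET=192.168.1.0/24
DMZ_NET=10.10.10.0/24

# DRY_RUN=1 (the default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

one_to_one_nat_rules() {
  # The second public IP is an alias on the WAN interface, so the router
  # answers ARP for it; the DMZ host never carries a public address itself.
  run ip addr add "$DMZ_PUB_IP/32" dev "$WAN_IF"
  # Inbound: packets for the public IP are rewritten to the DMZ host before routing.
  run iptables -t nat -A PREROUTING -d "$DMZ_PUB_IP" -j DNAT --to-destination "$DMZ_HOST"
  # Outbound: the DMZ host leaves with its own public IP, not the router's primary one.
  run iptables -t nat -A POSTROUTING -s "$DMZ_HOST" -o "$WAN_IF" -j SNAT --to-source "$DMZ_PUB_IP"
}

lan_snat_rules() {
  # Classic many:1 SNAT for the LAN behind the primary public IP.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

filter_rules() {
  # FORWARD sees the post-DNAT destination, so filtering is done on private addresses.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Only the published ports reach the DMZ host from the Internet.
  run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" -p tcp -m multiport --dports 80,443 -j ACCEPT
  # The LAN reaches the DMZ by its private subnet: plain routing, no NAT involved.
  run iptables -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT
  # LAN to Internet.
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
  # A compromised DMZ host must not be able to open connections into the LAN.
  run iptables -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
  # DMZ to Internet (package updates and the like).
  run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
}

apply_all() {
  run sysctl -w net.ipv4.ip_forward=1
  one_to_one_nat_rules
  lan_snat_rules
  filter_rules
}

apply_all
```

Run it as `DRY_RUN=0 sh router.sh` once the printed rule set has been reviewed. The DMZ-to-LAN DROP rule is placed before the DMZ-to-WAN ACCEPT so a DMZ host that is compromised gains no path into the LAN beyond replies to connections the LAN itself opened.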
