On Wed, 2005-11-09 at 09:02 -0600, David Sims wrote:

Hi,

Is there a way in Linux to do NAT with a pool of outside addresses such that each connection to the outside resource gets a different IP address? I don't want 1:1 NAT as I have some thousands of IP addresses on one side of the LARTC router that _may_ need to access a resource on the other side... The resource needs to see a different IP address for each active call, but these addresses can be reused after the call concludes....

Any clues?

TIA,

Dave
On Thu, 10 Nov 2005, Oscar Mechanic wrote:

Is that not multiple NETMAP entries in iptables? Are you using SIP/H323/MGCP?
On Thu, 2005-11-10 at 10:16 -0600, David Sims wrote:

Hi Oscar,

I am doing the existing routing (only!) with a pretty bare Ubuntu server install... i.e., no firewall and no iptables at this point.... Cisco (in at least some software) allows many:1 NAT with a pool of NAT addresses rather than a single address.... This way, every connection seems to come from a different post-NAT address (at least up to the number of addresses in the pool).... I am curious if Linux iproute2 supports this concept?

Dave
On Thu, 10 Nov 2005, Oscar Mechanic wrote:

If I was thee I would install iptables. To my knowledge the NAT implementation in ip is stateless, so you could not use it for that, but I stand to be corrected.

You could do a nice implementation using nth or random on SNAT. So if it is a new connection using connstate, then put it into nth off a SNAT target and conntrack will do the rest for you.

Of course all of this is useless if you don't have iptables. But Ubuntu/Debian rpms are top class.

You did not say what session proto you were using. Oh, I just remembered something: if you are using SIP then you will have to be able to catch the RTP channel and NAT them the same.

The SNAT target in iptables has a round robin feature but I think the above point will be a problem.
On Thu, 2005-11-10 at 17:28 +0000, Oscar Mechanic wrote:

Don't bother with books. (What have books ever done for us? (Life of Brian))

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

I also suggest you take a long look at

http://asteriskathome.sourceforge.net/

So you need at least 40 calls going at any one time. If you were using SIP this would come with the proxy hand off.

I see your problem. But I do not know if SNA uses separate ports for session initiation and others for transport.

If it all uses 1 port then excellent, standard round robin SNAT from iptables will do the trick. Happy days.

If you have multiple ports for a call setup then I believe you are going to need to use iptables recent in conjunction with SNAT. Basically to push the IP onto a stack, then if the IP is in that stack SNAT all the traffic from that IP. You will need a stack (iptables recent will create those stacks) for each SNAT target. So you grab all the data from that IP, not just the initial call set up layer.

On Thu, 2005-11-10 at 10:53 -0600, David Sims wrote:
> Hi,
>
> Any pointer to a good and current iptables book or howto? I have
> Matthew Marsh's book on Policy Routing using Linux but the coverage of
> iptables and netfilter are a bit limited there... I haven't used the
> filtering stuff since ipchains days and I am sure that there have been
> many advances....
>
> The application that I am trying to make work is an old time IBM SNA
> gateway (Attachmate) that wants to assign LUs to IP addresses... So, when
> I do many:1 NAT, the first connection works fine but after that nothing...
> I just need to figure out a way of accommodating 40 users out of 2000 or
> so... and I have to use NAT since there has to be an address
> translation.... I was also thinking of setting up a pool of 40 or
> 50 addresses in my private space (192.168.x.y) and then doing 1:1 NAT on
> those... Then I would only need to figure out a way (DNS round robin?) of
> giving each new user a different address....
>
> Thanks for your response and advice.
>
> Dave
I will leave the tweaking to yourself, like putting in a match on connection to clear it out of the stack when the session link is closed (hint: look at --ctstate).

    iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.1 -m recent --name subnet1 --set
    iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.2 -m recent --name subnet2 --set
    ....
    ....
    iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 212.12.12.41 -m recent --name subnet41 --set

Need some tweaks here as well

    iptables -t nat -A POSTROUTING -m recent --name subnet1 --rcheck -j SNAT --to-source 212.12.12.1
    iptables -t nat -A POSTROUTING -m recent --name subnet2 --rcheck -j SNAT --to-source 212.12.12.2
    .....
    ....
    iptables -t nat -A POSTROUTING -m recent --name subnet41 --rcheck -j SNAT --to-source 212.12.12.41

    iptables -t nat -A POSTROUTING -p tcp --dport 5060 -m conntrack --ctstate NEW -j SNAT --to-source 212.12.12.1-212.12.12.41

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
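The behaviour the thread is after, as an added example that is not from the LARTC thread, from netfilter or from the SNA gateway vendor: a small Python model of a stateful many:N SNAT pool beside the many:1 case Dave describes. The far end is modelled on his description of the gateway (one LU per client address, so a second concurrent client arriving from an address already in use is refused). The pool keeps one pool address per inside host for as long as that host has any open connection, which is what Oscar's recent-match sketch is meant to achieve, and hands the address back when the host's last connection closes. The pool size of 40, the 41 clients, the 198.51.100.0/24 pool and the 10.0.0.0/8 inside addresses are all constructed for the example.

```python
"""Model of pool-based SNAT versus many:1 SNAT (constructed example)."""
from collections import defaultdict
from ipaddress import IPv4Address


class Gateway:
    """Far end that binds exactly one session per source address it sees."""

    def __init__(self):
        self.sessions = {}  # external address -> connection id owning it

    def accept(self, ext_addr, conn_id):
        """Accept a session unless another connection already owns ext_addr."""
        if ext_addr in self.sessions and self.sessions[ext_addr] != conn_id:
            return False
        self.sessions[ext_addr] = conn_id
        return True

    def close(self, ext_addr):
        self.sessions.pop(ext_addr, None)


class PoolSnat:
    """Stateful SNAT: one pool address per inside host while it has open connections."""

    def __init__(self, pool):
        self.free = list(pool)          # pool addresses not currently mapped
        self.mapping = {}               # inside address -> pool address
        self.conns = defaultdict(set)   # inside address -> open connection ids

    def new_connection(self, inside, conn_id):
        """Return the external address for a new connection, or None if the pool is exhausted.

        A host that already holds a pool address keeps it for every further
        connection, so all of its ports appear from the same outside address.
        """
        if inside not in self.mapping:
            if not self.free:
                return None
            self.mapping[inside] = self.free.pop(0)
        self.conns[inside].add(conn_id)
        return self.mapping[inside]

    def close_connection(self, inside, conn_id):
        """Release the pool address once the inside host's last connection closes."""
        self.conns[inside].discard(conn_id)
        if not self.conns[inside]:
            del self.conns[inside]
            self.free.append(self.mapping.pop(inside))


def simulate(pool_size, n_clients):
    """Open one session per client, close the first client's session, then retry the refused ones.

    pool_size=1 is the many:1 case from the thread: the first connection works,
    the rest are refused. pool_size=40 with 41 clients shows pool exhaustion and
    reuse of an address after a call concludes.
    """
    pool = [IPv4Address("198.51.100.1") + i for i in range(pool_size)]
    clients = [IPv4Address("10.0.0.1") + i for i in range(n_clients)]
    nat, gw = PoolSnat(pool), Gateway()
    accepted, refused = [], []
    for conn_id, client in enumerate(clients):
        ext = nat.new_connection(client, conn_id)
        if ext is None or not gw.accept(ext, conn_id):
            refused.append((conn_id, client))
        else:
            accepted.append(client)
    # The first client's call concludes: its pool address goes back to the free list.
    gw.close(nat.mapping[clients[0]])
    nat.close_connection(clients[0], 0)
    after_release = 0
    for conn_id, client in refused:
        ext = nat.new_connection(client, conn_id)
        if ext is not None and gw.accept(ext, conn_id):
            after_release += 1
    return {"accepted": len(accepted), "refused": len(refused),
            "accepted_after_release": after_release}


if __name__ == "__main__":
    print("many:1 SNAT, 3 clients:", simulate(1, 3))
    print("pool of 40, 41 clients:", simulate(40, 41))
```

Running it prints one accepted and two refused sessions for the many:1 case and 40 accepted, one refused, one accepted after release for the pool case. In real netfilter the `--to-source first-last` range is what lets the kernel pick a pool address per new connection, and the per-host stickiness the model enforces is the job Oscar's recent-match rules are meant to do; the model exists only to make the allocation and release semantics explicit.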