
Re: Setup of Internal Network with Many Real IPs

Lucas J Barbuto wrote:

Hello All,

I'm hoping to get some advice on a LAN setup for my office.  Currently I
have a nice easy configuration:

                          [ Internet ]
                          [ Firewall ]
                            [ LAN ]

I use Iptables on Woody for the firewall and NAT.

In the next month or so, we are switching providers for a faster,
cheaper connection.  We are also getting a range of twelve IP addresses
for our own use.  To make things tricky, a new group are entering the
office space and they would like to share our connection and take two of
our IPs that we will charge them for.

So, the new setup will look like this:

                          [ Internet ]
                               |,,   <--A
                          [ Firewall ]
                              / \
                /------------'   `-----------\
                |                            |
                |    ,  <--B
             [ LAN ]

I want all the traffic to be NAT'ed to my
network, but all the and 235 traffic to pass straight
through to a couple of machines that this new group will bring in
without being NAT'ed.

I can see how this will work on the external interface of my firewall,
just by aliasing several IPs to the interface, but internally I don't
know where to start... is it possible just to route all
and 235 traffic through to specific machines?  Will I need to install
more network cards?  What IP addresses do I assign to my internal
interfaces?  What addresses should be assigned to the machines receiving
the traffic for and 235?  What (if anything) do I need to
tell Iptables about this?
Firewalling depends on routing (if you're not using the bridging function in the kernel, but that is not commonly used). If you don't want to get yourself into a lot of trouble, you will need to either assign a private subnet, for example to the "B" above, and use iptables to NAT all traffic that hits .236 and .237 in "A" to selected machines in this network, OR ask your ISP for another subnet with official addresses and make them route this subnet to .235. In this case you can skip .236 and .237.

In both cases you will need one more network card for the subnet "B". It will probably work with extra addresses on the same card, but I'm a friend of more physical separation in case of system compromises.

This is just theory, I don't know the exact iptables syntax for this, but you will probably get a better answer in a couple of hours.
Hope it helps you to sort things out a bit.

Best regards

Martin Burman, Sweden
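
The first option in the reply (private subnet "B" plus iptables 1:1 NAT of the two tenant addresses) worked out as a rule set. This is an added example, not code from either poster; all addresses are placeholders from TEST-NET-3 (the firewall holds .235 on eth0, .236 and .237 are the tenant addresses aliased onto eth0 as the question proposes, subnet B is 192.168.2.0/24 on the extra card eth1, the office LAN is 192.168.1.0/24 on eth2), and the rules are printed rather than applied unless IPT=iptables is set.

```shell
#!/bin/sh
# Constructed example: 1:1 NAT of two public addresses in "A" onto two
# machines in private subnet "B", with the office LAN still masqueraded.
# Placeholders, not the poster's real block: 203.0.113.224/28 from the ISP,
# .235 is the firewall, .236/.237 are the tenant addresses (aliased onto
# eth0 so the firewall answers ARP for them). Default is a dry run that
# prints the commands; run with IPT=iptables to apply them (and enable
# forwarding with: echo 1 > /proc/sys/net/ipv4/ip_forward).
IPT="${IPT:-echo iptables}"
EXT_IF=eth0
B_IF=eth1
LAN_IF=eth2
LAN_NET=192.168.1.0/24
FW_IP=203.0.113.235

# Pin one public address to one tenant host, both directions: DNAT so the
# host is reachable on its public address, SNAT so its own outbound traffic
# leaves with that same address rather than the firewall's .235.
map_public_to_host() {
    public=$1; host=$2
    $IPT -t nat -A PREROUTING  -i "$EXT_IF" -d "$public" -j DNAT --to-destination "$host"
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$host" -j SNAT --to-source "$public"
    # The nat table only rewrites; FORWARD decides what passes at all.
    $IPT -A FORWARD -i "$EXT_IF" -o "$B_IF" -d "$host" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$B_IF" -o "$EXT_IF" -s "$host" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

setup_firewall() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F
    # Office LAN keeps the existing behaviour: hidden behind the firewall's
    # own address, inbound only for connections the LAN opened.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$FW_IP"
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The two tenant addresses, one machine each in subnet B.
    map_public_to_host 203.0.113.236 192.168.2.10
    map_public_to_host 203.0.113.237 192.168.2.11
    # No rule forwards between eth1 and eth2, so the separation the reply
    # wants from the extra card is also enforced by the FORWARD policy.
}

setup_firewall
```

With the reply's second option (the ISP routes a further official subnet to .235) none of the nat rules are needed, only the FORWARD rules for that subnet on eth1.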
