

>>>>> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> writes:
>>>>> Ivan Shmakov wrote:


 > Another example is when an interface gets a dynamic address and you
 > want to create a DNAT rule that matches only on that address :

 > iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport <port> \
 >     -j DNAT --to <server>:<port>

 > You cannot do that with a static ruleset.

	I'm not quite sure I'd like to do it with NAT, either.  Not
	that there's a lot of choice in this particular case.

	Going slightly off-topic here, about half a year ago I had a
	problem which I initially solved with DNAT.  The problem was to
	assign all of the hosts connected to one ``physical'' network
	the IPs ``belonging'' to the other:

    Network #1  |  10.x.y.R   | Network #2
    10.x.y.z/23 +-- My host --+ any IP network possible here
    (Ethernet)  |             | (uml_switch)
                              +-- Host #1, 10.x.y.Z+1
                              +-- Host #1, 10.x.y.Z+2
                              |   ...
                              +-- Host #1, 10.x.y.Z+n

	... Subject to the following constraints:

	* none of the hosts connected to the network on the left of the
	  figure know that 10.x.y.R is actually a router;

	* the range to be assigned, 10.x.y.Z+1 .. 10.x.y.Z+n, is not
	  that of any subnet.

	Somehow, I thought that DNAT would solve the problem in the most
	straightforward way.  I was wrong; it was proxy_arp that saved
	the day.  (Yes, one may use a bridge, too, but since it wasn't a
	requirement to allow for the traffic other than ARP and IP to
	pass through, I've decided to spare it.)

	Anyway, IPv4 seems to die slowly.  The Internet Service Provider
	I connect through from home, for example, offers a
	gray-IP-plus-NAT access, which is barely the /Internet/ access
	(should I call it ``WWW access'' instead? oh no, they have
	BitTorrent in their advertisements, too) I need (no transport
	level protocols other than TCP and UDP, thus, e.g., no PPTP,
	though I'm not sure whether it's a drawback, no chance of ever
	setting up a globally-accessible server or a SIP-based VoIP, no
	6to4, nor even Teredo without a relay, add to it that this
	particular NAT forgets about the connections after a few seconds
	of no activity, etc.)

	Fortunately, IPv6 has no NAT.

FSF associate member #7257
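The two techniques discussed in this thread, a DNAT rule that has to follow a dynamic PPP address and the proxy_arp setup that replaced DNAT in the network sketched above, as one added example. This script is not from the thread or from any of its authors; it assumes a Linux router with iptables and iproute2, and the interface names, the 10.1.2.x addresses, the DYN_DNAT chain name and the `DRY_RUN` switch are all constructed for illustration. With `DRY_RUN=1` it only prints the commands it would run, so the plan can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Assumptions: Linux,
# iptables + iproute2, run as root.  Interface names, addresses and the
# DYN_DNAT chain name are placeholders.  DRY_RUN=1 prints instead of acting.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add integer $2 to dotted-quad $1, carrying across octets
# (10.1.2.254 + 3 -> 10.1.3.1).
ip_add() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    v=$(( ((a * 256 + b) * 256 + c) * 256 + d + $2 ))
    printf '%d.%d.%d.%d\n' $(( (v >> 24) & 255 )) $(( (v >> 16) & 255 )) \
        $(( (v >> 8) & 255 )) $(( v & 255 ))
}

# --- 1. DNAT that must match a dynamic local address ----------------------
# A static ruleset cannot name an address that changes on every dial-up, so
# keep the rule in its own chain and rebuild that chain from an ip-up hook.
# Flushing the chain first removes the rule for the previous address, which
# keeps the hook idempotent across reconnects.
# Hook usage: dnat_refresh "$PPP_LOCAL" <port> <server> <port>
dnat_refresh() {
    local_ip=$1; port=$2; server=$3; sport=$4
    run iptables -t nat -N DYN_DNAT 2>/dev/null || true   # harmless if it exists
    run iptables -t nat -F DYN_DNAT
    # Jump from PREROUTING exactly once (-C checks for an existing rule).
    run iptables -t nat -C PREROUTING -j DYN_DNAT 2>/dev/null ||
        run iptables -t nat -A PREROUTING -j DYN_DNAT
    run iptables -t nat -A DYN_DNAT -d "$local_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$sport"
}

# --- 2. Proxy ARP instead of DNAT -----------------------------------------
# Hosts on the Ethernet side believe base+1 .. base+n are on their own link
# and ARP for them.  With proxy_arp enabled on that interface the router
# answers for any address it routes via a different interface, so one /32
# route per inner host (more specific than the connected /23) is all that is
# needed; nothing on the Ethernet side has to know a router is involved.
# Inner hosts still need the router's inner address as their gateway.
# Usage: proxy_arp_setup <outer_if> <inner_if> <base_ip> <n>
proxy_arp_setup() {
    outer=$1; inner=$2; base=$3; n=$4
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$outer.proxy_arp=1"
    i=1
    while [ "$i" -le "$n" ]; do
        run ip route add "$(ip_add "$base" "$i")/32" dev "$inner"
        i=$((i + 1))
    done
}

# Stand-alone demo:  DRY_RUN=1 sh proxyarp.sh demo
case "${1:-}" in
    demo)
        dnat_refresh 203.0.113.7 80 192.168.1.10 8080
        proxy_arp_setup eth0 tap0 10.1.2.254 3
        ;;
esac
```

The /32 routes are what make proxy_arp selective: the kernel only answers ARP for addresses it would forward out of another interface, so the router never claims addresses that belong to real Ethernet neighbours. The DNAT variant, by contrast, still has to be re-run from `ip-up` every time the PPP address changes.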
