Linux IP Masquerade HOWTO
Chapter 7. Frequently Asked Questions

7.32. ( MULTIPLE IPs - DMZ segments) - I have several EXTERNAL IP addresses that I want to PORTFW to several internal machines. How do I do this?

You DON'T do this with MASQ.

MASQ is a 1:Many NAT setup, which is the incorrect tool for what you are trying to do. What you are looking for is either a Many:Many NAT solution or a Bridging setup.

NOTE: Some users consider enabling multiple IP addresses on one internal NIC using "IP Alias", then PORTFWing ALL ports (0-65535) for each of them, and finally using IPROUTE2 to maintain the proper source/destination IP pairs. This has been done SUCCESSFULLY on 2.0.x kernels and less successfully on 2.2.x kernels. Regardless of success, that isn't the proper way to do it: it's a total HACK, and it is not a supported MASQ configuration. Please give IPTABLES on the 2.4.x kernels a serious look or, to a much lesser extent, the IPROUTE2 approach in Section 7.30 for 2.2.x kernels.

Anyway, for forwarding external IP addresses to internal hosts, you basically have three possibilities:

  • 1. Route the external IPs 
    
       (This does NOT involve IPMASQ at all but requires special WAN addressing 
        and routing setup from your ISP):
    
        Internet -- Some public WAN -- Linux -- DMZ segment
                       IP address      Server     PUBLIC IPs
                                         |
                                         +------ Internal net
                                                  private IPs

  • 2. 1:1 NAT 
    
       (Most easily done via IPTABLES or with IPCHAINS and IPROUTE2 but still 
        some protocols cannot deal with NAT)
    
        Internet -- Linux -- DMZ segment
                    Server     Private IPs natted to 1:1 PUBLIC IPs
                       |
                       +------ Internal net
                                private IPs

  • 3. Bridging:  
    
       This is how most commercial firewalls do it as it's very slick.  Basically, 
       all public IPs transparently flow through the Linux server to the DMZ but 
       via firewall inspection.
    
        Internet -- Linux -- DMZ segment
                    Server     PUBLIC IPs
                      |
                      +------ Internal net
                               private IPs
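As an added example (not part of this HOWTO), here is option #2, 1:1 NAT, expressed as IPTABLES rules for a 2.4.x kernel. The interface names, the public/private address pairs and the `onetoone_rules`/`dmz_rules` functions are assumptions; the functions only print the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: static 1:1 NAT for DMZ hosts behind a 2.4.x IPTABLES box.
# Assumed layout (constructed): eth0 faces the Internet, eth1 faces the DMZ.
WAN_IF=eth0
DMZ_IF=eth1

# onetoone_rules PUBLIC_IP PRIVATE_IP
# Prints the four rules that map one public address to one DMZ host.
# Nothing is applied here; pipe the output to sh once it has been reviewed.
onetoone_rules() {
    pub=$1
    priv=$2
    # Inbound: rewrite destination public -> private before routing.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: rewrite source private -> public after routing, so the DMZ
    # host's own connections leave with its public address, not the box's.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    # Forwarding: new connections from the Internet may only reach the mapped
    # host (narrow this with --dport if only a few services are exposed).
    echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $priv -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $priv -j ACCEPT"
}

# dmz_rules "PUB=PRIV PUB=PRIV ..."
# Emits the complete FORWARD/NAT rule set for a list of address pairs:
# default deny, stateful replies, then one block per mapped host.
dmz_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in $1; do
        onetoone_rules "${pair%=*}" "${pair#*=}"
    done
}

# Number of rule lines produced; handy as a sanity check in scripts.
dmz_rule_count() {
    dmz_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample mapping using documentation addresses, not real hosts.
SAMPLE_MAP="203.0.113.10=192.168.1.10 203.0.113.11=192.168.1.11"

if [ "${1:-}" = "--show" ]; then
    dmz_rules "$SAMPLE_MAP"
fi
```

Run the script with `--show` to print the rules for the sample mapping; the PREROUTING DNAT is the piece the IP Alias hack above was trying to imitate with 65536 port forwards.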

Though this howto doesn't cover items #1 and #2 yet, email me and I can give you a hand. For item #3, this isn't IPMASQ anymore and thus I can't help you. Fortunately, there are a few HOWTOs out there on the topic:

NOTE: If you have a bridged DSL or cable modem connection (not PPPoE), things are a little more difficult because your setup isn't routed. No worries though, check out the Bridge+Firewall Mini HOWTO and the Bridge+Firewall+DSL Mini HOWTO. These HOWTOs will teach you how to get your Linux box to support multiple IP addresses on a single interface!
