On 7/3/07, Grant Taylor <gtaylor riverviewtech.net> wrote:
> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
> > I'm going to set up a bridged NAT Linux box for many users. I want one
> > outside IP address to serve, for instance, 10.0.0.0/22.
>
> Why do this with bridging? If you have a 10.0.0.0/22 network like you
> say, it is private and thus not globally routable. So, to reach the
> internet you will have to NAT to a globally routable IP. Thus you have
> a private subnet and a public subnet, which is an ideal environment for a
> layer 3 router. Even if you are not going to a public IP but rather
> another private IP, the same scenario holds true.
>
> Or are you for some reason wanting to perform a layer 3 function on
> layer 2? If so, can I ask why?

Ok, I think you're right here.

> > I want to be sure that each local IP address always has 1024 NAT
> > sessions available and that sessions are kept even if the timeout is
> > reached. If 1024 sessions are reached and a new session is being
> > established then it will take over the oldest (timed out) session.
>
> I'm not sure that you will be able to specify how many NAT sessions each
> system will have and / or how to control the expiration thereof. I do
> know that you will have (or did have to in previous kernels) to have a
> fair amount of RAM for the connection tracking table to not wrap on a
> network of that size.
>
> > Is this possible with iptables?
>
> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>
> As far as controlling how many sessions are reserved / maintained even
> beyond timeouts, I don't know. I'm betting not, especially to the latter.

I guess the question was more about controlling the number of NAT
sessions per local IP address?

- Martin
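An added example, not part of the thread and not Grant's or Martin's own configuration: the layer-3 version of the gateway Grant recommends, written as a POSIX shell script that generates the NAT rules and sizes the connection tracking table for a 10.0.0.0/22 LAN where every host should be able to hold 1024 sessions. Interface names, the public address (a documentation-range placeholder) and the 25% headroom figure are assumptions; the script prints the commands rather than applying them so the plan can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the thread): plan a layer-3 NAT gateway for
# 10.0.0.0/22 and size the conntrack table so it does not wrap.

LAN_NET="10.0.0.0/22"
LAN_IF="eth1"               # assumption: inside interface
WAN_IF="eth0"               # assumption: outside interface
PUBLIC_IP="198.51.100.1"    # placeholder (documentation range) for the one outside IP
SESSIONS_PER_HOST=1024      # the per-host figure from the question

# Number of addresses covered by a prefix: 2^(32 - prefixlen).
addresses_in_prefix() {
    prefixlen=${1#*/}
    echo $(( 1 << (32 - prefixlen) ))
}

# Conntrack entries needed so every host can hold its sessions at once,
# plus headroom: the table is shared with the gateway's own traffic and with
# half-closed or not-yet-expired entries.
conntrack_entries_needed() {
    hosts=$1; per_host=$2; headroom_pct=$3
    base=$(( hosts * per_host ))
    echo $(( base + base * headroom_pct / 100 ))
}

# Emit the NAT and forwarding rules as text. SNAT to one fixed public
# address; only reply traffic for tracked sessions is allowed back in.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Emit the sysctls. The default nf_conntrack_max (ip_conntrack_max on older
# kernels) is derived from RAM and is far below 1024 hosts x 1024 sessions;
# when the table is full, new connections are dropped, which is the
# "wrap" Grant warns about.
conntrack_sysctl() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.netfilter.nf_conntrack_max=$1
EOF
}

main() {
    hosts=$(addresses_in_prefix "$LAN_NET")
    entries=$(conntrack_entries_needed "$hosts" "$SESSIONS_PER_HOST" 25)
    echo "# $LAN_NET covers $hosts addresses; planning $entries conntrack entries"
    conntrack_sysctl "$entries"
    nat_rules
    echo "# check current usage with: sysctl net.netfilter.nf_conntrack_count"
}

# Only run when executed directly, so the functions can be sourced elsewhere.
[ "${0##*/}" = "nat-plan.sh" ] && main
```

Usage: save as nat-plan.sh, run it, and review the printed commands before pasting them onto the gateway. Note what the script does not do: iptables keeps a session only as long as its conntrack timeout, and there is no knob that holds a timed-out session open or evicts the oldest one per host, which matches Grant's doubt about the second half of the question. Capping how many concurrent connections a single inside address may open is a separate matter (the connlimit match, in kernels that ship it), and it rejects the newest connection rather than replacing the oldest.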