Re: NAT
2007-07-03 09:29:46


On 7/3/07 1:55 AM, "Martin Schiøtz" <malinuxgmail.com> wrote:

> On 7/3/07, Grant Taylor <gtaylorriverviewtech.net> wrote:
>> On 7/3/2007 1:52 AM, Martin Schiøtz wrote:
>>> I'm going to set up a bridged NAT Linux box for many users. I want one
>>> outside IP address to serve, for instance, 10.0.0.0/22.
>>
>> Why do this with bridging?  If you have a 10.0.0.0/22 network like you
>> say, it is private and thus not globally routable.  So, to reach the
>> internet you will have to NAT to a globally routable IP.  Thus you have
>> a private subnet and a public subnet, which is an ideal environment for a
>> layer 3 router.  Even if you are not going to a public IP but rather
>> another private IP, the same scenario holds true.
>>
>> Or are you for some reason wanting to perform a layer 3 function on
>> layer 2?  If so, can I ask why?
>
> Ok, I think you're right here.
>
>>
>>> I want to be sure that each local IP address always has 1024 NAT
>>> sessions available and that sessions are kept even if the timeout is
>>> reached. If 1024 sessions are reached and a new session is being
>>> established then it will take over the oldest (timed out) session.
>>
>> I'm not sure that you will be able to specify how many NAT sessions each
>> system will have and / or how to control the expiration thereof.  I do
>> know that you will have (or did have to in previous kernels) to have a
>> fair amount of RAM for the connection tracking table to not wrap on a
>> network of that size.
>>
>>> Is this possible with iptables?
>>
>> The first part of what you want to do (layer 2 or layer 3) NATing, yes.
>>
>> As far as controlling how many sessions are reserved / maintained even
>> beyond timeouts, I don't know.  I'm betting not, especially to the latter.
>>
>
> I guess the question was more about controlling the number of NAT
> sessions per local IP address?

If you give iptables a range, it will try to do as little port mangling as
possible, so I believe it will try to hold onto connections as long as
possible. We saw quite a performance when we moved our 100 users from one
NATted address to 64. I guess the mangling made that much of a difference.
 
Robert LeBlanc
BioAg Computer Support
Brigham Young University
leblancbyu.edu
(801)422-1882
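The following is an added example, not part of the thread and not any poster's own configuration. It puts Robert's remark about giving SNAT a range of addresses and Grant's point about conntrack table RAM into a rule set for a plain layer 3 NAT box: the internal /22 is source-NATted to a pool of public addresses, each internal host is capped at 1024 concurrent TCP connections with the `connlimit` match, and `nf_conntrack_max` is sized so the table does not fill on a network of that size. The interface name `eth0`, the pool `203.0.113.10-203.0.113.73` (a documentation range) and the table size are constructed values; the `--persistent` SNAT option comes from kernel and iptables releases later than the 2007 thread. Note that `connlimit` only caps new connections; nothing in netfilter reserves 1024 sessions per host or evicts the oldest one, which is what Martin asked for.

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply, the
# commands for a layer-3 NAT box serving an internal /22 from a pool of
# public addresses. Interface, pool and table size are assumed values.
set -eu

LAN_NET="10.0.0.0/22"              # internal network discussed in the thread
WAN_IF="eth0"                      # assumed external interface
POOL="203.0.113.10-203.0.113.73"   # assumed 64-address public pool
PER_HOST_MAX=1024                  # per-host cap discussed in the thread
CT_MAX=1048576                     # assumed conntrack table size (see ct_fits)

# Print (do not run) the iptables rules.
nat_rules() {
    # Source-NAT the internal network to the pool on the way out. With a
    # range, clients are spread over the pool; --persistent keeps a client
    # on the same pool address so its mappings stay stable.
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $POOL --persistent"
    # Refuse a new TCP connection from an internal host that already has
    # PER_HOST_MAX tracked connections (mask 32 = count per single host).
    # This is a cap, not a reservation: nothing evicts the oldest session.
    printf '%s\n' "iptables -A FORWARD -s $LAN_NET -o $WAN_IF -p tcp --syn -m connlimit --connlimit-above $PER_HOST_MAX --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # Otherwise allow new outbound connections and reply traffic back in.
    printf '%s\n' "iptables -A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "iptables -A FORWARD -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Print the sysctl that sizes the connection-tracking table. When the table
# is full the kernel drops new flows and logs "nf_conntrack: table full,
# dropping packet"; that is the "wrap" problem raised in the thread.
conntrack_sysctls() {
    printf '%s\n' "sysctl -w net.netfilter.nf_conntrack_max=$CT_MAX"
}

# Rough number of conntrack entries a network needs: hosts * sessions/host.
conntrack_entries_needed() {
    echo $(( $1 * $2 ))
}

# Succeeds when CT_MAX covers HOSTS x PER_HOST sessions. RAM per entry is
# kernel dependent; check the nf_conntrack slab in /proc/slabinfo.
ct_fits() {
    [ "$(conntrack_entries_needed "$1" "$2")" -le "$CT_MAX" ]
}

# Apply the generated commands (needs root and a real netfilter kernel);
# not called by default, so running this script is a dry run.
apply_rules() {
    { nat_rules; conntrack_sysctls; } | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# Dry run: show what would be applied and whether the table is big enough
# for the 1022 usable hosts of a /22.
nat_rules
conntrack_sysctls
if ct_fits 1022 "$PER_HOST_MAX"; then
    echo "# nf_conntrack_max=$CT_MAX covers 1022 hosts x $PER_HOST_MAX sessions"
else
    echo "# nf_conntrack_max=$CT_MAX is too small for 1022 hosts x $PER_HOST_MAX sessions"
fi
```

Run it as-is to review the generated commands; call `apply_rules` from a root shell once the interface and pool match the real deployment. The `connlimit` rule is placed before the `NEW` accept so a host at its cap gets a reset instead of consuming another conntrack entry.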