
Re: [LUG] Two way, many to many NAT configuration


Tristan Burnett wrote:
> I have a query that hopefully someone can either answer or point me
> towards some info/howtos.
> 
> I have two networks that I wish to keep physically separated and bridge
> with a NAT router, I want some PCs on network A to have access to a
> server via telnet on network B but they need to access it via specific
> IP addresses (the server uses ip addresses to assign session settings).
> 
> e.g.
> Network A    NAT   Network B
> 172.16.46.1 <----> 200.0.0.1 <-> Server
> 172.16.46.2 <----> 200.0.0.2 <-> Server
> 172.16.46.3 <----> 200.0.0.3 <-> Server
> 172.16.46.4 <----> 200.0.0.4 <-> Server
> etc....
> 
> As far as my understanding goes, I believe it will require 2 network cards
> with multiple IPs on each and then some iptables rules to do the NAT.

If you intend to keep the networks physically separate then yes, two
network cards sound like a must. It is possible to have multiple
logical IP networks on one ethernet network (supernetting) but it isn't
considered quite "polite" in networking circles (it does raise security
issues and makes DHCP more complex to configure).

I see no reason why you need to use NAT, unless the server can already see
a network with the prefix "172.16.46". If possible I'd start by doing it
without NAT just because it simplifies the set up.

Configure one interface in 172.16.46.x (say x=5), and one in 200.0.0.y
(say y=6).

You'll need to allow ip_forwarding, which is a kernel parameter:
/proc/sys/net/ipv4/ip_forward in 2.6 kernels. You use sysctl for setting
this to "1", and most distros will have a way of setting this on boot.

You'd then need to configure PCs in 172.16.46.x to route to the 200.0.0
network via 172.16.46.5, and the server to route to 172.16.46 via
200.0.0.6.

Then you might want to apply firewall rules to stop the traffic, and
only allow what is specifically permitted.

The NAT config is similar, except you have to apply some firewall rules,
and you don't have to set a route on the server. But the configuration
for NAT would be the same as a typical Internet NAT with the 172.16.46
network being on the inside, and there are lots of worked examples of
that on the Internet.

I'm not quite sure what you mean by "two way" in this context. NAT
typically makes it difficult to initiate a connection from the "public"
address to the "masked" addresses. In this case initiating a connection
from server to client, if you used NAT, would require some special
actions. But it doesn't sound like you really need that if you use
telnet from the clients to the server.
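
The router-side configuration described in the reply above, as an added example that is not part of the list thread: a script that prints, one command per line, the forwarding, default-deny filtering and (optionally) the static 1:1 mapping 172.16.46.N <-> 200.0.0.N from the original question, so the rules can be reviewed before they are applied. The interface names eth0 (Network A side) and eth1 (Network B side) and the server address 200.0.0.100 are assumptions for illustration; the two-interface addressing (172.16.46.5 and 200.0.0.6) is the one suggested in the reply.

```shell
#!/bin/sh
# Added example, not from the list thread. Prints the router configuration for
# the set-up discussed above so it can be inspected before being applied.
# Assumed names: eth0 faces Network A, eth1 faces Network B; the server
# address 200.0.0.100 is constructed for illustration.

IN_IF="${IN_IF:-eth0}"            # assumed: interface on Network A (172.16.46.0/24)
OUT_IF="${OUT_IF:-eth1}"          # assumed: interface on Network B (200.0.0.0/24)
SERVER="${SERVER:-200.0.0.100}"   # constructed: the telnet server on Network B
A_PREFIX=172.16.46
B_PREFIX=200.0.0

# Routing-only variant (the reply's recommendation, no NAT): turn on
# forwarding, default-deny the FORWARD chain, let replies through, and permit
# only telnet (tcp/23) from each listed client number N to the server.
gen_filter_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for n in "$@"; do
    echo "iptables -A FORWARD -i $IN_IF -o $OUT_IF -s $A_PREFIX.$n -d $SERVER -p tcp --dport 23 -m state --state NEW -j ACCEPT"
  done
}

# NAT variant: the same filtering plus a static 1:1 mapping
# 172.16.46.N -> 200.0.0.N (the client is seen by the server as 200.0.0.N).
# The router must own each 200.0.0.N so it answers ARP for the server's
# replies; connection tracking reverses the translation on the way back.
gen_nat_rules() {
  gen_filter_rules "$@"
  for n in "$@"; do
    echo "ip addr add $B_PREFIX.$n/24 dev $OUT_IF"
    echo "iptables -t nat -A POSTROUTING -o $OUT_IF -s $A_PREFIX.$n -d $SERVER -p tcp --dport 23 -j SNAT --to-source $B_PREFIX.$n"
  done
}

# Run the generated commands (needs root); sh -e stops at the first failure.
apply_nat_rules() {
  gen_nat_rules "$@" | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_nat_rules 1 2 3 4
else
  gen_nat_rules 1 2 3 4
fi
```

Run it as-is to review the rules; `APPLY=1 sh script.sh` applies them. The FORWARD rules match on the client's real 172.16.46.N address because filtering happens before the POSTROUTING SNAT, and the script deliberately adds no PREROUTING DNAT for server-initiated connections, since the reply notes that is not needed when telnet is always started from the clients.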


--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe. FAQ: www.dcglug.org.uk/linux_adm/list-faq.html