Linux – Assigning many WAN IPs to a Linux Router for 1:1 NAT

Tags: linux, nat, router

I'm in the process of setting up an Ubuntu Linux box to act as a router. It's a fairly normal setup with NATing using iptables, and it's working fine for me.

I'm about to put this into production, and I've thus far, for testing, been putting multiple WAN IPs in stanzas in the /etc/network/interfaces file:

# WAN Interface
iface eth0 inet static
    address 123.123.456.345
    netmask 255.255....
    network ...
    broadcast ...
    gateway ...

iface eth0:1 inet static
    address 123.456.789.123
    netmask ...

iface eth0:2 inet static ...

The problem I've found is that we have about 20 WAN IPs that this Linux box needs to do NATing for right now, which means I need to assign all 20 of those IPs to this box, which it can then translate into the correct private IPs.

That's the thing – the interfaces file is steadily growing larger, and I'm starting to wonder if this is going to become difficult to manage in the near future. But the above example is pretty much the only way I've ever done it, and by far the most common example I can find when searching.

The only other method I've found and considered is here: http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

# Internet interface
auto eth0
iface eth0 inet static
    address 206.124.146.176
    netmask 255.255.255.0
    gateway 206.124.146.254
    up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0

Is there a way of organising this that someone else can recommend for a large number of IP aliases? And why did you choose that over any other method?

EDIT

As two answers now have basically suggested, don't use NAT, just bridge the traffic through the firewall and assign IPs directly on the server. I should add, we're already using that method in production but have decided to move away from it.

  • We want to save our public address space; many of the devices or VMs only need one public port open, and no other public service. For that reason, we want to be able to map ports on a single public IP to separate internal devices.

  • We're moving forward to a VPN infrastructure that allows customers to VPN in and access their allocated subnet/VLAN, and therefore have access to their servers.

  • VLANs with a bridged firewall configuration have proven troublesome. Because the packets are hitting our upstream provider still tagged, the packets get rejected.

I should be clear that this is not entirely a 1:1 NAT setup. It's just that, right now, all devices have their own WAN IP, so that's the best description of what we're having to move to right now.

Many of the devices will still need their own IP, and in those cases we NAT and allow the ports individually, so it's kind of like 1:1 NAT with firewalling. In some cases, though, the devices will not need a WAN IP at all.

Thanks!
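The following is an added example, not from the question or from Shorewall, of the approach the question is reaching for: keep one mapping table of public-to-private addresses and generate both the secondary addresses and the iptables rules from it, so the interfaces file stays at a single eth0 stanza with one `up` line. The interface names (eth0/eth1), the 203.0.113.0/24 and 10.10.0.0/16 ranges, the primary address 203.0.113.1 and the mapping file format are all assumptions made for the example; the sample table is constructed. The script only prints the commands it would run, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not the question's own configuration): build the WAN
# addresses and NAT/forward rules for many public IPs from one table.
#
# Assumed layout (hypothetical):
#   eth0  WAN, primary address 203.0.113.1/24, secondaries added below
#   eth1  LAN, 10.10.0.0/16
# Table format, one entry per line:
#   <public-ip> <private-ip>                  full 1:1 NAT, all ports
#   <public-ip> <private-ip> <proto>/<port>[,<proto>/<port>...]
#                                             only those ports are forwarded
# Several lines may share one public IP, so one address can front
# several internal devices on different ports.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_PREFIX=${WAN_PREFIX:-24}
WAN_PRIMARY=${WAN_PRIMARY:-203.0.113.1}
LAN_NET=${LAN_NET:-10.10.0.0/16}

# Constructed sample table, embedded so the script runs offline.
SAMPLE_MAP='
# public        private       ports (optional)
203.0.113.10    10.10.1.10
203.0.113.11    10.10.1.11
203.0.113.20    10.10.2.5     tcp/443
203.0.113.20    10.10.2.6     tcp/22,udp/1194
'

# One "ip addr add" per distinct public IP. The label is cosmetic: it makes
# ifconfig show the address as eth0:N, exactly like an iface eth0:N stanza.
emit_addresses() {
    printf '%s\n' "$1" | {
        n=0; seen=
        while read -r pub priv ports; do
            case "$pub" in ''|'#'*) continue ;; esac
            case " $seen " in *" $pub "*) continue ;; esac
            seen="$seen $pub"
            echo "ip addr add $pub/$WAN_PREFIX dev $WAN_IF label $WAN_IF:$n"
            n=$((n + 1))
        done
    }
}

# NAT and FORWARD rules per table entry. The nat table only rewrites
# addresses; the FORWARD chain is what actually permits the traffic.
emit_nat() {
    printf '%s\n' "$1" | while read -r pub priv ports; do
        case "$pub" in ''|'#'*) continue ;; esac
        if [ -z "$ports" ]; then
            # 1:1: everything sent to the public IP reaches the host, and the
            # host's outbound traffic leaves with that same public IP.
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
            echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
            echo "iptables -A FORWARD -i $WAN_IF -d $priv -m conntrack --ctstate NEW -j ACCEPT"
            continue
        fi
        # Port map: only the listed proto/port pairs are translated and allowed.
        old_ifs=$IFS; IFS=,
        for spec in $ports; do
            proto=${spec%%/*}; port=${spec#*/}
            echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p $proto --dport $port -j DNAT --to-destination $priv:$port"
            echo "iptables -A FORWARD -i $WAN_IF -d $priv -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
        IFS=$old_ifs
    done
}

generate_config() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    emit_addresses "$1"
    emit_nat "$1"
    # Catch-all for hosts with no public IP of their own. It must come last:
    # nat/POSTROUTING is first match, so 1:1 hosts keep their own address.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_PRIMARY"
}

generate_config "$SAMPLE_MAP"
```

Run it, check the output, and then either pipe it to sh from a single `up` line in the eth0 stanza, or hand the iptables part to iptables-restore. Note that the DNAT rule for a 1:1 host carries no port restriction, so the FORWARD rule for that host is the only thing limiting what reaches it; tighten it there rather than in the nat table.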

Best Answer

Do this the right way -- get the address range routed to your firewall and put the IP addresses where they're supposed to be, on the destination devices.
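As an added example of what the answer's routed design looks like in commands (this is not the answerer's configuration): the upstream routes a public block to the router's WAN address, each customer VLAN is terminated on a sub-interface of the LAN port and given a slice of that block, and the hosts carry their public addresses themselves. No nat table is involved, and because the VLAN tag is removed on the router, the upstream never sees a tagged frame, which is the problem raised in the question's edit. The block 203.0.113.32/27, the interface names and the VLAN table are assumptions; the sample table is constructed. Like the previous example, the script only prints the commands.

```shell
#!/bin/sh
# Added example (not the answer's own config): the routed, NAT-free design.
# Assumptions (hypothetical): the upstream routes 203.0.113.32/27 to this
# router's WAN address on eth0; customer VLANs arrive tagged on eth1; each
# VLAN gets a /28 or /29 from the block with the router as its gateway.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# Constructed table: <vlan-id> <router address/prefix in the slice> <inbound allowed>
SAMPLE_VLANS='
# vlan  router address        inbound allowed to the hosts (proto/port list, or any)
10      203.0.113.33/28       tcp/443
20      203.0.113.49/29       tcp/22,tcp/443
30      203.0.113.57/29       any
'

emit_routed_config() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default deny; with only the rules below, one customer VLAN cannot
    # reach another through the router, only the WAN side.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while read -r vid addr allow; do
        case "$vid" in ''|'#'*) continue ;; esac
        sub="$LAN_IF.$vid"
        # Terminate the VLAN here; adding the address installs the connected
        # route for the slice, so hosts in it are reachable without NAT.
        echo "ip link add link $LAN_IF name $sub type vlan id $vid"
        echo "ip link set $sub up"
        echo "ip addr add $addr dev $sub"
        # Outbound from the customer subnet is open; inbound is only what the table allows.
        echo "iptables -A FORWARD -i $sub -o $WAN_IF -j ACCEPT"
        if [ "$allow" = any ]; then
            echo "iptables -A FORWARD -i $WAN_IF -o $sub -m conntrack --ctstate NEW -j ACCEPT"
            continue
        fi
        old_ifs=$IFS; IFS=,
        for spec in $allow; do
            echo "iptables -A FORWARD -i $WAN_IF -o $sub -p ${spec%%/*} --dport ${spec#*/} -m conntrack --ctstate NEW -j ACCEPT"
        done
        IFS=$old_ifs
    done
}

emit_routed_config "$SAMPLE_VLANS"
```

The hosts in each VLAN are configured with their own public address and the router's slice address as default gateway; the router itself needs only its single WAN address, however many public addresses sit behind it, which is what makes this scale better than a growing list of eth0:N aliases.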
