On Sat, 8 Jan 2005, Bill Jonas wrote:
> On Sat, Jan 08, 2005 at 10:57:23AM -0700, George Toft wrote:
>> Qwest allows me 4 IP addresses, and I would like to take advantage of
>> them so we can have more than one computer at the site at one time.
>
> Do you have more than four computers internally? If not, just NAT them.
> As a reminder, NAT is many-to-many; masquerading (a Linux-specific term,
> or if it's not now, Linux was the first to use it) is just a special
> case.

In George's case that will not work. As I understand his problem, the source
external/public address of the HTTP connection needs to be different for each
internal machine.

You could do this with some super-nasty IPTables rules, but that would likely
be pretty painful.

You may also be able to make it easier by bringing up four internal gateways
(eth1, eth1:0, eth1:1, and eth1:2) and four external addresses on the firewall
(eth0, eth0:0, eth0:1, and eth0:2), and give each LAN host its own internal
gateway (they will all still be in the same subnet, so they will be able to
talk to each other just fine). Then on the firewall, the IPTables rules could
be simplified to just redirecting packets coming in from eth1 to go out eth0,
in from eth1:0 to go out eth0:0, in from eth1:1 to go out eth0:1, etc.
Still not very clean, but doable.

Here is another idea, and I am not quite sure if this would work off-hand
(still too early in the morning for me), but it would be really easy to try
it out. Bring up your four external addresses on the firewall, then add four
identical routes (but with different interfaces) to your ISP's gateway router.
For example (if your netblock is 1.2.3.0/24 and your ISP's gateway router is
1.2.3.1):

  # route add default gw 1.2.3.1 eth0
  # route add default gw 1.2.3.1 eth0:0
  # route add default gw 1.2.3.1 eth0:1
  # route add default gw 1.2.3.1 eth0:2

That may cause the firewall box to pseudo-randomly pick an interface to the
gateway for different packets.

Of course, this would be a total hack, but much easier to test out than the
"real" way of doing it using IPTables. Of note, if your firewall is doing
reverse path filtering, you may need to disable that for this to work, since
the routes may well now be asymmetrical.

--
~Jay

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
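The "real" way Jay mentions, per-host source NAT so each LAN machine leaves the firewall with its own public address, written out as an added example (not code from the original thread). It assumes a constructed LAN 192.168.0.0/24 behind eth1 and the post's 1.2.3.0/24 block on eth0 with gateway 1.2.3.1; the host-to-address mapping is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the original post. Static 1:1 source NAT:
# each internal host's outbound traffic is rewritten to its own public IP.
# Assumed (constructed) addressing: LAN 192.168.0.0/24 on eth1, public
# block 1.2.3.0/24 on eth0 (from the post), ISP gateway 1.2.3.1.

# Constructed mapping: "<lan_ip> <public_ip>", one pair per line.
HOST_MAP='192.168.0.10 1.2.3.2
192.168.0.11 1.2.3.3
192.168.0.12 1.2.3.4
192.168.0.13 1.2.3.5'

# Print the firewall commands instead of running them, so the rule set can
# be reviewed (or tested) first and then applied as root with: gen_rules | sh
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "ip route replace default via 1.2.3.1 dev eth0"
    # Default-deny forwarding; only explicitly mapped hosts get out.
    echo "iptables -P FORWARD DROP"
    printf '%s\n' "$HOST_MAP" | while read -r lan pub; do
        # Bind the public address to eth0 (modern replacement for eth0:N aliases).
        echo "ip addr add $pub/24 dev eth0"
        # Allow this host to forward out; replies are matched by conntrack below.
        echo "iptables -A FORWARD -s $lan -i eth1 -o eth0 -j ACCEPT"
        # Rewrite this host's source to its own public IP (not MASQUERADE,
        # which would use the interface's primary address for everyone).
        echo "iptables -t nat -A POSTROUTING -s $lan -o eth0 -j SNAT --to-source $pub"
    done
    # Return traffic for connections the LAN initiated; conntrack un-SNATs it.
    echo "iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of SNAT rules produced (one per mapped host).
count_snat() {
    gen_rules | grep -c -- '-j SNAT'
}
```

Because every packet still leaves and returns through eth0 with a single default route, routing stays symmetric and reverse path filtering can remain enabled, unlike the four-route hack.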