[lug] subnets

D. Stimits stimits at idcomm.com
Mon Jul 15 21:11:09 MDT 2002

Hugh Brown wrote:
> network newbie question.
> I am in a bit of a situation.
> We won the second phase of a contract and have the job of porting a
> windows based system to an os independent system.  The company delivered
> the machines but put them on the 192.190.1.x/24 subnet and told us that
> changing the ip address of the two systems would be burdensome to do.
> Their obligation is to deliver a system that works.  It seems to work
> okay, but I don't know how to get the two systems to see the Internet at
> large.
> I have the two systems on an ipchains masqueraded network.
> How do you normally put two distinct subnets on a network and get them
> to go out to the right destination?
> Here's the setup:
>
> Internet --- external interface (ipchains box)
>                                  |
>                          Internal Network
>                                  |
>                           192.190.1.x/24

What is the nature of the connection? UDP, TCP? Is a specific port
involved, or is there no particular port that is always needed? Will
service be called upon from the outside, or will all conversations be
initiated at the internal network?

I have never done this, but I have been curious about it. Often, ip masq
is a general masquerade, not a 1:1 masquerade, where exact ports are
assigned 100% of the time to a particular forward/masquerade...normally
it is a general thing where outbound packets determine which response
goes back to the original machine, it is not fixed. However, you *can*
tell it to make specific ports 100% bound to particular forward
addresses (at least with newer kernels, maybe with older too). If you
have a general masquerade, then outside cannot randomly access the
masquerade box for its services, the internal box would have to initiate
the conversation. Does the outside have to initiate a conversation with
the internal net? If so, and if particular ports are in mind, and if
those ports are never required for other machines to service requests,
then you can bind those ports permanently to forward to that machine.
Since I have never done this, I do not know the gotchas or problems you
will go through to enable it (though you probably want to start with a
2.4.19-prerelease kernel). I think some of the terminology I have seen
before is 1:N, N:1, and 1:1 NAT when windows products were involved.

D. Stimits, stimits at idcomm.com

> I know I haven't explained this very well so please help me clarify.
> Hugh
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
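The two cases the reply describes, a general masquerade where only the inside may initiate, and a specific port bound 1:1 to one internal machine, as an added example that is not from the thread. It uses iptables (the 2.4-kernel tool the reply alludes to with "newer kernels") rather than ipchains; the outside interface name, the internal hosts and the ports are assumed placeholders, and the subnet check only handles /24 networks.

```bash
#!/bin/bash
# Assumptions: the masq box's outside interface is eth0 and the two
# contractor machines sit on 192.190.1.0/24 behind it (placeholders).
EXT_IF="${EXT_IF:-eth0}"
INTERNAL_NET="${INTERNAL_NET:-192.190.1.0/24}"
NET_PREFIX="${INTERNAL_NET%.*/*}."   # "192.190.1." for a /24, as assumed here
DRY_RUN="${DRY_RUN:-1}"              # 1 = print the commands, 0 = apply them (needs root)
BOUND_PORTS=""                       # external proto/port pairs already bound 1:1

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# General masquerade: internal hosts may open connections outward and only
# replies to those connections come back in; the outside cannot initiate.
masq_rules() {
    run iptables -t nat -A POSTROUTING -s "$INTERNAL_NET" -o "$EXT_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$INTERNAL_NET" -j ACCEPT
    run iptables -P FORWARD DROP
}

# Bind one external port permanently to one internal host (1:1 forward) so
# the outside can initiate that one service. A port can only be forwarded to
# a single machine, so a second binding of the same proto/port is refused, as
# is a target that is not behind the masq box.
portfw() {
    proto="$1"; ext_port="$2"; int_host="$3"; int_port="${4:-$2}"
    key="$proto/$ext_port"
    case " $BOUND_PORTS " in
        *" $key "*) echo "error: $key already forwarded" >&2; return 1 ;;
    esac
    case "$int_host" in
        "$NET_PREFIX"*) ;;
        *) echo "error: $int_host is not on $INTERNAL_NET" >&2; return 1 ;;
    esac
    BOUND_PORTS="$BOUND_PORTS $key"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_host:$int_port"
    run iptables -A FORWARD -i "$EXT_IF" -p "$proto" -d "$int_host" --dport "$int_port" -j ACCEPT
}
```

Run with DRY_RUN=1 first to review the generated rules, then DRY_RUN=0 as root to apply them.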
