sabrex (n00b)
Joined: 28 Nov 2003 Posts: 45
Posted: Fri Sep 05, 2008 3:59 am Post subject: NAT & Real IPs assigned to MAC on bridge possible?
I have several bridge systems, each with 64 or 128-IP subnets (real IPs). The DHCP server on each server assigns a real (public) IP address to each MAC address. Would it be possible to assign a NAT IP address to some of the MAC addresses, and perhaps create private subnets using the same bridge with the eth0 and eth1 interfaces currently in use? Those with a NAT IP in their own separate private subnet would ideally be able to see only each other on the network (this may be a function of iptables). Would this setup be possible in any way? Thanks.
Here is a sample of my typical /etc/init.d/net.br0 file:
Code:
    #!/sbin/runscript
    depend() {
        before net
    }
    start() {
        ebegin "Starting bridge br0"
        /sbin/brctl addbr br0
        /sbin/brctl addif br0 eth0
        /sbin/brctl addif br0 eth1
        ifconfig eth0 0.0.0.0
        ifconfig eth1 0.0.0.0
        ifconfig br0 123.45.67.2 broadcast 123.45.67.63 netmask 255.255.255.192 up
        route add -net default gw 123.45.67.1 netmask 0.0.0.0 metric 1 br0
        eend 0
    }
    stop() {
        ebegin "Stopping bridge br0"
        ifconfig br0 down
        /sbin/brctl delif br0 eth0
        /sbin/brctl delif br0 eth1
        /sbin/brctl delbr br0
        eend 0
    }
And a sample of my typical /etc/dhcp/dhcpd.conf file:
Code:
    # dhcpd configuration
    server-identifier mybridge;
    default-lease-time 600;
    max-lease-time 7200;
    ddns-update-style ad-hoc;
    authoritative;
    # subnet declaration for br0
    subnet 123.45.67.0 netmask 255.255.255.192 {
        option subnet-mask 255.255.255.192;
        option broadcast-address 123.45.67.63;
        option routers 123.45.67.1;
        option domain-name-servers 123.45.123.4, 123.45.123.5;
        option domain-name "mydomain.com";
        pool {
            max-lease-time 7200;
            range 123.45.67.3 123.45.67.62;
            deny unknown-clients;
        }
    }
    # host declarations for br0
    # 123.45.67.0 - NETWORK (/26)
    # 123.45.67.1 - GATEWAY
    # 123.45.67.2 - BRIDGE
    # 123.45.67.3
    host client-3 {
        hardware ethernet 00:15:28:2B:EF:B5;
        fixed-address 123.45.67.3;
    }
    # 123.45.67.4
    host client-4 {
        hardware ethernet 00:03:B1:23:49:12;
        fixed-address 123.45.67.4;
    }
    # 123.45.67.63 - BROADCAST
Hu (Administrator)
Joined: 06 Mar 2007 Posts: 23093
Posted: Sat Sep 06, 2008 6:51 pm
This should be possible with selective application of the MASQUERADE and/or SNAT targets for the NAT aspect of the problem. For isolating the machines from other networks, you can probably make it work using FORWARD rules that DROP unauthorized traffic. Since you are bridging, the normal interface restrictions in iptables rules will see br0. Use the physdev match to work around that.
This is a complex enough problem that I strongly recommend testing this in a lab environment first. A few qemu/kvm guests running a Gentoo minimal CD could provide the "internal" clients, with the host machine modeling how your bridge will be configured.
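The following is an added example, not code posted in this thread by either participant. It prints, rather than applies, the two pieces Hu's reply points at: the iptables FORWARD/DROP isolation with a physdev match and the SNAT rule, plus the dhcpd shared-network fragment that lets a second, private subnet live on the same br0 as the public /26 from the original post. Everything beyond what the thread gives is an assumption: the private subnet 192.168.50.0/24 with the bridge host as its router at 192.168.50.1, eth1 as the port the clients sit behind, the bridge's public address 123.45.67.2 reused as the SNAT source, and a constructed MAC for the sample private host.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the firewall rules and the dhcpd
# fragment for a private subnet that shares br0 with the public /26 and is
# SNATed behind the bridge's own public address. Review the output, then
# apply with:  sh this.sh rules | sh      and paste   sh this.sh dhcp   into dhcpd.conf
#
# Assumptions (placeholders, not taken from the thread):
PRIV_NET="${PRIV_NET:-192.168.50.0/24}"     # private subnet handed to selected MACs
PRIV_GW="${PRIV_GW:-192.168.50.1}"          # bridge host's address inside it (their router)
PUB_NET="${PUB_NET:-123.45.67.0/26}"        # the public /26 from the original post
PUB_IP="${PUB_IP:-123.45.67.2}"             # bridge address, reused as SNAT source
BRIDGE="${BRIDGE:-br0}"
CLIENT_PORT="${CLIENT_PORT:-eth1}"          # bridge port the clients hang off
IPT="${IPT:-iptables}"

# Print the iptables rules one per line so they can be reviewed before use.
gen_rules() {
    # Bridged frames only traverse the FORWARD chain when br_netfilter says so.
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Anti-spoof: a private source address is only believable if the frame came in
    # on the client port. physdev-in sees the member port; plain -i only sees br0.
    echo "$IPT -A FORWARD -s $PRIV_NET -m physdev ! --physdev-in $CLIENT_PORT -j DROP"
    # Private clients may talk to each other.
    echo "$IPT -A FORWARD -s $PRIV_NET -d $PRIV_NET -j ACCEPT"
    # Replies to connections the private side opened (de-NATed in PREROUTING first).
    echo "$IPT -A FORWARD -d $PRIV_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Private clients must not reach the public clients on the same bridge
    # (this also covers the upstream router's own address; loosen if needed).
    echo "$IPT -A FORWARD -s $PRIV_NET -d $PUB_NET -j DROP"
    # Anything else leaving through the bridge is allowed and NATed below.
    echo "$IPT -A FORWARD -s $PRIV_NET -o $BRIDGE -j ACCEPT"
    # Nobody else gets into the private subnet.
    echo "$IPT -A FORWARD -d $PRIV_NET -j DROP"
    # NAT: rewrite private sources to the bridge's public address on the way out.
    echo "$IPT -t nat -A POSTROUTING -s $PRIV_NET -o $BRIDGE -j SNAT --to-source $PUB_IP"
}

# Print the dhcpd.conf fragment. Both subnets are on one segment (br0), so they
# must sit in one shared-network block; a host's fixed-address decides which
# subnet it lands in, and deny unknown-clients keeps unlisted MACs out of both pools.
gen_dhcp_fragment() {
    cat <<EOF
shared-network $BRIDGE {
    subnet ${PUB_NET%/*} netmask 255.255.255.192 {
        option routers 123.45.67.1;
        pool { range 123.45.67.3 123.45.67.62; deny unknown-clients; }
    }
    subnet ${PRIV_NET%/*} netmask 255.255.255.0 {
        option routers $PRIV_GW;
        pool { range 192.168.50.10 192.168.50.200; deny unknown-clients; }
    }
}
# a client that gets a private (NATed) address; MAC is a constructed placeholder
host client-priv-1 {
    hardware ethernet 00:00:5E:00:53:01;
    fixed-address 192.168.50.10;
}
EOF
}

case "${1:-}" in
    rules) gen_rules ;;
    dhcp)  gen_dhcp_fragment ;;
esac
```

The isolation here is IP-level only: the bridge still forwards ARP and any non-IP frames between all of its ports, so a private host and a public host on the same segment can still see each other at layer 2. If that matters, the same split needs ebtables rules or separate VLANs, which is exactly the kind of thing worth confirming in the lab setup Hu suggests before touching a production bridge.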