  1. #1

    using NAT (iptables) to extend public class C IP range

    We have a public class C address range that we have been using for many years.

    We have now run out of available addresses, and want to extend the network using NAT on iptables.

    I have tried setting up the rules as follows:

    eth0 =
    eth1 =

    # Flush all rules
    iptables -F
    iptables -t nat -F
    # Translate everything leaving the public interface to its address
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # Only let reply traffic back in from the public side
    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Let the private side out
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    All seems to work OK (web browsing, e-mail etc.) but we keep getting disconnects from our file server. The mapped drive goes offline. If you synchronise, it will be OK and then go offline again. Sometimes this lasts a while, other times it goes straight back offline again.

    The PCs on the public IPs are OK.

    It gets worse the more people we have going through the NAT box.

    Is there any reason that what we are trying to do won't work? Any suggestions?
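A complete rule set for the setup described above, as an added example that is not the poster's script. Two things the posted rules depend on are worth stating: `iptables -F` flushes rules but leaves the chain policy as it was, so unless the FORWARD policy is DROP the RELATED,ESTABLISHED rule on eth0 to eth1 restricts nothing, and packets are only forwarded at all once net.ipv4.ip_forward is set. Because the gateway has a fixed public address, the script uses SNAT rather than MASQUERADE (MASQUERADE is meant for dynamic addresses and forgets its translations when the interface goes down). The interface names come from the post; the private range 10.0.0.0/24 and the public address 203.0.113.1 are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's rules): a complete NAT gateway rule set for
# the setup described above. Assumptions: eth0 faces the public class C,
# eth1 is the new private LAN, and the gateway's public address is fixed.
# All addresses below are placeholders for the real ones.
PUB_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24    # assumed private range behind the NAT box
PUB_IP=203.0.113.1     # assumed fixed public address of the gateway's eth0

# Emit the commands as text so they can be reviewed (default) or run (--apply).
rules() {
    cat <<EOF
# packets are not forwarded at all until this is enabled
sysctl -w net.ipv4.ip_forward=1
# flush rules; note that -F does not reset the chain policy
iptables -F
iptables -t nat -F
# deny forwarding by default, otherwise the rule below for eth0 restricts nothing
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# only the private LAN may go out, only replies may come back in
iptables -A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# fixed public address, so SNAT instead of MASQUERADE
iptables -t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -j SNAT --to-source $PUB_IP
EOF
}

# Checks a reviewer can run on the generated set without loading it.
forward_policy()     { rules | awk '$1 == "iptables" && $2 == "-P" && $3 == "FORWARD" { print $4 }'; }
forward_rule_count() { rules | grep -c '^iptables -A FORWARD'; }
nat_target()         { rules | awk '/-t nat -A POSTROUTING/ { for (i = 1; i <= NF; i++) if ($i == "-j") print $(i + 1) }'; }

case "${1:-}" in
    --apply) rules | sh -e ;;   # needs root; stops at the first failing command
    *)       rules ;;
esac
```

Run without arguments to print the rules for review, `--apply` as root to load them. The `-s $LAN_NET` match on both the FORWARD and SNAT rules keeps the gateway from translating traffic with spoofed source addresses arriving on eth1.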


  2. #2
    It *sounds like* you are either:

    A) Running into a table limit internal to iptables on how many connections it can track at once. (This could be something that's tunable.)

    B) Running out of ports on the NAT machine. Because every connection from the internal network has to be translated into a port on the NAT machine, you would be surprised how fast you can burn through ~63K of ports. You can monitor how many ports are in use with netstat and/or reduce the "time_wait" state to something lower to recycle ports faster (240 sec is the usual default.)

  3. #3
    Thanks for your response.

    A) Any idea how this is tuneable?
    B) I installed netstat-nat, which has helped me check current connections. Given that it is Saturday, there are not many users on the system. However, the problem is still happening, but to a lesser extent with server1, and is happening more with server2.

    Let me explain:

    We have a Microsoft AD domain and are using folder redirection, storing our user profiles on the server (server2). Our users also have access to a file share on a server (server1) that is not part of the domain.

    The main problem is that users experience server1 going offline. However, this morning (Saturday) the problem has been with server2.

    Now I'm not sure if it is the server that is closing the connection, or the client, or the NAT box, but something is.

    When all is OK, the connection shows as ESTABLISHED in netstat-nat. As soon as the offline files icon appears I run netstat-nat again, and find that the connection to server1 is in TIME_WAIT.

    We have between 50 and 100 users using the NAT box. Is it usual to have these kinds of problems for this number of users?

    Another option I have thought of would be to enable the other network card in the file servers with a private address. Idea being to stop this traffic going through the NAT box. What do you think?
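The two checks post #2 suggests (conntrack table limit, NAT port usage) and the tuning post #3 asks about, as an added example that is not from the thread. The limit in A) is nf_conntrack_max under /proc/sys/net/netfilter (ip_conntrack_max under /proc/sys/net/ipv4/netfilter on older kernels); when it is reached the kernel logs "nf_conntrack: table full, dropping packet" and new connections fail while existing ones keep working. On B), the NAT code only needs the (protocol, source port, destination address, destination port) tuple to be unique, so the roughly 63K port budget is per destination rather than global; the conntrack table maximum is global. A conntrack entry in TIME_WAIT means one side has sent a FIN and the connection is already closed; the entry is kept for nf_conntrack_tcp_timeout_time_wait seconds (120 by default) and holds its port until then. The sample entries and the tuning values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the two failure modes raised in
# post #2 using the nf_conntrack proc interface (/proc/net/nf_conntrack and
# /proc/sys/net/netfilter/*). Older kernels expose the same data as
# /proc/net/ip_conntrack and /proc/sys/net/ipv4/netfilter/ip_conntrack_*;
# the parsers below accept both line formats.

# Constructed sample in the /proc/net/nf_conntrack format: three clients behind
# the gateway 203.0.113.1 talking to a file server (port 445), a web server and
# a DNS server. Entry 2 has been closed by one side and is sitting in TIME_WAIT.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.20 sport=49152 dport=445 src=198.51.100.20 dst=203.0.113.1 sport=445 dport=49152 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.6 dst=198.51.100.20 sport=49153 dport=445 src=198.51.100.20 dst=203.0.113.1 sport=445 dport=49153 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=198.51.100.30 sport=49154 dport=80 src=198.51.100.30 dst=203.0.113.1 sport=80 dport=49154 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=5353 mark=0 use=1'

# Number of TCP entries in a given conntrack state (ESTABLISHED, TIME_WAIT, ...),
# read from stdin. The protocol column is found by name so both formats work;
# the state sits three fields after it.
count_tcp_state() {
    awk -v want="$1" '
        { p = 0
          for (i = 1; i <= NF; i++) if ($i == "tcp") { p = i; break }
          if (p && $(p + 3) == want) n++ }
        END { print n + 0 }'
}

# Distinct (protocol, port) pairs held on the public address: the second dport=
# on each line is the port the reply is addressed to, i.e. the port the NAT box
# allocated. TIME_WAIT entries still hold their port until they expire.
nat_ports_in_use() {
    awk '
        { proto = ""; n = 0
          for (i = 1; i <= NF; i++) {
              if (proto == "" && $i ~ /^(tcp|udp)$/) proto = $i
              else if ($i ~ /^dport=/ && ++n == 2) { sub(/^dport=/, "", $i); seen[proto " " $i] = 1 }
          } }
        END { c = 0; for (k in seen) c++; print c }'
}

# Integer percentage of the table in use, given current count and maximum.
usage_percent() { echo $(( $1 * 100 / $2 )); }

# Live report against the running kernel (root is needed to read the table).
report() {
    ct=/proc/net/nf_conntrack
    sysdir=/proc/sys/net/netfilter
    [ -r "$ct" ] || { echo "cannot read $ct (not root, or nf_conntrack not loaded)" >&2; return 1; }
    count=$(cat "$sysdir/nf_conntrack_count"); max=$(cat "$sysdir/nf_conntrack_max")
    echo "conntrack entries: $count / $max ($(usage_percent "$count" "$max")% used)"
    echo "TCP ESTABLISHED: $(count_tcp_state ESTABLISHED < "$ct")"
    echo "TCP TIME_WAIT:   $(count_tcp_state TIME_WAIT < "$ct")"
    echo "NAT ports held:  $(nat_ports_in_use < "$ct")"
    echo "tcp_timeout_established: $(cat "$sysdir/nf_conntrack_tcp_timeout_established")s"
    echo "tcp_timeout_time_wait:   $(cat "$sysdir/nf_conntrack_tcp_timeout_time_wait")s"
}

# Tunables for A) (table full) and B) (ports held by closed entries). The values
# are illustrative; raise nf_conntrack_max together with the hash table size.
tune_conntrack() {
    sysctl -w net.netfilter.nf_conntrack_max=131072
    echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
    sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
}

case "${1:-}" in
    --tune) tune_conntrack ;;
    --live) report ;;
    *)  # demonstration on the constructed sample: 2 established, 1 time_wait, 4 ports
        printf '%s\n' "$SAMPLE_CONNTRACK" | count_tcp_state ESTABLISHED
        printf '%s\n' "$SAMPLE_CONNTRACK" | count_tcp_state TIME_WAIT
        printf '%s\n' "$SAMPLE_CONNTRACK" | nat_ports_in_use ;;
esac
```

Run `--live` as root on the NAT box while the drive is dropping: a count close to the maximum points at A), while a large TIME_WAIT share against a small ESTABLISHED share points at B). If neither is near its limit, the conntrack table is not what is closing the SMB sessions and the closing side has to be found on the server or the client.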


