  1. #1
    Just Joined!
    Join Date
    Nov 2008
    Posts
    2

    using NAT (iptables) to extend public class C IP range


    We have a public class C address range 72.183.76.0/24 that we have been using for many years.

    We have now run out of available addresses, and want to extend the network using NAT on iptables.

    I have tried setting up the rules as follows:


    # eth0 = 72.183.76.253  (public side)
    # eth1 = 10.10.10.253   (private side)
    # ip_forward must already be 1 for the FORWARD rules to have any effect

    # Flush all rules (filter and nat tables)
    iptables -F
    iptables -t nat -F

    # Masquerade private-side traffic leaving on the public interface
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # Allow replies back in, and anything out from the private side
    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    All seems to work OK (web browsing, e-mail etc.) but we keep getting disconnects from our file server. The mapped drive goes offline. If you synchronise it will be OK and then go offline again. Sometimes this lasts a while; other times it goes straight back offline again.

    The PCs on the public IPs are OK.

    It gets worse the more people we have going through the NAT box.

    Is there any reason that what we are trying to do won't work? Any suggestions?

    Thanks

  2. #2
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,746
    It *sounds like* you are either:

    A) Running into a table limit internal to iptables on how many connections it can track at once. (This could be something that's tunable.)

    B) Running out of ports on the NAT machine. Because every connection from the internal network has to be translated into a port on the NAT machine, you would be surprised how fast you can burn through ~63K of ports. You can monitor how many ports are in use with netstat and/or reduce the "time_wait" state to something lower to recycle ports faster (240 sec is the usual default.)

  3. #3
    Just Joined!
    Join Date
    Nov 2008
    Posts
    2
    Thanks for your response.

    A) Any idea how this is tunable?
    B) I installed netstat-nat, which has helped me check current connections. Given that it is Saturday, there are not many users on the system. However, the problem is still happening, but to a lesser extent with server1 and more with server2.

    Let me explain:

    We have a Microsoft AD domain, and we are using folder redirection, storing our user profiles on the server (server2). Our users also have access to a file share on a server (server1) that is not part of the domain.

    The main problem is that users experience server1 going offline. However, this morning (Saturday) the problem has been with server2.

    Now I'm not sure if it is the server that is closing the connection, or the client, or the NAT box, but something is.

    When all is OK, the connection shows as ESTABLISHED in netstat-nat. As soon as the offline files icon appears I run netstat-nat again, to find that the connection to server1 is in TIME_WAIT.

    We have between 50 and 100 users using the NAT box. Is it usual to have these kinds of problems for this number of users?

    Another option I have thought of would be to enable the other network card in the file servers with a private address. The idea being to stop this traffic going through the NAT box. What do you think?

    Thanks.
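An added diagnostic script (not code from either poster) that automates the two checks this thread is circling around: whether the conntrack table is close to nf_conntrack_max (reply #2, point A), and which NAT'd file-server sessions have dropped from ESTABLISHED to TIME_WAIT between two snapshots, which is the transition the poster observed by hand with netstat-nat in #3. It parses the /proc/net/nf_conntrack text format. The snapshots below are constructed; the server addresses 72.183.76.10 and .11, the client addresses, and the use of port 445 for the SMB shares are assumptions, not values from the thread.

```python
"""Parse conntrack table snapshots and report the two NAT failure modes
discussed in the thread: a conntrack table near nf_conntrack_max, and
NAT'd file-server sessions that drop from ESTABLISHED to TIME_WAIT.
All sample lines are constructed in /proc/net/nf_conntrack format."""

from collections import Counter, defaultdict

SMB_PORT = 445  # assumed service port for the mapped drives

# Constructed snapshot "before": every SMB session is ESTABLISHED.
SNAPSHOT_BEFORE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.10.10.21 dst=72.183.76.10 sport=49152 dport=445 src=72.183.76.10 dst=72.183.76.253 sport=445 dport=49152 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.10.10.22 dst=72.183.76.10 sport=49153 dport=445 src=72.183.76.10 dst=72.183.76.253 sport=445 dport=49153 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.10.10.23 dst=72.183.76.11 sport=49154 dport=445 src=72.183.76.11 dst=72.183.76.253 sport=445 dport=49154 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.10.10.21 dst=72.183.76.11 sport=50001 dport=53 src=72.183.76.11 dst=72.183.76.253 sport=53 dport=50001 mark=0 use=2
"""

# Constructed snapshot "after": two sessions to server1 (.10) have gone to TIME_WAIT.
SNAPSHOT_AFTER = """\
ipv4     2 tcp      6 119 TIME_WAIT src=10.10.10.21 dst=72.183.76.10 sport=49152 dport=445 src=72.183.76.10 dst=72.183.76.253 sport=445 dport=49152 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=10.10.10.22 dst=72.183.76.10 sport=49153 dport=445 src=72.183.76.10 dst=72.183.76.253 sport=445 dport=49153 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.10.10.23 dst=72.183.76.11 sport=49154 dport=445 src=72.183.76.11 dst=72.183.76.253 sport=445 dport=49154 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.10.10.21 dst=72.183.76.11 sport=50001 dport=53 src=72.183.76.11 dst=72.183.76.253 sport=53 dport=50001 mark=0 use=2
"""


def parse_conntrack(text):
    """Return one dict per conntrack entry.

    Field layout: l3proto l3num l4proto l4num timeout [state] k=v ...
    The state column only exists for protocols that track one (e.g. tcp).
    The first src/dst pair is the original direction, the second the reply
    direction, so the reply 'dst' is the address MASQUERADE rewrote to.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5:
            continue
        entry = {"proto": tokens[2], "timeout": int(tokens[4]), "state": None}
        rest = tokens[5:]
        if rest and "=" not in rest[0] and not rest[0].startswith("["):
            entry["state"] = rest[0]
            rest = rest[1:]
        kv = [t.split("=", 1) for t in rest if "=" in t]
        orig, reply = dict(kv[:4]), dict(kv[4:8])
        entry.update(src=orig["src"], dst=orig["dst"], sport=int(orig["sport"]),
                     dport=int(orig["dport"]), nat_src=reply["dst"])
        entries.append(entry)
    return entries


def states_per_server(entries, dport=SMB_PORT):
    """Count TCP conntrack states per destination server for one service port."""
    per_server = defaultdict(Counter)
    for e in entries:
        if e["proto"] == "tcp" and e["dport"] == dport:
            per_server[e["dst"]][e["state"]] += 1
    return {server: dict(c) for server, c in per_server.items()}


def dropped_sessions(before, after):
    """(client, server, sport) for sessions that were ESTABLISHED in the first
    snapshot and are TIME_WAIT in the second: the pattern seen when a mapped
    drive goes offline."""
    def key(e):
        return (e["src"], e["dst"], e["sport"])
    was_established = {key(e) for e in before if e["state"] == "ESTABLISHED"}
    return sorted(key(e) for e in after
                  if e["state"] == "TIME_WAIT" and key(e) in was_established)


def conntrack_headroom(count, maximum, warn_at=0.8):
    """Fraction of nf_conntrack_max in use and whether it is time to raise it.
    On a live box the two numbers come from
    /proc/sys/net/netfilter/nf_conntrack_count and .../nf_conntrack_max
    (older kernels: /proc/sys/net/ipv4/ip_conntrack_count and ip_conntrack_max)."""
    used = count / maximum
    return used, used >= warn_at


if __name__ == "__main__":
    before, after = parse_conntrack(SNAPSHOT_BEFORE), parse_conntrack(SNAPSHOT_AFTER)
    print("states per server:", states_per_server(after))
    print("dropped sessions:", dropped_sessions(before, after))
    print("conntrack usage:", conntrack_headroom(61000, 65536))
```

Taking a snapshot when the drives are healthy and another the moment the offline-files icon appears, then feeding both to `dropped_sessions`, separates "the NAT box lost the entry" from "one end closed the session": an entry that has genuinely gone TIME_WAIT was closed by an endpoint, whereas an entry that simply vanished points at the conntrack table (when it fills, the kernel logs `nf_conntrack: table full, dropping packet`). `conntrack_headroom` is the check for reply #2's point A; the corresponding tunable is `net.netfilter.nf_conntrack_max` via sysctl.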
