I work for a company that has nearly exhausted its Class C range of IP addresses. We decided to get by the problem by using a single Linux router running iptables to route the exhausted 192.168.1.0 network (eth0) to three LANs with numbers 192.168.101.0, 192.168.102.0, and 192.168.103.0 (eth1, eth2, and eth3). Our goal is to have clients inside those networks see a single server in the old 192.168.1.0 network. Since the new LANs are inside the production network (192.168.1.0), they face a trusted network and don't need to filter or firewall transactions across the router. The clients only need to see the server, and the server needs to see inside the new LANs in order to print to their printers.

At first I thought the simplest solution would be the best, so I decided to use a NAT table. I set up a script to do all the requisites, such as flush all the chains, start the ip_forward process in the /proc file system, modprobe for relevant modules, etc. Then I added one line to set up the NAT table:

/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.1.xxx

where xxx is the 192.168.1.0 number of the eth0 NIC.

Of course, all the clients in the new LANs can see the server, but now the server can't see printers or anything else inside the new LANs. If NAT is the answer at all, it would seem that I should use DNAT and the PREROUTING chain to send packets from the server down to the new LANs, but the matter is more complicated because I am routing to three interfaces (eth1, eth2, and eth3) rather than firewalling a single interface.

So here is my question for you, dear reader:

1. How do I write a DNAT PREROUTING statement to accommodate all three interfaces, and/or:
2. Is NAT the solution? Or should I be using a filter table instead of a NAT table to accomplish this goal?

Any help much appreciated.

John Reese

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
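As an added example (not the poster's script and not from the list), the router setup the post describes, with the SNAT rule matched on the three new LANs and interface-scoped FORWARD rules, plus a routing-based return path for the server in place of DNAT. The interface names, the address 192.168.1.254 standing in for 192.168.1.xxx, and the choice of static routes on the server rather than DNAT are my assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. eth0 = old 192.168.1.0/24 network,
# eth1-3 = the three new LANs. ROUTER_IP stands in for the post's 192.168.1.xxx
# (placeholder value). DRY_RUN=1 (the default) prints each command instead of
# running it; set DRY_RUN=0 and run as root to apply.
ROUTER_IP=${ROUTER_IP:-192.168.1.254}
NEW_NETS="eth1:192.168.101.0/24 eth2:192.168.102.0/24 eth3:192.168.103.0/24"
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

router_config() {
    # Clean slate in both the filter and nat tables, NAT module, forwarding on.
    run iptables -F
    run iptables -t nat -F
    run modprobe iptable_nat
    run sysctl -w net.ipv4.ip_forward=1
    # Forward only between eth0 and each new LAN (both directions); anything
    # else hitting FORWARD is dropped so the router relays no stray traffic.
    run iptables -P FORWARD DROP
    for entry in $NEW_NETS; do
        ifc=${entry%%:*}; net=${entry#*:}
        run iptables -A FORWARD -i eth0 -o "$ifc" -d "$net" -j ACCEPT
        run iptables -A FORWARD -i "$ifc" -o eth0 -s "$net" -j ACCEPT
    done
    # The post's SNAT rule, but matched on the new LANs as the source: traffic
    # from 192.168.10x.0 leaving eth0 appears to come from the router, so hosts
    # on the old network can reply without a route to the new LANs. Replies to
    # connections the server opens itself are not re-NATed by this rule.
    for entry in $NEW_NETS; do
        net=${entry#*:}
        run iptables -t nat -A POSTROUTING -s "$net" -o eth0 -j SNAT --to-source "$ROUTER_IP"
    done
}

# Return path for server-initiated traffic (printing). Rather than DNAT, which
# would need a spare 192.168.1.x address per printer, give the server a static
# route to each new LAN through the router. Run this on the server, not the
# router; it is an alternative chosen here, not something the post establishes.
server_routes() {
    for entry in $NEW_NETS; do
        net=${entry#*:}
        run ip route add "$net" via "$ROUTER_IP"
    done
}

router_config
```

Run it once with the default dry run to review the generated rule set, then with DRY_RUN=0 as root on the router; server_routes is meant to be run separately on the server.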