7.31. ( MULTIPLE IPs - DMZ segments) - I have several EXTERNAL IP addresses that I want to PORTFW to several internal machines. How do I do this?

You DON'T do this with MASQ.

MASQ is a 1:Many NAT setup which is the incorrect tool to perform what you are looking for. You are looking for is either Many:Many NAT solution or a Briding setup.

NOTE: For users out there who are thinking about enabling multiple IP addresses on one internal NIC using "IP Alias" and then just PORTFWeding ALL of those ports (0-65535), and and finally use IPROUTE2 to maintain the proper source/destination IP pairs. This has been done SUCCESSFULLY on 2.0.x kernels and less successfully on 2.2.x kernels. Regardless of success, that isn't the proper way to do it, it's a total HACK, and it is not a supported MASQ configuration. Please, give IPTABLES on the 2.4.x kernels a serious look or to a much lesser extent, Section 7.29 IPROUTE2 look for 2.2.x kernels.

Anyway, for forwarding external IP address to internal hosts, you basically have three possibilites:

• 1. Route the external IPs (This does NOT involve IPMASQ at all but requires special WAN addressing and routing setup from your ISP): Internet -- Some public WAN -- Linux -- DMZ segment IP address Server PUBLIC IPs | +------ Internal net private IPs

• 2. 1:1 NAT (Most easily done via IPTABLES or with IPCHAINS and IPROUTE2 but still some protocols cannot deal with NAT) Internet -- Linux -- DMZ segment Server Private IPs natted to 1:1 PUBLIC IPs | +------ Internal net private IPs

• 3. Bridging: This is how most commercial firewalls do it as it's very slick. Basically, all public IPs transparently flow through the Linux server to the DMZ but via firewall inspection. Internet -- Linux -- DMZ segment Server PUBLIC IPs | +------ Internal net private IPs

Though this howto doesn't cover items #1 and #2 yet, email me and I can give you a hand. For item #3, this isn't IPMASQ anymore and thus I can't help you. Fortunately, there are a few HOWTOs out there on the topic:

• http://bridge.sourceforge.net/

• http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html

NOTE: If you have a bridged DSL or Cablemodem connection (not PPPoE), things are a little more difficult because your setup isn't routed. No worries though, check out the Bridge+Firewall Mini HOWTO and the Bridge+Firewall+DSL Mini HOWTO. These HOWTOs will teach you how to get your Linux box to support multiple IP addresses on a single interface!