http://www.cahilig.net/2010/10/28/how-enable-11-nat-iptables
http://serverfault.com/questions/109569/iptables-massive-11-nat

http://www.qsl.net/kb9mwr/wapr/tcpip/bbhn-to-44net.txt

Iptables 1:1 NAT

1:1 NAT maps a single public IP address to one computer within your local area network (LAN).
Unlike port forwarding, which exposes selected ports only, 1:1 NAT forwards all ports from one external IP to one internal IP, so the internal host is reachable exactly as if it held the public address.

# Outbound: rewrite the internal host's source address to the public IP (POSTROUTING runs after routing)
iptables -t nat -A POSTROUTING -o eth0 -s 10.25.39.2 -j SNAT --to-source 44.92.21.5
# Inbound: rewrite the public IP to the internal host before the routing decision (PREROUTING)
iptables -t nat -A PREROUTING -i eth0 -d 44.92.21.5 -j DNAT --to-destination 10.25.39.2
# The FORWARD chain sees the internal address in both directions (DNAT has already happened, SNAT has not yet)
iptables -A FORWARD -s 10.25.39.2 -j ACCEPT
iptables -A FORWARD -d 10.25.39.2 -j ACCEPT

I have to connect two LANs: LAN1: 10.10.0.0/16 and LAN2: 192.168.0.0/16. I can't do simple routing, because 192.168.0.0/16 net is prohibited in LAN1, so I am thinking of using Full cone nat (1:1) to translate 192.168.x.y/16 to 10.11.x.y/16. Each translation is done by these rules:

# one DNAT/SNAT pair per host (shown for host .1); DNAT/SNAT take a single address, not a network
iptables -t nat -A PREROUTING -d 10.25.39.1 -j DNAT --to-destination 44.92.21.1
iptables -t nat -A POSTROUTING -s 44.92.21.1 -j SNAT --to-source 10.25.39.1

But I will have to enter 254*254*2 rules, which will, I think, result in enormous performance degradation. So, is there a way to write such a one-to-one translation with a minimum number of rules?

NETMAP
 This target allows you to statically map a whole network of 
 addresses onto another network of addresses. It can only be 
 used from rules in the nat table. 

 --to address[/mask]
     Network address to map to. The resulting address will be 
     constructed in the following way: All 'one' bits in the 
     mask are filled in from the new 'address'. All bits that 
     are zero in the mask are filled in from the original 
     address. 
iptables -t nat -A PREROUTING -d 10.25.39.0/24 -j NETMAP --to 44.92.21.0/24
iptables -t nat -A POSTROUTING -s 44.92.21.0/24 -j NETMAP --to 10.25.39.0/24
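Added example (not from the pages quoted above): a Python model of the NETMAP bit rule from the man page excerpt, applied to the two NETMAP rules and to the /16 case from the question. The function names `netmap` and `translate`, the rule table, and the sample addresses are constructed for illustration.

```python
import ipaddress

def netmap(original: str, to: str) -> str:
    """NETMAP --to address[/mask]: bits that are 1 in the mask come from the
    new address, bits that are 0 in the mask are kept from the original."""
    target = ipaddress.ip_network(to, strict=False)      # IPv4 only in this model
    orig = int(ipaddress.ip_address(original))
    mask = int(target.netmask)
    new = int(target.network_address)
    result = (new & mask) | (orig & ~mask & 0xFFFFFFFF)
    return str(ipaddress.ip_address(result))

# The two NETMAP rules from the note: (chain, matched field, matched network, --to)
NAT_RULES = [
    ("PREROUTING",  "dst", "10.25.39.0/24", "44.92.21.0/24"),
    ("POSTROUTING", "src", "44.92.21.0/24", "10.25.39.0/24"),
]

def translate(chain: str, src: str, dst: str) -> tuple[str, str]:
    """Apply the first matching nat rule of `chain` to a (src, dst) pair."""
    for rule_chain, field, match_net, to in NAT_RULES:
        if rule_chain != chain:
            continue
        matched = dst if field == "dst" else src
        if ipaddress.ip_address(matched) in ipaddress.ip_network(match_net):
            if field == "dst":
                dst = netmap(dst, to)
            else:
                src = netmap(src, to)
            break                                        # first match wins in nat
    return src, dst

if __name__ == "__main__":
    remote = "198.51.100.9"                              # constructed remote host
    # Inbound packet to the "public" side is mapped to the internal host, host part kept
    print(translate("PREROUTING", remote, "10.25.39.77"))   # ('198.51.100.9', '44.92.21.77')
    # The reply is mapped back by the POSTROUTING rule, so the pair is symmetric
    print(translate("POSTROUTING", "44.92.21.77", remote))  # ('10.25.39.77', '198.51.100.9')
    # The /16 case from the question: 192.168.x.y -> 10.11.x.y with two rules instead of 254*254*2
    print(netmap("192.168.200.17", "10.11.0.0/16"))         # 10.11.200.17
    # Non-octet mask: only the low 4 host bits (200 & 0x0F = 8) survive
    print(netmap("10.25.39.200", "44.92.21.16/28"))         # 44.92.21.24
```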