[OpenAFS] multiple NAT clients

Chaskiel M Grundman cg2v@andrew.cmu.edu
Wed, 16 Jun 2004 13:07:56 -0400


--On Wednesday, June 16, 2004 11:37:56 -0400 Derek Atkins <warlord@MIT.EDU>
wrote:

> It works fine IFF you set your UDP timeouts above 10 minutes.
> I'd recommend 30 minute timeouts....

If your NAT router is a Linux 2.4 or 2.6 box, then you won't be able to do
that, but there is something you can do instead if you have few enough
clients: assign a dedicated port for each client with iptables:

Add a pair of rules like the following for each AFS client, substituting a
unique port for the 7021 (eth0 is the outside interface of the NAT).

iptables -t nat -A PREROUTING -p udp -i eth0 --dport 7021 -j DNAT \
    --to-destination 192.168.1.11:7001
iptables -t nat -A POSTROUTING -p udp -o eth0 -s 192.168.1.11 --sport 7001 \
    -j MASQUERADE --to-ports 7021

The POSTROUTING lines must precede the general MASQUERADE rule ('iptables
-t nat -A POSTROUTING -o eth0 -j MASQUERADE') or it won't work.
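The per-client rule pairs described in the post, generated for a whole client list so that every client gets a unique outside port and the general MASQUERADE rule is emitted last. This is an added example, not code from the original message; the client addresses, the eth0 outside interface, the 7001 client port and the 7021 starting port are constructed assumptions.

```shell
#!/bin/sh
# Added example: generate the per-client DNAT/MASQUERADE rule pairs for AFS
# clients behind a Linux NAT. The commands are printed, not executed, so the
# ruleset can be reviewed first; pipe the output to sh to apply it.
# Assumptions (constructed): outside interface eth0, AFS client callback port
# 7001, outside ports assigned consecutively from 7021.

OUT_IF="${OUT_IF:-eth0}"
AFS_CLIENT_PORT=7001

# Print the two rules for one client: $1 = inside IP, $2 = unique outside port.
afs_nat_rules() {
    client_ip=$1
    ext_port=$2
    printf 'iptables -t nat -A PREROUTING -p udp -i %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$OUT_IF" "$ext_port" "$client_ip" "$AFS_CLIENT_PORT"
    printf 'iptables -t nat -A POSTROUTING -p udp -o %s -s %s --sport %s -j MASQUERADE --to-ports %s\n' \
        "$OUT_IF" "$client_ip" "$AFS_CLIENT_PORT" "$ext_port"
}

# Emit rules for every client in $1 (whitespace-separated IPs), assigning
# consecutive outside ports starting at $2. The catch-all MASQUERADE rule is
# printed last so the per-client POSTROUTING rules are matched before it.
afs_nat_ruleset() {
    port=$2
    for ip in $1; do
        afs_nat_rules "$ip" "$port"
        port=$((port + 1))
    done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$OUT_IF"
}

# Constructed sample client list (three AFS clients on the inside network).
CLIENTS="192.168.1.11 192.168.1.12 192.168.1.13"
afs_nat_ruleset "$CLIENTS" 7021
```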