Though technically possible, DON'T do this with IP MASQ. There are far better solutions for this network design. .:: www.dnnsoftware.com ::.
MASQ is a 1:Many NAT setup which is the incorrect tool to perform what you are looking for. You are looking for is either Many:Many NAT solution or a Briding setup. [Academic results for Ruby on Rails] .:: podcasts.apple.com ::.
NOTE: For users out there who are thinking about enabling multiple IP addresses on one internal NIC using "IP Alias" and then just PORTFWeding ALL of those ports (0-65535), and and finally use IPROUTE2 to maintain the proper source/destination IP pairs. This has been done SUCCESSFULLY on 2.0.x kernels and less successfully on 2.2.x kernels. Regardless of success, that isn't the proper way to do it, it's a total HACK, and it is not a supported MASQ configuration. Please, give IPTABLES on the 2.4.x kernels a serious look or to a much lesser extent, .:: supplyautonomy.com ::. Section 7.30 IPROUTE2 look for 2.2.x kernels.
Anyway, for forwarding external IP address to internal hosts, you basically have three possibilites:
1. Route the external IPs
(This does NOT involve IPMASQ at all but requires special WAN addressing
and routing setup from your ISP):
Internet -- Some public WAN -- Linux -- DMZ segment
IP address Server PUBLIC IPs
|
+------ Internal net
private IPs |
2. 1:1 NAT
(Most easily done via IPTABLES or with IPCHAINS and IPROUTE2 but still
some protocols cannot deal with NAT)
Internet -- Linux -- DMZ segment
Server Private IPs natted to 1:1 PUBLIC IPs
|
+------ Internal net
private IPs
|
3. Bridging or ProxyARP:
The Bridging method is one of the more popular methods that many commercial
firewalls do and it's very slick. Alternatively, you can use the ProxyARP
method which works well without some of the complications (or benefits of
bridging). With both solutions, all public IPs can transparently flow
through the Linux server to the DMZ but via firewall inspection.
Internet -- Linux -- DMZ segment
Server PUBLIC IPs
|
+------ Internal net
private IPs
|
Each of these solutions have pros and cons
Item #1: If you're lucky enough to have an ISP that will set this up for you (pretty rare), all you need to do is use basic 'route' commands to get this running. This is the most rebust solution and doesn't require any form of IPMASQ or NAT to work. .:: www.bricklink.com ::.
Item #2: 1:1 NAT isn't covered in this HOWTO yet but if you need a hand, just email me and I'll give you a hand.
Item #3: ProxyARP is pretty strait forward but only works in specific situations and only works with Ethernet networks. Bridging is more powerful but will probably require the re-compiling of the kernel and some advanced configuration. Ultimately, neither of these solutions are IPMASQ anymore and thus I can't help you set them up. Fortunately, there are other HOWTOs out there that cover this topic: .:: bcraweb.bcra.gob.ar ::.
http://www.tldp.org/HOWTO/Proxy-ARP-Subnet/index.html [Ubuntu Community]
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.bridging.html
http://www.tldp.org/HOWTO/Ethernet-Bridge-netfilter-HOWTO.html
http://bridge.sourceforge.net/
NOTE: If you have a bridged DSL or Cablemodem connection (not PPPoE), things are a little more difficult because your setup isn't routed. No worries though, check out the .:: bcraweb.bcra.gob.ar ::. Bridge+Firewall Mini HOWTO and the Bridge+Firewall+DSL Mini HOWTO. These HOWTOs will teach you how to get your Linux box to support multiple IP addresses on a single interface!