LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-10-2005, 12:00 AM   #1
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Rep: Reputation: 15
IP tables routing of multiple IP addresses


I have a Fedora Core 2 system that has been installed for about 6 months running IP tables with no problems. The customer just installed a new T1 with multiple IP addresses on it. I changed my IP tables entries to reflect the new IP addresses a couple of weeks ago. Everything has been operating correctly. I have eth0 connected to the T1 and eth1 connected to the internal LAN.
Now the customer has installed a new VOIP telephone system. There are 3 remote buildings. The phone company wants me to use 3 of the spare external IP addresses and route them to 3 different VLANs. This will enable the remote buildings to connect to the main phone system through their switch. My Fedora system sits between the T1 and everything inside.
What entries do I need to make to IP tables to route 3 of the external addresses to the 3 VLANs? Do I need to add the 3 external addresses as additional IP addresses to eth0?
Presently I have external address 151.xxx.xxx.98 routed to my internal LAN 192.168.1.0/24.

An example of what I am trying to accomplish:
External IP address    VLAN to route to
151.xxx.xxx.124        192.168.7.0/24
151.xxx.xxx.125        192.168.8.0/24
151.xxx.xxx.126        192.168.9.0/24
I want all ports open to these VLANs.

Any help would be appreciated.
 
Old 05-10-2005, 01:02 AM   #2
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
You'll probably want to use the NETMAP target which allows you to map a whole network of addresses onto another network of addresses (via the nat table only).

Technical explanation: "The resulting address will be constructed in the following way: All 'one' bits in the mask are filled in from the new `address'. All bits that are zero in the mask are filled in from the original address."

I've never used it but I assume (one of) the rules would look something like this
Code:
iptables -t nat -A PREROUTING -d 151.xxx.xxx.124 -j NETMAP --to 192.168.7.0/24
Note that the -d should really be a network and not an IP address, so I'm not sure if this will work verbatim, though it seems to work properly:
Code:
root@gateway:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 34545 packets, 11M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETMAP     all  --  any    any     anywhere             151.1.3.124         192.168.7.0/24

I'd also try adding a -d --match iprange 151.xxx.xxx.124-151.xxx.xxx.126 to try to compress it into a single rule.

The neat thing about the NETMAP target is that, IIRC, it doesn't mangle packets so all the host address (151.xxx.xxx.124) should remain intact.

Note: This may be a module or patch that's not commonly available (I compiled nearly every netfilter package into my kernel since it's a gateway...)
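Added illustration, not code from the thread: the NETMAP bit rule quoted above worked through in Python, using the 151.1.3.x addresses from the listing as constructed sample input. The rule list is a simplified first-match model of a PREROUTING chain, not a netfilter API; it shows what the single-host rule and the iprange variant would each produce.

```python
import ipaddress


def netmap(original: str, to_network: str) -> str:
    """Address NETMAP produces for `original` with `--to to_network`.

    Bits that are one in the target network's mask come from the
    --to address; bits that are zero come from the original address.
    """
    orig = int(ipaddress.IPv4Address(original))
    net = ipaddress.IPv4Network(to_network, strict=False)
    mask = int(net.netmask)
    new = int(net.network_address)
    host_bits = ~mask & 0xFFFFFFFF          # bits the original keeps
    return str(ipaddress.IPv4Address((new & mask) | (orig & host_bits)))


def first_match(dst: str, rules) -> str:
    """Walk (low, high, to_network) rules in order, like a chain.

    Returns the rewritten destination from the first rule whose range
    contains `dst`, or `dst` unchanged if nothing matches (policy ACCEPT).
    """
    d = int(ipaddress.IPv4Address(dst))
    for low, high, to_net in rules:
        if int(ipaddress.IPv4Address(low)) <= d <= int(ipaddress.IPv4Address(high)):
            return netmap(dst, to_net)
    return dst


# Constructed sample rules: one NETMAP rule per external address, each with
# its own --to network, mirroring the three-row table in the question.
PER_ADDRESS_RULES = [
    ("151.1.3.124", "151.1.3.124", "192.168.7.0/24"),
    ("151.1.3.125", "151.1.3.125", "192.168.8.0/24"),
    ("151.1.3.126", "151.1.3.126", "192.168.9.0/24"),
]

# The compressed iprange variant: one range, necessarily one --to network,
# so every address in the range lands in the same internal /24.
IPRANGE_RULE = [("151.1.3.124", "151.1.3.126", "192.168.7.0/24")]

if __name__ == "__main__":
    for ext in ("151.1.3.124", "151.1.3.125", "151.1.3.126", "151.1.3.98"):
        print(ext, "->", first_match(ext, PER_ADDRESS_RULES),
              "| iprange:", first_match(ext, IPRANGE_RULE))
```

Because the host bits are kept, a single-host -d with --to 192.168.7.0/24 rewrites .124 to 192.168.7.124 rather than to "the whole /24", which is why the -d is normally a network of the same size as the --to network.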
 
Old 05-10-2005, 06:43 AM   #3
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks michaelsanford. I will see if the NETMAP module is loaded and give it a try.
 
Old 05-10-2005, 11:20 AM   #4
michaelsanford
Member
 
Registered: Feb 2005
Location: Ottawa/Montréal
Distribution: Slackware + Darwin (MacOS X)
Posts: 468

Rep: Reputation: 30
If it does work let us know
 
Old 05-11-2005, 05:06 PM   #5
2buck56
Member
 
Registered: Oct 2004
Posts: 54

Original Poster
Rep: Reputation: 15
As it turns out, the telephone technician was wrong on what they wanted to do, so I did not get a chance to try this. After further discussions, they just wanted the .7, .8, and .9 networks to be able to see each other and to be able to see the .1 subnet. I did this by adding INPUT and OUTPUT statements for the three new subnets with masks of 255.255.240.0. I also changed the .1 subnet mask to the same thing. They did not want the 3 new subnets to have access to the outside world so I did not add FORWARD statements for them.
Thanks for your help. I did do some research on what you suggested and it looked like it possibly would have worked. But, since I did not try it, I can't say for sure.