It's basically what you have now, except instead of using IP aliasing (ethx:y) you use proxy_arp (echo 1 > /proc/sys/net/ipv4/conf/eth*/proxy_arp). This instructs Linux to respond to ARP requests for the 4 firewalled servers. Once this is done, traffic will pass through the firewall invisibly, as though it were a switch. You need to set proxy_arp on both interfaces so that everyone will 'talk' through the firewall.
--- Leonardo Boselli <[EMAIL PROTECTED]> wrote:
> On Thu, 27 May 2004, Mike Mestnik wrote:
> > I think you have this backwards, are you talking about --to-source or
> > --source? I'm also wondering why not just use proxy-arp (set up with the
> > arp cmd) and set up the internal IPs to be what the external IPs are? This
> > way the router can focus on firewalling traffic and not need to do any
> > nat.
>
> Proxy-arp would mean that in the "satellite" subnet I would have 4 hosts
> with addresses not in that net. No problem giving these hosts 2
> addresses, unless it could break some other things. BTW if someone
> from 192.168.19.66 tries to access a.b.c.194 that is inside that net, even
> if it has a second address 192.168.19.194?
> PS: do you have a howto on the proxy-arp option?
>
> > You should be using...
> > iptables $OTHEROPTS -i eth<to world> --destination <IP.ext> DNAT
> > --to-destination <IP.int>
> >
> > iptables $OTHEROPTS -o eth<to world> --source <IP.int> SNAT --to-source
> > <IP.ext>
> >
> > Then use "-t filter -? FORWARD" to set up all your allow/deny/drop rules.
> > Also don't forget to use "-m state NEW" and "-m state ESTABLISHED/RELATED"
> > for connection tracking to take effect (so I'm told).
> >
> > --- Leonardo Boselli <[EMAIL PROTECTED]> wrote:
> > > On Wed, 26 May 2004, Mike Mestnik wrote:
> > > > K, use "iptables -nvLt nat" to see what rules are being used. Also
> > > > use tcpdump or iptraf to see what traffic is not getting passed.
> > >
> > > no rules added. the only odd thing (but this is wanted) is that DNAT
> > > requires source to be in a.b.c.0/24 while SNAT requires destination to be
> > > anything. (so I can access the hosts only from localnet, while they
> > > can start connections to every host in the net).
> > > PDC and BDC are a.b.c.11 .13 .15 .17 .19 !
> > > PS: GW uses kernel 2.4.26, not 2.4.25
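The proxy-ARP "invisible firewall" Mike describes at the top of the thread, written out as an added example (this is not code from the thread or from either poster). It assumes eth0 faces the world (a.b.c.0/24), eth1 faces the four firewalled servers, and that the server addresses and the externally reachable TCP ports are the constructed placeholders shown; everything else is derived from the thread's sysctl, host-route and "-m state" advice.

```shell
#!/bin/sh
# Proxy-ARP transparent firewall: servers keep their public a.b.c.x
# addresses, so no DNAT/SNAT is needed. Without --apply the generated
# commands are only printed so they can be reviewed first.

WORLD_IF=eth0          # assumed: interface towards the a.b.c.0/24 world
INSIDE_IF=eth1         # assumed: interface towards the firewalled servers
SERVERS="a.b.c.194 a.b.c.195 a.b.c.196 a.b.c.197"   # constructed placeholders
ALLOWED_TCP="22 80 443"   # assumed: services reachable from outside

proxy_arp_cmds() {
    # With proxy_arp=1 on both sides the router answers ARP on each
    # interface for hosts it routes via the other one; forwarding must be on.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.$WORLD_IF.proxy_arp=1"
    echo "sysctl -w net.ipv4.conf.$INSIDE_IF.proxy_arp=1"
    # /32 host routes beat the /24 on $WORLD_IF, so the kernel knows these
    # four hosts sit behind $INSIDE_IF and proxies ARP for them on $WORLD_IF.
    for h in $SERVERS; do
        echo "ip route replace $h/32 dev $INSIDE_IF"
    done
}

filter_cmds() {
    # Conntrack first, then the explicit allow list, then log and drop.
    echo "iptables -t filter -P FORWARD DROP"
    echo "iptables -t filter -F FORWARD"
    echo "iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Servers may open connections to anywhere, as in the thread.
    echo "iptables -t filter -A FORWARD -i $INSIDE_IF -o $WORLD_IF -m state --state NEW -j ACCEPT"
    # The world may only open connections to the listed ports on each server.
    for h in $SERVERS; do
        for p in $ALLOWED_TCP; do
            echo "iptables -t filter -A FORWARD -i $WORLD_IF -o $INSIDE_IF -d $h -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    done
    echo "iptables -t filter -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
}

all_cmds() { proxy_arp_cmds; filter_cmds; }

if [ "${1:-}" = "--apply" ]; then
    all_cmds | sh -e      # execute on the router (needs root)
else
    all_cmds              # dry run: print the commands for review
fi
```

Replace the a.b.c prefix with the real network before applying; `iptables -nvL FORWARD` afterwards shows the per-rule counters to confirm traffic is matching where expected.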

