I'm not an IPChains guru by any stretch of the imagination, but...

I suspect the problem lies with the RedHat box not knowing to answer ARP
queries for the IP address it's providing a NAT mapping for. You could check
this with tcpdump - look for lots of arp requests for the public IP which
aren't getting answered.

An easy (if horribly ugly) way that springs to mind is to add the second IP
address to the external NIC as a secondary.

In terms of a "good" solution there may be a way of talking the RH box into
owning up to knowing about all the IP addresses it NATs for. However, in
times past I've filled the ARP caches of exterior routers with the MAC
address of firewalls to get around just this problem.

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
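A small added checker for the tcpdump test suggested above (my example, not code from the list or from Ben's mail): it parses a constructed `tcpdump -n -i eth0 arp` capture, in both the older `arp who-has` and newer `ARP, Request who-has` formats, and reports public addresses that are repeatedly asked for but never claimed, which is the symptom of a NAT mapping the firewall never answers ARP for. The 203.0.113.0/24 addresses are constructed stand-ins for the "public.ip.address" network in the thread.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth0 arp` output (not from the thread).
# 203.0.113.1 plays the exterior router; .113 is the NATted host's public IP.
SAMPLE_CAPTURE = """\
05:41:02.100001 ARP, Request who-has 203.0.113.114 tell 203.0.113.1, length 46
05:41:02.100120 ARP, Reply 203.0.113.114 is-at 00:50:56:aa:bb:cc, length 28
05:41:03.200001 ARP, Request who-has 203.0.113.113 tell 203.0.113.1, length 46
05:41:04.200001 ARP, Request who-has 203.0.113.113 tell 203.0.113.1, length 46
05:41:05.200001 ARP, Request who-has 203.0.113.113 tell 203.0.113.1, length 46
05:41:05.300001 arp who-has 203.0.113.113 tell 203.0.113.1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})"   # old tcpdump omits zero padding
REQUEST_RE = re.compile(r"who-has " + IPV4 + r" tell " + IPV4, re.I)
REPLY_RE = re.compile(r"reply " + IPV4 + r" is-at " + MAC, re.I)


def parse_arp(text):
    """Return (requests, replies): requests counts who-has queries per target IP;
    replies maps each answered IP to the set of MACs that claimed it."""
    requests = Counter()
    replies = {}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies.setdefault(m.group(1), set()).add(m.group(2).lower())
    return requests, replies


def unanswered(text, min_requests=2):
    """IPs queried at least min_requests times with no reply on the segment.
    For a 1:1 NAT, an entry here means the firewall is not owning up to the
    public address (fix: add it to the external NIC or publish an ARP entry)."""
    requests, replies = parse_arp(text)
    return {ip: n for ip, n in requests.items()
            if n >= min_requests and ip not in replies}


if __name__ == "__main__":
    for ip, n in unanswered(SAMPLE_CAPTURE).items():
        print(f"{ip}: {n} ARP requests, never answered")
```

Feed it a real capture with `unanswered(open("arp.txt").read())`; addresses that appear with a reply from a MAC other than the firewall's indicate a second host claiming the IP rather than a missing ARP answer.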

> -----Original Message-----
> From: Rodney Dunham [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 6 July 2000 5:41 AM
> To: [EMAIL PROTECTED]
> Subject: RH linux 6.1, IPCHAINS woes
> 
> 
> I'm trying (unsuccessfully, I might add) to do a particular thing with
> IPCHAINS that I've seen done with commercial software, and I've run out of
> ideas.  I need someone really good at IPCHAINS to get me headed in the right
> direction.
> 
> I want my firewall to take packets for another IP besides its own, pass them
> through, translating them in the process so it appears a particular machine
> on the inside is actually on the outside.  The internal machine won't know
> it is also addressable by the public address, and people outside won't know
> its real address is in a private network.  The firewall needs to do all the
> work.  All ports need to be so translated for this other IP.  The firewall
> does standard NAT through its usual IP.  Outside machines need to be able to
> initiate connections with this special internal machine, not just respond
> when it initiates them.
> 
> Never mind the security aspect, at least at this stage, it's the translation
> and forwarding that I can't get to work.  I can lock it down to specific
> services once the barebones connection works right.
> 
> The commercial FW-1 at work does this, but that's a different OS with a
> different firewall setup and a commercial GUI.  I can't duplicate what it's
> doing since it's such a different setup, or rather I'm not sure I understand
> what it's really doing.
> 
> Inside:               Firewall:                            Outside:
> 192.168.1.x           < converts transparently >           public.ip.address.113
> 
>                       192.168.1.114, public.ip.address.114
> 
> other hosts           < standard NAT >                     public.ip.address.114 as per standard NAT
> 
> Thanks!
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 