I'm not sure I understand how proxy ARP can help me. All the docs talk about this applying as a
routing tool. I DO NOT WANT TO ROUTE PACKETS through the gateway host. I just want to be able to
establish a stream (say ssh) from the "main" interface without responses going out the
"spoofed" interfaces. That is the behavior I observe via snoop - packets come in on
interfaceB from the REAL NetA, response packets are sent out the SPOOFED NetA interface.
NetA --- (intranet cloud) --- interfaceB [gateway server] --- SPOOFED NetA interface
A packet traveling from NetA on the left, through the intranet cloud to
interfaceB on the gateway box makes it just fine, but the gateway sees the
spoofed NetA on an alternate interface as the shortest return path and sends
response packets out the SPOOFED NetA interface. I don't want this.
Every diagram I've seen describes ipnat as rewriting addresses BEFORE packets reach the
kernel, so I thought what I want to do is rewrite the source address of incoming packets
on interfaceB to ANYTHING besides "NetA", so that responses bounce back out
interfaceB vs. getting sent to the spoofed NetA interface on the gateway machine.
I don't see how to apply proxy ARP to this situation, and further, I'm not clear that plumbing up
an alternate "NetA" IP address on interfaceB will help either. I can see that if I
combine "interfaceB" and SPOOFED NetA on the same interface I might get the results I'm
looking for, but I'm not entirely happy combining both networks into the same broadcast domain.
That's what your second suggestion really is, right? That really only addresses ONE case - there
could be, for instance, cases where I want to get traffic from one of the other real networks that
are being spoofed on the other side of the gateway machine. Hmm, I suppose I could simply put
ALL networks on the same physical interface - I don't plan on there being lots of machines out
there, this is just a DMZ-like situation for temporary access to machines that would otherwise be
inaccessible...
Thanks for the input - I'm sure telling dumbass folks how to do their job
loses its thrill after a time.. ;-)
Darren Reed wrote, On 5/19/07 2:43 AM:
I think what you really need is to use proxy ARP.
It would be better if you could give the 192.129.119.2 interface an
additional address as an alias in the 10 network.
Darren
ORIGINAL thread:
Eric Timberlake wrote, On 5/18/07 10:41 PM:
I'm trying to create a set of NAT rules to deal with a situation I'm having.
I have a "spoofed" network to support moving large systems between a
private network and a shared intranet. The issue is when I want to get
from a system on the REAL network 10.1.1.0 to the gateway machine at
192.29.113.2, response traffic is directed out this "spoofed" 10.1.1.0
network vs. back through the intranet cloud.
(SIMPLE block, the dashes represent a host with 4 interfaces)

                                          --- 10.1.0.0
10.1.1.0 --- (Intranet cloud) --- 192.29.113.2 --- 10.1.1.0
                                          --- 10.1.2.0
I believe that I should be able to NAT at the 192.29.113.2 interface
before the packet reaches the kernel, so that it maps to something OTHER
than coming from 10.1.1.0 so responses go back OUT the 192.29.113.2
interface like I desire.
So far I haven't been able to do much but create configs that have no
effect, or simply won't stand up to rule check.
Some people say I should use RDR, some suggest MAP - but nothing I have
done so far is helping at all.
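The asymmetric return path the thread complains about is just the kernel's longest-prefix-match route lookup picking the directly connected "spoofed" 10.1.1.0/24 interface for any reply addressed to a 10.1.1.x host, regardless of which interface the request came in on. The following added example (not code from the thread, from ipfilter, or from either poster) models that lookup for the four-interface gateway in the original post and shows what changes if the source address of an incoming packet is rewritten before the reply is generated. Everything in it is a constructed model: the interface names, the /24 prefix on the 192.29.113.2 side, and the translated address 192.29.113.200 are assumptions, and the rewrite step only models the effect on the routing decision, not how ipnat would be configured to do it.

```python
import ipaddress

# Constructed routing table for the gateway host in the thread (assumption: all
# prefixes are /24 and the default route points back into the intranet cloud).
ROUTES = [
    (ipaddress.ip_network("192.29.113.0/24"), "intranet0"),  # real intranet side
    (ipaddress.ip_network("10.1.0.0/24"), "spoof0"),         # spoofed 10.1.0.0
    (ipaddress.ip_network("10.1.1.0/24"), "spoof1"),         # spoofed 10.1.1.0
    (ipaddress.ip_network("10.1.2.0/24"), "spoof2"),         # spoofed 10.1.2.0
    (ipaddress.ip_network("0.0.0.0/0"), "intranet0"),        # default via the cloud
]


def egress_interface(dst, routes=ROUTES):
    """Plain longest-prefix-match lookup: the most specific route wins, which is
    how a kernel with no policy routing chooses the interface for a reply."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_path(src, ingress_iface, rewrite_src=None):
    """Model the reply to a packet that arrived from src on ingress_iface.

    Returns (reply_dst, reply_iface, symmetric).  If rewrite_src is given, the
    packet's source address is translated before the reply is built (the
    'rewrite before it reaches the kernel' idea in the thread), so the reply is
    addressed to the translated address and routed accordingly."""
    reply_dst = rewrite_src if rewrite_src is not None else src
    reply_iface = egress_interface(reply_dst)
    return reply_dst, reply_iface, reply_iface == ingress_iface


def asymmetric_flows(flows):
    """Given constructed (src, ingress_iface) pairs as seen by snoop, return the
    ones whose reply would leave on a different interface than it arrived on."""
    return [
        (src, iface, reply_path(src, iface)[1])
        for src, iface in flows
        if not reply_path(src, iface)[2]
    ]


if __name__ == "__main__":
    # Constructed sample: an ssh client on the REAL 10.1.1.0 network reaching
    # the gateway through the intranet cloud, plus a host that really sits on
    # the spoofed side.
    flows = [("10.1.1.50", "intranet0"), ("10.1.1.77", "spoof1")]
    for src, ingress, egress in asymmetric_flows(flows):
        print(f"{src} in via {ingress}, reply out via {egress}  <- asymmetric")
    # With the source rewritten to an address on the intranet side, the reply
    # is routed back out the interface it arrived on.
    print(reply_path("10.1.1.50", "intranet0", rewrite_src="192.29.113.200"))
```

The model makes the poster's observation concrete: the request from the real 10.1.1.50 arrives on intranet0, but the reply to 10.1.1.50 matches the connected spoof1 route and leaves there. Rewriting the source so the reply is addressed to something that routes via intranet0 restores symmetry in the model; in practice that also requires the translation to be reversed for the reply and the chosen address to be reachable from the intranet side, which this model does not cover.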