Tom,
Thanks for your assistance. It is much appreciated.
> > Question 3: There is a public IP address that has a different gateway than
> > the block of IP addresses currently in the DMZ. If I use SNAT with that
> > IP, is there any way to specify a different gateway? I'm struggling to
> > understand this part so if this makes no sense please ignore it.
TE>> You're going to have to give us specifics before we can understand the question.
Ok, the network setup is this:
They have public IP addresses in the range xx.xx.xx.26-xx.xx.xx.30 with masklen 29 and gateway xx.xx.xx.25. These are now in the DMZ.
Additionally, they have a public IP address xxx.xxx.xxx.142 with masklen 30 and gateway xxx.xxx.xxx.141. Apparently, with their old router (IPCHAINS based, but I don't have access to it) they had all these boxes sitting on their internal net and could reach them all externally or internally via the public IP. I'd like them all in the DMZ; however, I don't know how to deal with this 141 address.
Offhand, I cannot think of a way to do what you want to do. Control of gateway addresses is a function of the routing table, not of ipchains or iptables. But perhaps I'm missing something. It might help if you clarified a couple of things in your most recent posting.
First, when you say the old router "could reach them all externally or internally via the public IP" what is the "the" IP you mean? Do you mean all 6 addresses were reachable via (probably) proxy arp? Or do you only mean the servers had reachable services via port forwarding? Or something else?
Second, while I understand (though do not really sympathize with) your desire to keep the IP addresses themselves secret, we really do need to know the relationship between the "xx.xx.xx" in "xx.xx.xx.25" and the "xxx.xxx.xxx" in "xxx.xxx.xxx.141". Are they on the same /24, to be specific?
If so, it *might* work to cheat ... let the router and *all* the servers use "xx.xx.xx.25", or perhaps "xxx.xxx.xxx.141", as their gateway. Incoming traffic will still (probably) flow through the separate gateways ... but IP-based routing is, by design, quite tolerant of using different routes in the different directions. (Actually, it might work to do this cheat even if the 2 networks are not part of the same /24; it depends on configuration decisions at the ISP's end.)
If you try this, you will need a route on the router to "xxx.xxx.xxx.141", so it can receive traffic from that gateway and acknowledge it. But it need not be a gateway entry, just an ordinary route.
Finally, am I correct in inferring that these two external networks -- xx.xx.xx.24/29 and xxx.xxx.xxx.140/30 -- are on the same physical interface (eth0, I imagine) ... the same DSL or T1 or whatever? If they are on different interfaces, most of what I've said does not make sense for you ... and you'll have to give us those details to get good advice.
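As an added example (not part of the thread, and not what Tom proposes above), the following iproute2 script shows the source-based policy routing that answers Question 3 directly: a DMZ host SNATed to the /30 address is sent out via the /30 gateway while the rest of the traffic keeps the /29 gateway. It assumes both public networks sit on the same interface (eth0), a free secondary routing table id (100), and uses RFC 5737 documentation addresses as constructed placeholders for the masked values.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing (iproute2)
# so that a DMZ host that is SNATed to the /30 address sends its traffic out
# via the /30 gateway, while everything else keeps the /29 gateway.
# Addresses are constructed placeholders (RFC 5737 documentation ranges)
# standing in for the masked xx.xx.xx.* and xxx.xxx.xxx.* values.
WAN_IF="${WAN_IF:-eth0}"
GW29="203.0.113.25";   IP29="203.0.113.26"    # /29 block and its gateway
GW30="198.51.100.141"; IP30="198.51.100.142"  # /30 address and its gateway
TABLE30=100   # id of the secondary routing table (assumed to be free)

# run the command, or only echo it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

setup_gateways() {
  # both public addresses live on the same interface (as asked in the thread)
  run ip addr add "$IP29/29" dev "$WAN_IF"
  run ip addr add "$IP30/30" dev "$WAN_IF"
  # main table: default route via the /29 gateway
  run ip route add default via "$GW29" dev "$WAN_IF"
  # secondary table: default route via the /30 gateway
  run ip route add default via "$GW30" dev "$WAN_IF" table "$TABLE30"
}

# Bind one DMZ host (private address) to the /30 gateway and SNAT it to IP30.
# The ip rule keys on the host's pre-NAT source address: for forwarded packets
# the routing decision is made before POSTROUTING SNAT, so a rule matching
# IP30 itself would never see them.
bind_host_to_30() {
  host="$1"
  run ip rule add from "$host" table "$TABLE30" priority 100
  run iptables -t nat -A POSTROUTING -s "$host" -o "$WAN_IF" -j SNAT --to-source "$IP30"
  run ip route flush cache
}
```

Replies to connections that arrive at the /30 address (DNATed to the same host) carry the host's private source address, so the same rule sends them back out via the /30 gateway.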
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
