I'm trying to implement a replacement for a hardware firewall device. One of the capabilities I need to support is to allow a user with an arbitrary IP address/subnet/gateway combination to connect to an Ethernet and gain access to the Internet using NAT.

I'm in the process of cobbling together a solution using Linux and IPCHAINS.

I'm working on implementing a user space solution that will automatically add ARP entries and routes to allow such users with static IP addresses to connect.

The 'gotcha' I have run into is that I occasionally have to enable communication between the users with the static IP addresses and a server on the inside of the firewall. To do this, I need Linux to act as a router - the catch is that there is logic that says if a packet is routed out the same interface it came in on, then you instead send an ICMP redirect back to the sender (so that he can learn that there is a direct route to the destination).

I need to suppress this behavior so that my user space routing changes don't cause this ICMP redirect. I could just dive in and dike out the offending test, but it seems to me there must be others with the same problem.

The alternative in my case is to outfit each of these systems with 3 network cards (and that would also entail some code changes in my application I'd prefer to avoid).

Is there a clean way of doing this (ideally a few spare bits somewhere that could be tweaked using ifconfig)?

Thanks,

Mark Z.

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]