Gregory Leblanc wrote:
> > From: George Vieira [mailto:[EMAIL PROTECTED]]
> >
> > I have ipmasqadm working well with my setup at home and so on
> > but I have one
> > question.
> >
> > My linux firewall is on 200.xxx.xxx.200 and I have routes for
> > 200.xxx.xxx.201 to go to the this firewall. The linux box has
> > a rule for the
> > 201 address be a port forward for port 80 to an internal
> > machine using the
> > below command:
> >
> > /usr/sbin/ipmasqadm portfw -a -P tcp -L 200.xxx.xxx.201 80 -R
> > 10.0.0.10 80
> >
> > This is so the outside IP address for 200.xxx.xxx.201:80 goes
> > to an internal
> > machine's web server.
>
> Looks good.
>
> > Now what I would like to confirm is how does the firewall IP
> > forward the
> > internal webserver's internal IP back out via the external
> > address and not
> > the external address of the firewall... e.g. go out as
> > 200.xxx.xxx.201 and
> > not as 200.xxx.xxx.200
> >
> > I have the feeling (haven't been able to check) that the
> > internal machine is
> > masqueraded as the firewall's IP and not the webserver's external IP.
> You nailed it, it's getting masq'd to the firewall's IP, and not the
> "external IP of the webserver". In order to make that work you'll have to
> add some special routing rules to make it send packets out the interface
> that has the XXX.201 address, instead of the XXX.200 address. I find the
> OpenBSD syntax (and handling) of this entire situation MUCH nicer and more
> logical. :-)
> Greg
Are the 200 and 201 addresses aliases on the same network interface?
Or is the 201 an internal address routed to via the 200 address?
If the former is the case, you'll need policy routing and the iproute2
package. You can use it to rewrite the source address of reply packets
from the internal webserver to be the 201 address. Have a look at
http://www.zip.com.au/~raf2/lib/software/firewall/ for an example of
how to do this.
If the latter is the case, perhaps you have ipchains rules that
accidentally masquerade packets from 200.x.x.201? The 201 host
needs to be masquerading hosts behind it for port forwarding
to work, but the 200 host does not need to masquerade the 201
host since it's a real address (although it may need to masquerade
other internal hosts).
raf
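As an added example (not from raf's script or anyone on the list), here is the "aliases on the same interface" case written out as an iproute2 policy-routing setup alongside the portfw rule from the original question. It assumes a 2.2-era kernel whose masquerading code picks the preferred source address of the route the packet leaves by, so a per-host routing table whose default route carries `src 200.x.x.201` makes the webserver's traffic leave as .201; the addresses, gateway and table number are placeholders.

```shell
#!/bin/sh
# Added example, not the list's or raf's code. Placeholders below stand in
# for the 200.xxx.xxx.200/.201 addresses in the original question.
FW_IF=eth0
FW_ALIAS=200.0.0.201        # placeholder for the .201 alias on the firewall
GW=200.0.0.1                # placeholder upstream gateway
INSIDE=10.0.0.10            # internal webserver from the original rule
TABLE=201                   # arbitrary routing table number for this host

# Emit the rules as text so they can be reviewed before being run as root.
# Assumption: 2.2 masquerading uses the route's preferred source as the
# masqueraded address, so "src $FW_ALIAS" on the per-host default route is
# what makes replies and outbound connections leave as .201 instead of .200.
policy_rules() {
    cat <<EOF
/usr/sbin/ipmasqadm portfw -a -P tcp -L $FW_ALIAS 80 -R $INSIDE 80
ip route add default via $GW dev $FW_IF src $FW_ALIAS table $TABLE
ip rule add from $INSIDE table $TABLE
ip route flush cache
EOF
}

# Sanity check for the question raf asks first: is the alias really bound to
# the firewall's interface? If not, this is the "routed via .200" case and
# the policy-routing rules above are the wrong fix.
# $1 = captured output of "ip -o addr show", $2 = interface, $3 = address
alias_on_iface() {
    printf '%s\n' "$1" | grep -q "^[0-9]*: $2 *inet $3/"
}
```

Run `policy_rules` to print the commands, and `policy_rules | sh -e` as root only after `alias_on_iface "$(ip -o addr show)" eth0 200.x.x.201` succeeds on the firewall.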
_______________________________________________
Masq maillist - [EMAIL PROTECTED]