/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Hi all,

thanks for your replies - today I did some tests on this issue.

>  >I'm using ipchains on that box with an ip aliased setup like Ashley showed
>  >in the last eMail. Additionally I have set up some policy rules via
>  >Alexey Kuznetsov's iproute tool to make sure that the traffic from some
>  >internal hosts is sent out with the correct aliased ip on the external
>  >interface.
> 
> Does this setup work?  What kernel?

It works. I'm using kernel 2.2.16 with Alan's combo patch.


Here is the setup in short:

        eth1   111.111.111.1  --> 10.1.1.1
        eth1:1 111.111.111.2  --> 10.1.1.2
        eth1:2 111.111.111.3  --> 10.1.1.3

The aliased IPs on eth1 should be translated to the internal 10.x ones.

After setting up portfw I used iproute2 to define which traffic from which
internal machine should be answered by which external ip:

  ip rule add from 10.1.1.2 table 1
  ip route add default via 111.111.111.254 src 111.111.111.2 table 1
  ip rule add from 10.1.1.3 table 2
  ip route add default via 111.111.111.254 src 111.111.111.3 table 2
 
PcAnywhere to internal hosts works fine now.

However, with tcpdump I realized that some traffic isn't answered with
the correct IP, i.e. when connecting to an internal ftp server which
makes "auth" requests. These requests were sent with the primary external
IP (111.111.111.1).

So I replaced the rules and routes above with some nat rules like these:

  ip rule add from 10.1.1.2 nat 111.111.111.2
  ip rule add from 10.1.1.3 nat 111.111.111.3

After this, port forwarded ftp traffic and auth requests are shown with
the correct IP by tcpdump.


-Volker- 


-- 
##########################################
 Volker Dormeyer # [EMAIL PROTECTED]
##########################################
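The two rule sets from the post above, as an added example that is not part of the original mail: a small POSIX sh script that generates either variant from one mapping table and checks an `ip rule show` listing for internal hosts that still lack a nat (`map-to`) rule. The host/alias mapping and the gateway 111.111.111.254 are taken from the post; the function names and the sample listing are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). EXT_GW is the upstream
# gateway from the post; MAP is the constructed host -> alias -> table list.
EXT_GW=111.111.111.254
MAP='10.1.1.2 111.111.111.2 1
10.1.1.3 111.111.111.3 2'

# Variant 1: policy routing with a per-host table and a preferred "src".
# The src hint only applies to packets that have no source address yet,
# which is why the masqueraded ident/auth requests still left with the
# primary address of eth1.
gen_policy_rules() {
    echo "$MAP" | while read -r int ext tbl; do
        echo "ip rule add from $int table $tbl"
        echo "ip route add default via $EXT_GW src $ext table $tbl"
    done
}

# Variant 2: iproute2 stateless NAT rule (2.2-era kernels), which rewrites
# the source of every packet from the host, so all its traffic leaves as ext.
gen_nat_rules() {
    echo "$MAP" | while read -r int ext _; do
        echo "ip rule add from $int nat $ext"
    done
}

# Read an "ip rule show" listing on stdin and report every mapped host that
# has no matching "from INT map-to EXT" rule. Returns 1 if any is missing.
check_nat_rules() {
    listing=$(cat)
    rc=0
    while read -r int ext _; do
        if echo "$listing" | grep -qF -- "from $int map-to $ext"; then
            echo "ok:      $int -> $ext"
        else
            echo "MISSING: $int -> $ext"
            rc=1
        fi
    done <<EOF
$MAP
EOF
    return $rc
}

# Dry run: print the nat variant. To apply as root: gen_nat_rules | sh
gen_nat_rules
```

To verify the live box, feed it the real listing: `ip rule show | check_nat_rules`.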

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]