Tom Eastep wrote:
> Adam Niedzwiedzki wrote:
>> Ahh ok,
>> I'm confusing myself :(
>> If I put an entry in the /etc/shorewall/nat do I have to setup
>> /etc/shorewall/masq? The machine/s behind LVS will need to connect via
>> an External IP other than
>> the router/firewall one...
>>
>> Hence why I masq behind eth1
>>
>> Remember this machine is my router as well (eth0 has a /30 with my
>> upstream)
>> eth1 is my /25
>>
>
> If you want the hosts on eth2 to use a different external IP address,
> you put that address in the ADDRESS column of the masq file entry.
>
Your statement 'Hence why I masq behind eth1' indicates that you may not be
viewing the relationship between the host, the interfaces and the addresses
properly.
Let's say that a Linux system has IP addresses IP1, IP2, IP3 and IP4 and that
it has interfaces IF1, IF2, and IF3. The way that I mentally picture this
system is like this:
                 __________
                |   IF1    |
 _______________|__________|______________
|                                         |
|                                         |
|                                         |___
|  IP1                                    |   |
|  IP2                                    |   |
|  IP3                                    |IF2|
|  IP4                                    |   |
|                                         |___|
|                                         |
|                                         |
|_________________________________________|
                |          |
                |   IF3    |
                 ----------
This view emphasizes the fact that the IP addresses belong to the *host* and
not to the interfaces. In the Linux default mode of operation, an ARP
'who-has' request for any of the addresses, received on any of the (ethernet)
interfaces, will be responded to with the MAC address of that interface.
Each IP address is configured on an interface, but the address<->interface
relationship is only really important in two cases:
a) when the system is sending a packet that doesn't have an address (the
local client has bound its sending socket to the 0 address)
b) in MASQUERADE when you are letting the system pick the source address to
use for some outgoing packets.
So for traffic leaving the system on IF1, you can pick any of the IP
addresses (IP1-4) as the SNAT source address provided that responses from
the target host with that destination IP address will be routed back to
this system. In fact, you can use the IP address of any host accessed via
IF2 or IF3 if that address meets the criteria that traffic sent to that
address from the recipient will be routed back to this system.
HTH
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
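The "addresses belong to the host" model above, as an added example that is not part of Tom's message and is not Shorewall or kernel code. It simulates the two behaviours the message describes: the default Linux ARP reply (any local address, answered on any interface with that interface's MAC, i.e. the arp_ignore=0 sysctl setting, with arp_ignore=1 shown for contrast) and SNAT source selection (an explicit ADDRESS, or the MASQUERADE fallback to the outgoing interface's primary address), including Tom's criterion that replies to the chosen source must route back to this host. All interface names, MACs, addresses and networks are constructed; the model assumes, as the message does, that networks behind the host's other interfaces are routed to it by the upstream, since it cannot see the upstream's routing table.

```python
"""Model of a Linux host whose IP addresses belong to the host, not to its
interfaces (added illustration; not Shorewall's or the kernel's code).
All MACs, addresses and networks below are constructed examples."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Interface:
    name: str
    mac: str
    addresses: list[str] = field(default_factory=list)  # first entry is primary
    networks: list[str] = field(default_factory=list)   # networks reached via it


@dataclass
class LinuxHost:
    interfaces: dict[str, Interface]

    def all_addresses(self) -> set[str]:
        """Every address the host owns, regardless of interface."""
        return {a for i in self.interfaces.values() for a in i.addresses}

    def arp_reply(self, ingress: str, target_ip: str, arp_ignore: int = 0):
        """MAC used to answer 'who-has target_ip' received on `ingress`,
        or None if the host stays silent.  arp_ignore mirrors the sysctl:
        0 = answer for any local address (the default Tom describes),
        1 = answer only if target_ip is configured on the ingress interface."""
        iface = self.interfaces[ingress]
        if arp_ignore == 0 and target_ip in self.all_addresses():
            return iface.mac
        if arp_ignore == 1 and target_ip in iface.addresses:
            return iface.mac
        return None

    def reply_reaches_host(self, egress: str, address: str) -> bool:
        """Tom's criterion for an SNAT source: replies sent to `address` must
        come back to this host.  True if the host owns the address, or if it
        lies in a network reached through one of the host's OTHER interfaces
        (assumed to be routed to this host by the upstream)."""
        if address in self.all_addresses():
            return True
        ip = ip_address(address)
        return any(
            ip in ip_network(net)
            for name, iface in self.interfaces.items()
            if name != egress
            for net in iface.networks
        )

    def snat_source(self, egress: str, address: str | None = None) -> str:
        """Source address for packets leaving via `egress`.  With an explicit
        address (Shorewall masq ADDRESS column -> SNAT) it is used if replies
        can route back here; without one (MASQUERADE) the kernel picks the
        primary address of the egress interface."""
        if address is None:
            return self.interfaces[egress].addresses[0]
        if not self.reply_reaches_host(egress, address):
            raise ValueError(f"replies to {address} would not return to this host")
        return address


def build_example_host() -> LinuxHost:
    """Constructed host in the shape of the thread: eth0 /30 to the upstream,
    eth1 a /25 of public addresses, eth2 the private segment behind LVS."""
    return LinuxHost({
        "eth0": Interface("eth0", "02:00:00:00:00:01",
                          ["198.51.100.2"], ["198.51.100.0/30"]),
        "eth1": Interface("eth1", "02:00:00:00:00:02",
                          ["203.0.113.129", "203.0.113.130"], ["203.0.113.128/25"]),
        "eth2": Interface("eth2", "02:00:00:00:00:03",
                          ["10.0.0.1"], ["10.0.0.0/24"]),
    })


if __name__ == "__main__":
    host = build_example_host()
    # Default ARP: an eth1 address queried on eth0 is answered with eth0's MAC.
    print(host.arp_reply("eth0", "203.0.113.129"))
    # arp_ignore=1 restricts the answer to addresses configured on eth0.
    print(host.arp_reply("eth0", "203.0.113.129", arp_ignore=1))
    # MASQUERADE fallback vs an explicit ADDRESS owned on eth1.
    print(host.snat_source("eth0"), host.snat_source("eth0", "203.0.113.130"))
    # A public address behind eth1 that the host does not own also qualifies.
    print(host.snat_source("eth0", "203.0.113.200"))
```

Note that `arp_reply` with arp_ignore=0 is why, in the default configuration, every Ethernet interface of a multi-homed box will claim every one of its addresses; arp_ignore=1 is the usual setting when an address must only be advertised on the segment it is configured for.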
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
