
Re: IP masq (ipchains): masq whole LAN *except* some hosts?



Hi,

I'm sorry that it has taken me so long to reply, but I was too busy to 
continue work on this matter.

On Mon, 22 Nov 1999 11:36:19 +0100, Thomas Anker wrote:

>> I've a machine with two NICs acting as a router/NAT host. Masquerading works
>> fine for the LAN machines, and access from outside is limited to the
>> firewall machine. I want a couple of machines NOT to be masqueraded so that
>> I can ftp or log into them from outside.
>>
>> Which ipchains rules do I have to add to make this work? I have tried to
>> insert a rule above the standard rule in M70masq like this, but to no avail:
>
>right now i'm using a setup similar to what you want:
>
>Big-gateway (public ip) -> firewall (public ip one side, private other side)
>
>-> [ private lan: several private ip machines, two public machines
>accessible from outside with public ips !]

This setup is quite similar to my setup, apart from that there are NO 
reserved IPs inside my class C LAN, but that ALL machines have official IP 
addresses -- NONE of which however are visible from outside by now. My 
firewall has two public IPs: one that's inside the LAN subnet, and one 
that's not related to the LAN.

>Now i give you some important hints (that took me a lot of time to figure
>out). If you need more information, please write me.

If you can give me ANY additional hints you're welcome to do so. If you 
think the information is too specific for this mailing list, feel free to 
exclusively direct your message to my personal mailbox.

>1. my firewall and the public machines behind it are on the same subnet:
>e.g. 130.30.30.xx

This also applies to my case (for one of the two IPs, as I already mentioned 
the other IP is not related to the LAN IPs.)

>2. the Big-gateway addresses these machines using his ARP tables, that tell
>him, which ethernet-number belongs to which IP ! And to build up these
>tables Big-gateway sends ARP-requests: "hello, who on this sub-net listens
>to IP xx ?" (the arp-table refresh sometimes is done only every five
>hours or so, ask the sysad of your Big-gateway !)

I'm not sure whether this applies to my case but I could check this.

>3. Because your public machines behind your firewall can not hear these
>calls your firewall has to answer them !!!
>Tell your firewall to answer the ARP-request for your public machines
>in your private net. (some of these ARPd tools will do this)

I guess these "calls" are made using ICMP messages? Couldn't I simply open 
my firewall for these ICMP messages? Or would you leave them disabled for 
security purposes and use arpd (or whatever you are suggesting)?

>4. Then of course you need to route the packets addressed to your public
>machines to your private net
>   (you have to tell this your routd through the route command).

routed? Am I supposed to run routed? If yes, why? What does it give me 
compared to using static routes?

>So if this is what you need, i can send you more explicit information.

I think my setup is similar enough to yours for you to be of any help for 
me, so please send any info that you think might solve my problem my way...

Ralf


-- 
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
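
The quoted hints (proxy ARP on the firewall, a static route toward the inside) together with the exemption placed ahead of the masquerading rule that the original question asks about, as an added example that is not part of this message or thread. It only prints the commands; the interface names (eth0 outside, eth1 inside), the two host addresses and a kernel that exposes /proc/sys/net/ipv4/conf/<if>/proxy_arp are assumptions.

```shell
#!/bin/sh
# Added example: prints (never executes) the firewall commands for a 2.2-era
# ipchains box. Interface names and host addresses are constructed samples.

valid_ip() {
    # Dotted quad only, each octet 0..255; rejects anything else before it
    # can reach a generated command line.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules EXT_IF INT_IF LAN_CIDR HOST...
gen_rules() {
    ext_if=$1; int_if=$2; lan=$3; shift 3
    for h in "$@"; do
        valid_ip "$h" || { echo "invalid host address: $h" >&2; return 1; }
    done
    # Hint 3: let the kernel answer the upstream gateway's ARP requests for
    # addresses it routes out of another interface (proxy ARP).
    echo "echo 1 > /proc/sys/net/ipv4/conf/$ext_if/proxy_arp"
    for h in "$@"; do
        # Hint 4: static host route toward the inside; no routing daemon.
        echo "route add -host $h dev $int_if"
        # Rule number 1 puts the exemption ahead of the MASQ rule below,
        # so these hosts keep their own address in both directions.
        echo "ipchains -I forward 1 -s $h -j ACCEPT"
        echo "ipchains -I forward 1 -d $h -j ACCEPT"
    done
    # Everything else from the LAN leaving via the outside interface is
    # masqueraded.
    echo "ipchains -A forward -s $lan -i $ext_if -j MASQ"
}

# Constructed sample: two exempt hosts on the 130.30.30.xx subnet.
gen_rules eth0 eth1 130.30.30.0/24 130.30.30.5 130.30.30.6
```

As generated, the two ACCEPT rules forward every protocol and port to the exempt hosts; narrowing them to the services meant to be reachable (ftp and login in the question above) belongs in the filter rules of the real firewall.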


