
Re: IP masq (ipchains): masq whole LAN *except* some hosts?



On Sun, Dec 05, 1999 at 10:12:20PM +0100, Ralf G. R. Bergs wrote:
> On Mon, 22 Nov 1999 11:36:19 +0100, Thomas Anker wrote:
> >> I've a machine with two NICs acting as a router/NAT host. Masquerading works
> >> fine for the LAN machines, and access from outside is limited to the
> >> firewall machine. I want a couple of machines NOT to be masqueraded so that
> >> I can ftp or log into them from outside.
> >> 
> >> Which ipchains rules do I have to add to make this work? I have tried to
> >> insert a rule above the standard rule in M70masq like this, but to no avail:

you should be able to insert simple accept rules before the masq
rules, and the packets should be forwarded unmodified

the accessible machines will have to have real IPs that are reachable
from outside

if this isn't the case, then you will want to leave them masqueraded
and use some form of port forwarding so that connections to your
firewall are bounced to your real hosts (there are both userspace and
kernel methods of doing this)


> >3. Because your public machines behind your firewall can not hear these
> >calls your firewall has to answer them !!!
> >Tell your firewall to answer the ARP-request for your public machines
> >in your private net. (some of these ARPd tools will do this)
> 
> I guess these "calls" are made using ICMP messages? Couldn't I simply open 
> my firewall for these ICMP messages? Or would you leave them disabled for 
> security purposes and use arpd (or whatever you are suggesting)?

ARP uses ARP, not ICMP (assuming IPv4...)

it happens at an ethernet broadcast level - any IP firewalling stuff
never gets to see it



there are two ways to get packets to find your inside hosts:

1. ("the real way") the upstream router knows to forward all packets
for your subnet to your firewall (via a normal routing table
entry). your firewall then knows which interface to send them out
(i.e. internal ip -> internal interface)

2. ("the hack way") the upstream router is beyond your control, but
you have several IPs given to you by upstream and you want to hide
them behind a firewall. you add ARP entries to the firewall for your
other hosts. the upstream router will now be tricked into thinking it
should send packets for all those IPs to your firewall (very similar
to IP aliasing), and when your firewall gets them it knows to forward
them out another interface (using a normal routing table entry)

the difference is in scalability - the proxy-ARP method (as it's known)
requires an arp entry for each IP, whereas the IP routing method only
requires one entry in the upstream router's table for your whole
subnet.

> >4. Then of course you need to route the packets addressed to your public
> >machines to your private net
> >   (you have to tell this to your routd through the route command).
> 
> routed? Am I supposed to run routed? If yes, why? What does it give me 
> compared to using static routes?

no, it was a typo - he only meant normal static routes



-- 
 - Gus
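The three pieces Gus describes (ACCEPT rules ahead of the MASQ rule, proxy-ARP entries on the upstream side, static host routes to the inside interface) put together as one ipchains-era script. This is an added example, not code from Gus, Ralf or the original poster; the interface names (eth0/eth1), the LAN prefix and the two public addresses are assumptions, and by default it only prints the commands it would run (set DRY_RUN=0 on a real box).

```bash
#!/bin/sh
# Added example (not from the original mail): masquerade a LAN but leave two
# hosts with real, routable addresses un-masqueraded, then make them reachable
# from upstream via proxy ARP ("the hack way") and static routes.
set -eu

EXT_IF=eth0                               # upstream side          (assumption)
INT_IF=eth1                               # LAN side               (assumption)
LAN_NET=192.168.1.0/24                    # private, masqueraded   (assumption)
PUBLIC_HOSTS="203.0.113.10 203.0.113.11"  # inside hosts, real IPs (assumption)

# DRY_RUN=1 prints each command; DRY_RUN=0 executes it (needs an ipchains kernel).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

firewall_rules() {
    run ipchains -F forward
    run ipchains -P forward DENY
    # ipchains stops at the first matching rule, so the ACCEPT rules for the
    # public hosts MUST come before the MASQ rule; appended after it, they
    # would never be reached and the hosts would be masqueraded like the rest.
    # In the forward chain -i names the interface the packet goes OUT of.
    for h in $PUBLIC_HOSTS; do
        run ipchains -A forward -i "$EXT_IF" -s "$h/32" -j ACCEPT  # outbound, unmodified
        run ipchains -A forward -i "$INT_IF" -d "$h/32" -j ACCEPT  # inbound from the world
    done
    # everything else leaving the LAN for the outside gets masqueraded
    run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
}

arp_and_routes() {
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
    for h in $PUBLIC_HOSTS; do
        # answer ARP for the public host on the upstream segment with eth0's
        # own MAC ("pub" = published/proxy entry), one entry per IP ...
        run arp -i "$EXT_IF" -Ds "$h" "$EXT_IF" pub
        # ... and send what arrives for it out the internal interface
        run route add -host "$h" dev "$INT_IF"
    done
}

firewall_rules
arp_and_routes
```

With the routing method instead, `arp_and_routes` collapses to a single `route add -net <subnet> dev eth1` on the firewall and one route on the upstream router, which is the scalability difference Gus points out.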

