Re: IP masq (ipchains): masq whole LAN *except* some hosts?
On Mon, 06 Dec 1999 10:37:31 +1100, Angus Lees wrote:
>On Sun, Dec 05, 1999 at 10:12:20PM +0100, Ralf G. R. Bergs wrote:
>> On Mon, 22 Nov 1999 11:36:19 +0100, Thomas Anker wrote:
>> >> I've a machine with two NIC acting as a router/NAT host. Masquerading
>> works
>> >> fine for the LAN machines, and access from outside is limited to the
>> >> firewall machine. I want a couple of machines NOT to be masqueraded so
>> that
>> >> I can ftp or log into them from outside.
>> >>
>> >> Which ipchains rules do I have to add to make this work? I have tried
to
>> >> insert a rule above the standard rule in M70masq like this, but to no
>> avail:
>
>you should be able to insert simple accept rules before the masq
>rules, and the packets should be forwarded unmodified
I tried this already, but it doesn't work. :-(
>the accessible machine will have to have real IP's that are reachable
>from outside
This is the case.
In the meantime I've succeeded directly ssh-ing into one of the internal
machines from outside!! I had forgotten a needed rule in the output-chain.
:-((
>> >3. Because your public machines behind your firewall can not hear these
>> >calls your firewall has to answer them !!!
>> >Tell your firewall to answer the ARP-request for your public machines
>> >in your private net. (some of these ARPd tools will do this)
>>
>> I guess these "calls" are made using ICMP messages? Couldn't I simply
open
>> my firewall for these ICMP messages? Or would you leave them disabled for
>> security purposes and use arpd (or whatever you are suggesting)?
>
>ARP uses ARP, not ICMP (assuming ipv4..)
>
>it happens at an ethernet broadcast level - any IP firewalling stuff
>never gets to see it
I see. Let me try to clarify this to see whether I've understood it: arp
happens on a level *below* IP. Therefore arp PASSES my firewall, right?
>there are two ways to get packets to find your inside hosts:
>
>1. ("the real way") the upstream router knows to forward all packets
>for your subnet to your firewall (via a normal routing table
>entry). your firewall then know which interface to send them out
>(ie. internal ip -> internal interface)
This is how it works in my case.
[proxy-arp]
>2. ("the hack way") the upstream router is beyond your control, but
>you have several IPs given to you by upstream and you want to hide
>them behind a firewall. you add ARP entries to the firewall for your
>other hosts. the upstream router will know be tricked into thinking it
>should send packets for all those IPs to your firewall (very similar
>to IP aliasing), and when your firewall gets them it knows to forward
>them out another interface (using a normal routing table entry)
I know about proxy-arp and also how it works. I've already used it a while
ago to hook a machine connected via ISDN into our LAN.
Thanks for your explanations and hints.
Ralf
--
Sign the EU petition against SPAM: L I N U X .~.
http://www.politik-digital.de/spam/ The Choice /V\
of a GNU /( )\
Generation ^^-^^
Reply to: