
Re: IP masq (ipchains): masq whole LAN *except* some hosts?



On Mon, 06 Dec 1999 10:37:31 +1100, Angus Lees wrote:

>On Sun, Dec 05, 1999 at 10:12:20PM +0100, Ralf G. R. Bergs wrote:
>> On Mon, 22 Nov 1999 11:36:19 +0100, Thomas Anker wrote:
>> >> I've a machine with two NIC acting as a router/NAT host. Masquerading
>> >> works fine for the LAN machines, and access from outside is limited to the
>> >> firewall machine. I want a couple of machines NOT to be masqueraded so
>> >> that I can ftp or log into them from outside.
>> >>
>> >> Which ipchains rules do I have to add to make this work? I have tried to
>> >> insert a rule above the standard rule in M70masq like this, but to no
>> >> avail:
>
>you should be able to insert simple accept rules before the masq
>rules, and the packets should be forwarded unmodified

I tried this already, but it doesn't work. :-(

>the accessible machine will have to have real IP's that are reachable
>from outside

This is the case.

In the meantime I've succeeded directly ssh-ing into one of the internal 
machines from outside!! I had forgotten a needed rule in the output-chain. 
:-((

>> >3. Because your public machines behind your firewall can not hear these
>> >calls your firewall has to answer them !!!
>> >Tell your firewall to answer the ARP-request for your public machines
>> >in your private net. (some of these ARPd tools will do this)
>> 
>> I guess these "calls" are made using ICMP messages? Couldn't I simply open
>> my firewall for these ICMP messages? Or would you leave them disabled for
>> security purposes and use arpd (or whatever you are suggesting)?
>
>ARP uses ARP, not ICMP  (assuming ipv4..)
>
>it happens at an ethernet broadcast level - any IP firewalling stuff
>never gets to see it

I see. Let me try to clarify this to see whether I've understood it: arp 
happens on a level *below* IP. Therefore arp PASSES my firewall, right?

>there are two ways to get packets to find your inside hosts:
>
>1. ("the real way") the upstream router knows to forward all packets
>for your subnet to your firewall (via a normal routing table
>entry). your firewall then knows which interface to send them out
>(ie. internal ip -> internal interface)

This is how it works in my case.

[proxy-arp]
>2. ("the hack way") the upstream router is beyond your control, but
>you have several IPs given to you by upstream and you want to hide
>them behind a firewall. you add ARP entries to the firewall for your
>other hosts. the upstream router will now be tricked into thinking it
>should send packets for all those IPs to your firewall (very similar
>to IP aliasing), and when your firewall gets them it knows to forward
>them out another interface (using a normal routing table entry)

I know about proxy-arp and also how it works. I've already used it a while 
ago to hook a machine connected via ISDN into our LAN.

Thanks for your explanations and hints.

Ralf


-- 
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
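
Added example, not part of the original message or of ipchains itself: a small Python model of how a forwarded packet passes the ipchains input, forward and output chains with first-match-wins semantics. It shows why the exempting ACCEPT rules must sit before the MASQ rule, and why a missing output-chain rule still drops the packet. All addresses and rule sets are constructed, interfaces and reply demasquerading are not modelled, and the model assumes the output chain sees the source address as rewritten by MASQ.

```python
import ipaddress

ANY = "0.0.0.0/0"
LAN = "192.0.2.0/24"           # constructed: internal LAN that is masqueraded
PUBLIC_HOST = "192.0.2.10/32"  # constructed: LAN host that must stay reachable
FW_EXT = "203.0.113.1"         # constructed: firewall's external address

def first_match(rules, policy, src, dst):
    """ipchains semantics: the first matching rule decides, else the chain policy."""
    for rule_src, rule_dst, target in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rule_src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule_dst)):
            return target
    return policy

def traverse(fw, src, dst):
    """A forwarded packet passes input, then forward, then output."""
    masqueraded = False
    for chain in ("input", "forward", "output"):
        rules, policy = fw[chain]
        target = first_match(rules, policy, src, dst)
        if target == "DENY":
            return f"dropped in {chain}"
        if target == "MASQ" and chain == "forward":
            src, masqueraded = FW_EXT, True  # assumption: output sees rewritten source
    return "forwarded masqueraded" if masqueraded else "forwarded unmodified"

def build(forward_rules, output_rules):
    """Assemble a rule set; every chain has policy DENY."""
    inp = [(LAN, ANY, "ACCEPT"), (ANY, PUBLIC_HOST, "ACCEPT")]
    return {"input": (inp, "DENY"), "forward": (forward_rules, "DENY"),
            "output": (output_rules, "DENY")}

EXEMPT = [(PUBLIC_HOST, ANY, "ACCEPT"), (ANY, PUBLIC_HOST, "ACCEPT")]
MASQ_LAN = [(LAN, ANY, "MASQ")]
OUT_BASE = [(f"{FW_EXT}/32", ANY, "ACCEPT")]
OUT_FULL = OUT_BASE + [(PUBLIC_HOST, ANY, "ACCEPT"), (ANY, PUBLIC_HOST, "ACCEPT")]

if __name__ == "__main__":
    outside, host = "198.51.100.7", "192.0.2.10"
    cases = [("masq first", build(MASQ_LAN + EXEMPT, OUT_FULL)),
             ("exempt first, output incomplete", build(EXEMPT + MASQ_LAN, OUT_BASE)),
             ("exempt first, output complete", build(EXEMPT + MASQ_LAN, OUT_FULL))]
    for label, fw in cases:
        print(label, "| out:", traverse(fw, host, outside),
              "| in:", traverse(fw, outside, host))
```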


