
proxy_arp and iptables...



Recently I started to play with a firewall machine and I have some problems.
The setup is: Debian on a 2.4.2 kernel with iptables. When it was on a
2.2/iptables it worked more or less fine.
Now I have a basic setup of iptables -F (all chains policy ACCEPT)
and echo 1 > ip_forward
It's the most basic setup I can think of, and I use it just to make things
right, then I'll add some rules, to fit my needs.
But it isn't working, no packages get through.

Then I did:
for f in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 1 > $f; done
and it worked?
The problem is that now the arp cache on the host is filled with the same
MAC address for all hosts on that segment, and from the outside the address is
the same for the firewall and for the host (the host has a routable IP address,
so I presume this is not normal). I also had to reset the arp cache on the
router in order to get the world back to the host.

Just for the info, here are the kernel options.
Maybe I should have loaded some kernel modules? I tried several of them,
with no success.

#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_MIRROR=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=y
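The symptom described in the post (every host on the segment resolving to the firewall's MAC after proxy_arp was switched on for all interfaces) is easy to spot from the ARP cache. The shell functions below are an added example, not part of the original message: one reads /proc/net/arp-formatted text and reports any MAC address that is answering for more than one IP, the other lists the per-interface proxy_arp setting so you can see which interfaces are proxying instead of turning it on everywhere with the loop above. The sample ARP table is constructed for illustration; the conf root argument defaults to the real /proc/sys/net/ipv4/conf path.

```shell
#!/bin/sh
# Constructed sample in /proc/net/arp format (not taken from the post).
# Three IPs on eth0 share one MAC, which is what blanket proxy_arp produces.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.5         0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth1'

# duplicate_macs: read /proc/net/arp text on stdin; for every complete entry
# (flags != 0x0) count how many IPs map to each MAC and print the MACs that
# claim more than one IP, as "MAC count", sorted.
duplicate_macs() {
    awk 'NR > 1 && $3 != "0x0" { n[$4]++ }
         END { for (m in n) if (n[m] > 1) print m, n[m] }' | sort
}

# check_arp_cache: succeed (exit 0) only if no MAC is shared between IPs.
check_arp_cache() {
    [ -z "$(duplicate_macs)" ]
}

# show_proxy_arp: print "iface=value" for each proxy_arp knob under the given
# conf root (default: the live /proc/sys/net/ipv4/conf tree).
show_proxy_arp() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/proxy_arp; do
        [ -r "$f" ] || continue
        printf '%s=%s\n' "$(basename "$(dirname "$f")")" "$(cat "$f")"
    done
}

# Usage against the live system (nothing is changed, only read):
#   duplicate_macs < /proc/net/arp
#   show_proxy_arp
# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_ARP" | duplicate_macs
```

Running duplicate_macs on the sample reports `00:11:22:33:44:55 3`; on a healthy segment it prints nothing and check_arp_cache succeeds. Enabling proxy_arp only on the interface that actually needs it (and, on a proper routed setup, relying on ip_forward alone) keeps the per-host MAC mapping intact.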


