
Re: Whacky Iptables Wizardry



On Friday 20 June 2003 11:42, Lucas J Barbuto wrote:
> I have a router sitting in front of a subnet of 12 IP addresses.  One of
> these subnet IPs is used as the main internet connection for an office.
> We'd like to take this connection down for a few hours to do some
> testing and maintenance, using a backup DSL connection in the meantime.
>
> Is it possible for me to set up some rules on my router to say "All
> traffic coming in looking for a certain IP (the office has a web server
> and an SMTP server) should be re-routed to another IP (the DSL
> connection)"?  The DSL of course is on a different subnet that I have no
> control over.  I'm not sure if this is possible; can anyone give me
> some pointers here?

I'm not sure what you're trying to achieve here: at first it sounds like it's 
just a matter of changing the default route on the router to point to the DSL 
connection, but then you mention traffic to specific IP addresses in your 
network, and so now I'm confused.

Are your 12 IPs "real" IP addresses, or are they behind NAT?

If they're real IPs, then things get tricky: the Internet routing tables 
would need to know to send that traffic via your DSL provider rather than 
your normal provider, and this might require some trickery with BGP/RIP, and 
most definitely will mean being in contact with your DSL provider's techies. 
You can't just connect 12 real IP addresses to *random ISP* and expect it to 
all just route properly: playing with iptables and routing on your side 
won't change this fact.

If they're behind NAT, then it's fairly trivial to redirect traffic. Take a 
look at some of the transparent proxying HOWTOs for ideas.

> On another topic (proxy ARP), I have a setup like this:
>
>     the Internet
>
>
>             + network gw (238)
>
>
>             + office gw (237)
>
>
>             + another office gw (234)
>
>
> I'm using proxy ARP at 237 so that 238 knows how to get to 234, which
> works, but I find that if the ARP cache entry on 238 expires, then when
> 238 gets traffic from the Internet destined for 234 it doesn't get through.
> My current work-around is to have a ping packet sent once a minute from
> 238 to 234 to keep the ARP cache fresh --- this is clearly not ideal ---
> anyone know what's up with this?  238 is running as an ethernet bridge.

You should add a static ARP entry on the machine at 238; this will depend on 
what it's running, of course. On Linux, it would be:

arp -s <another office gw's hostname> <office gw's hardware address>

t
-- 
GPG: http://n12turbo.com/tarragon/public.key
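As an added example that is not part of the thread: after running `arp -s` as suggested above, the thing worth verifying is that the entry really is permanent rather than a dynamic one that will expire again. On Linux the kernel exposes the table in /proc/net/arp, with flag bits from net/if_arp.h (ATF_COM 0x02 complete, ATF_PERM 0x04 permanent, ATF_PUBL 0x08 published/proxy). The script below parses that format and reports which entries will time out; the sample table and its 192.0.2.x addresses and MAC addresses are constructed for illustration, and the gateways 237 and 234 sharing a hardware address mirrors the proxy ARP setup described in the post (the 237 box answers ARP on behalf of 234).

```python
"""Classify Linux ARP table entries as static, dynamic or incomplete.

Added example; the sample table below is constructed, not captured from
the poster's network. Flag bits are those defined in <net/if_arp.h>.
"""

ATF_COM = 0x02   # entry is complete (hardware address resolved)
ATF_PERM = 0x04  # permanent entry, e.g. created with `arp -s`
ATF_PUBL = 0x08  # published entry (proxy ARP, `arp -s ... pub`)

# Constructed sample in /proc/net/arp layout. 192.0.2.234 (the "another
# office gw") resolves to the same MAC as 192.0.2.237 because 237 is
# proxy-ARPing for it; 234's entry is 0x6 = ATF_COM|ATF_PERM, i.e. static.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.237      0x1         0x2         00:11:22:33:44:55     *        eth0
192.0.2.234      0x1         0x6         00:11:22:33:44:55     *        eth0
192.0.2.1        0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp_table(text):
    """Parse /proc/net/arp text into a list of dicts (header line skipped)."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # tolerate blank or truncated lines
        ip, _hwtype, flags, hwaddr, _mask, dev = fields[:6]
        entries.append({
            "ip": ip,
            "flags": int(flags, 16),
            "hwaddr": hwaddr,
            "device": dev,
        })
    return entries


def describe_entry(entry):
    """Return 'incomplete', 'static', 'proxy' or 'dynamic' for one entry."""
    flags = entry["flags"]
    if not flags & ATF_COM:
        return "incomplete"   # resolution pending or failed
    if flags & ATF_PUBL:
        return "proxy"        # this host answers ARP for that IP
    if flags & ATF_PERM:
        return "static"       # will not age out of the cache
    return "dynamic"          # subject to the normal cache timeout


def dynamic_entries(text):
    """IPs whose entries are complete but not permanent; these will expire."""
    return [e["ip"] for e in parse_arp_table(text)
            if describe_entry(e) == "dynamic"]


def check_static(text, ip):
    """True if `ip` has a permanent entry; use to confirm `arp -s` took effect."""
    return any(e["ip"] == ip and describe_entry(e) == "static"
               for e in parse_arp_table(text))


def load_live_table(path="/proc/net/arp"):
    """Read the real table on a Linux host (not used by the self-test)."""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    for entry in parse_arp_table(SAMPLE_PROC_NET_ARP):
        print(f"{entry['ip']:<16} {entry['hwaddr']}  {describe_entry(entry)}")
    print("will expire:", dynamic_entries(SAMPLE_PROC_NET_ARP))
```

Run it against the live table with `dynamic_entries(load_live_table())` on the 238 box: if the 234 address is still listed there, the static entry was not installed (or was lost on reboot, since `arp -s` entries do not persist across restarts unless re-added at boot).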
