
Re: Firewall and proxy arp



Hi,

On Sat, Jan 17, 2004 at 10:36:50AM +0100, radel wrote:
> [cut]
> 
> I think I have to:
> ° enable proxy arp on all the internal firewall;

and external too.

> ° assign a public ip address to the external firewall's interface;
> ° assign a fake ip address to all the internal interfaces;

Why fake? You can set on all internal interfaces the same public address
as used on external one. 

> ° delete the routing table;

For internal interfaces only. For external you don't need to.

> ° set an host router for each server with the correct interface;
> ° set the host route for the router on the external interface;

Ok, I'm doing it using the following additional rules in /etc/network/interfaces
for internal interfaces: 

	up ip route del 192.168.0.0/28 dev ethx
	up ip route add 192.168.0.x    dev ethx
	up echo 1 >/proc/sys/net/ipv4/conf/ethx/proxy_arp

and for external additional are only:
	gateway x.x.x.x
	up echo 1 >/proc/sys/net/ipv4/conf/ethx/proxy_arp

and I'm setting the same address and netmask on all interfaces.

> ° set the default gateway via that router;

On firewall and all servers.

> ° drink a coffee. 

Not yet - you need also:

echo 1 >/proc/sys/net/ipv4/ip_forward

> Am I right? Will all work as expected?

It should work. That depends on your iptables rules ;)

> Can I use only one public IP on the firewall? 

Yes.

> What about server1 trying to contact server2? Will it work? 

Yes. 

> Sorry for my poor English and many many thanks in advance. 

Mine is not better :)

Greetings,
  Robert Tasarz
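
The layout described in this message, written out as a generator for the /etc/network/interfaces stanzas. This is an added example, not part of the original post; the concrete addresses, interface names, the `auto` lines and the placement of the ip_forward write on the external interface are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names and addresses
# passed at the bottom are constructed sample values.

# render_external IFACE ADDRESS NETMASK GATEWAY
render_external() {
    cat <<EOF
auto $1
iface $1 inet static
    address $2
    netmask $3
    gateway $4
    up echo 1 >/proc/sys/net/ipv4/conf/$1/proxy_arp
    up echo 1 >/proc/sys/net/ipv4/ip_forward
EOF
}

# render_internal IFACE ADDRESS NETMASK NETWORK_CIDR SERVER_IP
render_internal() {
    cat <<EOF
auto $1
iface $1 inet static
    address $2
    netmask $3
    up ip route del $4 dev $1
    up ip route add $5 dev $1
    up echo 1 >/proc/sys/net/ipv4/conf/$1/proxy_arp
EOF
}

# render_all EXT_IFACE ADDRESS NETMASK NETWORK_CIDR GATEWAY IFACE=SERVER_IP...
# The same address and netmask go on every interface, as in the message.
render_all() {
    ext=$1 addr=$2 mask=$3 net=$4 gw=$5
    shift 5
    for pair in "$@"; do    # validate every mapping before printing anything
        case $pair in ?*=?*) ;; *) echo "bad mapping: $pair" >&2; return 1 ;; esac
    done
    render_external "$ext" "$addr" "$mask" "$gw"
    for pair in "$@"; do
        echo
        render_internal "${pair%%=*}" "$addr" "$mask" "$net" "${pair#*=}"
    done
}

render_all eth0 192.168.0.2 255.255.255.240 192.168.0.0/28 192.168.0.1 \
    eth1=192.168.0.3 eth2=192.168.0.4
```

Each internal interface ends up with a single host route, so traffic between two servers is forwarded by the firewall and is filtered by whatever its iptables rules allow.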


