Re: Validating NT thought a natting firewall
I's basicaly what you have now exepet instead of using IP aliasing(ethx:y)
you use proxy_arp(echo 1 > /proc/sys/net/ipv4/conf/eth*/proxy_arp). This
instructs linux to respond to arp requests for the 4 fierwalled servers.
Once this is done trafic will pass thought the fierwall invisably as
tohught it where a switch. You need to set proxy_arp on both interfaces
so that every one will 'talk' throught the fierwall.
--- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> On Thu, 27 May 2004, Mike Mestnik wrote:
> > I think you have this backwards, are you talking about --to-source or
> > --source? I'm also wondering why not just use proxy-arp(setup with
> the
> > arp cmd) and setup the internal IPs tobe what the external IPs are?
> This
> > way the router can focus on fierwalling trafic and not needing todo
> any
> > nat.
>
> Proxy-arp would mean that in the "satellite" submet i would have 4 hosts
> with address not in that net. No problem giving to these hosts 2
> addresses, unless it could break some other things. BTW if someone
> from 192.168.19.66 try to access a.b.c.194 that is inside that net, even
> if has a second address 192.168.19.194 ?
> PS: do you have an howto un proxy-arp option ?
> >
> > You should be using...
> > iptable $OTHEROPTS -i eth<to world> --destination <IP.ext> DNAT
> > --to-destination <IP.int>
> >
> > iptable $OTHEROPTS -o eth<to world> --source <IP.int> SNAT --to-source
> > <IP.ext>
> >
> > Then use "-t filter -? FORWARD" to setup all your allow/deny/drop
> rules.
> > Also don't forget to use "-m state NEW" and "-m state
> ESTABLISHED/RELATED"
> > for conection traking to take effect(so I'm told).
> >
> > --- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> > > On Wed, 26 May 2004, Mike Mestnik wrote:
> > > > K, use "iptabels -nvLt nat" too see what rules are being used.
> Also
> > > use
> > > > tcpdump or iptaf to see what traffic is not getting passed.
> > >
> > > no rules added . the only odd thing (but this is wanted) is that
> DNAT
> > > require source to be in a.b.c.0/24 while SNAT require destination to
> be
> > > anything. *so i can access into the hosts only fronm localnet, while
> thy
> > > can start connections to every host in the net).
> > > PDC and BDC are a.b.c.11 .13. 15. .17 .19 !
> > > PS: GW uses kernel 2.4.26 , not 2.4.25
> > >
> >
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Friends. Fun. Try the all-new Yahoo! Messenger.
> > http://messenger.yahoo.com/
> >
>
__________________________________
Do you Yahoo!?
Friends. Fun. Try the all-new Yahoo! Messenger.
http://messenger.yahoo.com/
Reply to: