
IP masquerading rules



I am trying to set up a webserver that has only an internal (non-world) IP
of 10.2.1.235.

The router is a Debian 2.1 (with Linux 2.0.36 kernel) box. The Linux
router has:
  route add -net 10.2.1.0 netmask 255.255.255.0 eth1:0
  ifconfig eth1:0 10.2.1.1 netmask 255.255.255.0 up
(10.2.1.1 is the default gateway for the webserver.)

My workstation (which has a regular world-routable IP) can ping
the webserver through the Linux router. Plus it can browse webpages
served from the 10.2.1.235 webserver.

Also, from the workstation I can ssh into the webserver, but it takes over
a minute to complete, because the webserver has no access to any DNS
server. (It has no internet access.)

When I do a:
  ipfwadm -F -a m -S 10.2.1.0/24 -D 0.0.0.0/0
on the Linux router, the webserver has access to the world. But then I can
no longer ssh to it from my workstation. I can also no longer get
webpages from it. I CAN still ping it. 

I guess this happens because now all packets coming from the 10.2.1.235
webserver are masqueraded as the Linux router's IP. I am not sure why the
ping packets from the webserver get back to me, but the ssh/http responses
never get back. (A new sshd never starts up.)

(Also, when I assign an additional regularly routed IP on the interface
on the webserver, I can access it via ssh, http, ping and it can access
the world fine. Even though I connect to it every time using the same
10.2.1.235 address, plus everything else is still the same. I do not even
use this new IP. This does not make sense to me!)

1) How can I set it up so any of my internal machines which use the Linux
router can happily communicate with the webserver? In other words, how can
I set up some ipfwadm policy so that the router won't masquerade packets if
it is communicating from within our LAN?

2) How do I set it up so my router will route all (from the outside world)
traffic to one of its IPs to the 10.2.1.235 internal IP? 

If you have any specific URLs, I'd appreciate it. Thanks.

  Jeremy C. Reed
....................................................
     BSD software, documentation, resources, news...
     http://bsd.reedmedia.net
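As an added illustration, not part of the original post or any reply to it: a small Python model of ipfwadm's forwarding chain, which applies the first rule that matches a packet. Run against the post's single masquerade rule it shows the webserver's replies to a LAN workstation being rewritten to the router's address; a chain with an accept rule for LAN destinations placed ahead of the masquerade rule keeps LAN traffic unmasqueraded while internet-bound traffic is still masqueraded (this addresses question 1 only). The workstation (192.0.2.10 on 192.0.2.0/24) and the outside host (203.0.113.5) are constructed placeholders, since the post gives only the 10.2.1.x addresses.

```python
# Added example, not from the original post: models ipfwadm's forwarding
# chain, where the FIRST matching rule decides what happens to a packet.
from ipaddress import ip_address, ip_network

ROUTER_IP = ip_address("10.2.1.1")       # router's LAN-side address (from the post)
WEBSERVER = ip_address("10.2.1.235")     # internal-only webserver (from the post)
WORKSTATION = ip_address("192.0.2.10")   # constructed placeholder for the LAN workstation
OUTSIDE = ip_address("203.0.113.5")      # constructed placeholder for an internet host

def rule(policy, src, dst):
    """One ipfwadm -F rule: -a <policy> -S <src> -D <dst>."""
    return {"policy": policy, "src": ip_network(src), "dst": ip_network(dst)}

def forward(chain, src, dst):
    """Walk the chain in order and return (policy, source address the
    destination will see). The default forwarding policy is accept, as on
    a stock 2.0 kernel before any -p change."""
    for r in chain:
        if src in r["src"] and dst in r["dst"]:
            if r["policy"] == "masquerade":
                return "masquerade", ROUTER_IP   # source address rewritten
            return r["policy"], src
    return "accept", src

# The post's chain:  ipfwadm -F -a m -S 10.2.1.0/24 -D 0.0.0.0/0
POST_CHAIN = [rule("masquerade", "10.2.1.0/24", "0.0.0.0/0")]

# Assumed fix: exempt LAN-bound traffic with an accept rule added BEFORE
# the masquerade rule (192.0.2.0/24 stands in for the site's routed LAN):
#   ipfwadm -F -a accept -S 10.2.1.0/24 -D 192.0.2.0/24
#   ipfwadm -F -a m      -S 10.2.1.0/24 -D 0.0.0.0/0
FIXED_CHAIN = [rule("accept", "10.2.1.0/24", "192.0.2.0/24"),
               rule("masquerade", "10.2.1.0/24", "0.0.0.0/0")]

def reply_source(chain, dst):
    """Source address a host at dst sees on the webserver's reply."""
    return forward(chain, WEBSERVER, dst)[1]

if __name__ == "__main__":
    for name, chain in (("post", POST_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, "chain: reply to workstation appears from",
              reply_source(chain, WORKSTATION),
              "| reply to outside host appears from",
              reply_source(chain, OUTSIDE))
```

With the post's chain the workstation's TCP connection sees replies from 10.2.1.1 instead of the 10.2.1.235 it connected to, which is consistent with ssh and http failing; the accept rule restores the real source for LAN peers.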

