I'm looking for advice on best practice for setting up a Fedora / CentOS
firewall in the following situation:
LAN (10.0.0.0/24)
|
|
| (10.0.0.1)
Firewall
| (198.51.100.2/27)
|
| (198.51.100.1/27)
ISP's Router
|
|
|
Internet
In addition to 198.51.100.1 and 192.51.100.2, the ISP is providing 28
extra public IPs (192.51.100.3-30), and I want the firewall to be
able to DNAT those IPs to internal machines, which means it needs to
answer ARP for them.
The router is routing all of the public IPs directly to its internal
NIC. In an ideal world, we'd just reconfigure the router so that the
IPs are routed via the firewall rather than being directly connected.
However, I'm finding that for managed routers, ISPs are increasingly
unwilling to set up custom routing.
The available options seem to be:
1. Add aliases for all of the addresses onto the internet NIC of the
firewall. You used to be able to create an
/etc/sysconfig/network-scripts/ifcfg-eth0-range0 file with the address
range in it and have the network scripts automatically add the aliases.
Unfortunately NetworkManager no longer seems to support this. Also this
feels quite messy because you end up with a lot of addresses attached to
the NIC, and strictly speaking those addresses don't really belong to
the firewall since they are intended to be forwarded through to internal
machines.
2. Route 198.51.100.0/27 to a dummy NIC and enable proxy ARP on the
internet NIC. Proxy ARP is a fairly blunt tool and will cause the
firewall to answer ARP for any address, not just that subnet.
3. The only thing the firewall actually needs to do with these addresses
is answer ARP requests for them. It used to be possible to use the arp
command to set this up with something like:
arp -i eth0 -Ds 198.51.100.0 eth0 netmask 255.255.255.224 pub
This method is documented in TLDP, but the arp command is long
deprecated in favour of "ip neigh" which doesn't appear to support doing
this.
Can anyone advise whether any "best practice" for this kind of setup exists?
Thanks.
--
- Steve
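As an added example (not from Steve's post), this script generates the per-address route, proxy-ARP and DNAT commands for the forwarded range using "ip neigh add proxy", the iproute2 counterpart of the old "arp ... pub" entry, so the firewall answers ARP only for the addresses it forwards rather than for everything as global proxy_arp would. It assumes eth0 is the internet NIC, a dummy0 interface exists, net.ipv4.ip_forward=1, an nftables "ip nat" table with a "prerouting" chain is present, and each public address maps to the LAN host with the same last octet (a constructed mapping); the host route via dummy0 is needed because the kernel only answers a proxy entry when forwarding is enabled and the target is routed out a different interface from the one the request arrived on.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally
# applies) per-address proxy-ARP, route and DNAT commands for a DNAT range.
# Assumptions: WAN NIC eth0, a dummy0 interface ("ip link add dummy0 type
# dummy"), net.ipv4.ip_forward=1, and an nftables table "ip nat" with a
# "prerouting" chain. LAN targets 10.0.0.N for public .N are constructed.

WAN_IF=${WAN_IF:-eth0}
DUMMY_IF=${DUMMY_IF:-dummy0}
PREFIX=198.51.100
FIRST=3
LAST=30

# Commands for one public address:
#  1. a /32 route via dummy0, more specific than the connected /27 on eth0,
#     so the ARP code sees the target routed away from the WAN interface;
#  2. a proxy neighbour entry so the firewall answers ARP for it on eth0;
#  3. the DNAT rule that hands traffic for it to the LAN host.
commands_for() {
    pub="$PREFIX.$1"
    lan="10.0.0.$1"
    printf 'ip route replace %s/32 dev %s\n' "$pub" "$DUMMY_IF"
    printf 'ip neigh replace proxy %s dev %s\n' "$pub" "$WAN_IF"
    printf 'nft add rule ip nat prerouting iifname %s ip daddr %s dnat to %s\n' \
        "$WAN_IF" "$pub" "$lan"
}

# Dry run: print every command for FIRST..LAST without executing anything.
plan() {
    i=$FIRST
    while [ "$i" -le "$LAST" ]; do
        commands_for "$i"
        i=$((i + 1))
    done
}

# Number of proxy entries in the plan; lets a reader check the range coverage.
count_proxy_entries() {
    plan | grep -c '^ip neigh replace proxy '
}

# Apply for real (run as root). "ip neigh show proxy" afterwards lists the
# entries the firewall will answer ARP for.
apply() {
    plan | while IFS= read -r cmd; do $cmd; done
}

case "${1:-plan}" in
    apply) apply ;;
    *) plan ;;
esac
```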
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx