Re: Howto route through

Linux Advanced Routing and Traffic Control

What I do is have the linux box claim all of the public IPs as its own, and then use iptables to DNAT/SNAT to/from private IPs as needed. You can dedicate a public IP to a specific private IP, so the computer on your network with that private IP appears to all of the world as if it actually has the public IP. This has the added advantage that if your public IPs change for some reason, you just need to update iptables and the computers on your network will only need slight (if any) tweaking.

In this setup, all of your public IPs are on one ethernet port, and all of your private IPs are on the other. If you desire, you can give one of the public IPs to the linux box itself (though for security reasons, I personally do not do this... in fact, the only traffic I let the linux box pass to the internet is forwarded packets... nothing originating from itself).

This may be what you had in mind when you considered the option of a transparent bridge...

----- Original Message ----- From: "Rene Gallati" <lartc@xxxxxxxxxxxxx>
To: <LARTC@xxxxxxxxxxxxxxx>
Sent: Sunday, October 31, 2004 9:55 AM
Subject: Howto route through



Hello list,

I'm having a little trouble imagining a setup I'll soon have.

I am in the process of getting a routed /28 to my home LAN. What I want to do is to put a linux box in front of the LAN to filter some of the unneeded and potentially dangerous ports. Now the box has 2 NICs, one for the inside, one for the outside.

How should I go on to setup those NICs when
a) the PCs in the net should have their official IP address from the /28 net
and
b) the filtering linux box should at the same time have one IP address from the same range for some services it provides


The dilemma I see (maybe it is none, but I just don't know):
if I put it this way, I have the IP of the /28 range on one NIC and nothing to put on the other?


Example: Range is 1.2.3.0/28 (1.2.3.0 - 1.2.3.15)

          eth0:  1.2.3.1   eth1: ???
---- Internet ------- FW Box ------ LAN (1.2.3.0/28)

The FW box should be reachable by both the hosts in the LAN as well as from the internet using the assigned IP. Don't I run into trouble having an IP on one NIC which belongs to a net that is located on the side of the other NIC?

I know that the most specific entry (full IP) overrides or wins over the less specific ones (the net) but does this setup work so that the LAN clients can access the FW box just like every other host on the internet? How do I configure eth1 ? Just bring it up without any IP at all?

Or should I rather make the FW box a transparent bridge for the filtering, with one IP on which it responds itself?

Thanks for all hints

CU

René
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


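The setup described in the reply above, as an added example that is not code from either poster: the firewall box holds every public address on its outside NIC, each public address is mapped 1:1 onto a private LAN host with DNAT/SNAT, and the box itself only forwards and originates nothing. Everything concrete in it is an assumption chosen to fit the question's 1.2.3.0/28: eth0 is the outside NIC, eth1 the inside NIC on 192.168.1.0/24, two hypothetical public/private pairs are mapped, and only TCP 80/443 is admitted from the Internet to the mapped hosts. Without APPLY=1 the script only prints the commands it would run, so it can be read and checked before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the original post): 1:1 NAT of a public /28 onto
# private LAN hosts, with the firewall box forwarding but originating nothing.
#
# Hypothetical assumptions: eth0 = outside, eth1 = inside (192.168.1.0/24),
# the mapping below, and TCP 80/443 as the only inbound ports allowed.
# Without APPLY=1 the script prints the commands instead of running them.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
ALLOWED_INBOUND_TCP=80,443

# Constructed sample mapping: "<public IP> <private IP>" per line.
NAT_MAP='1.2.3.2 192.168.1.10
1.2.3.3 192.168.1.11'

# Print a command (dry run) or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Call "$1 <public> <private>" for every pair in NAT_MAP.
each_mapping() {
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        [ -n "$pub" ] && "$1" "$pub" "$priv"
    done
}

# Step 1: the box claims each public IP on the outside NIC, so it owns the
# address (and answers ARP for it if the /28 is delivered on-link).
claim_public_ips() {
    each_mapping _claim_one
}
_claim_one() { run ip addr add "$1/32" dev "$WAN_IF"; }

# Step 2: 1:1 NAT. Inbound to the public IP is rewritten to the private host;
# outbound from that host leaves with its dedicated public IP, so to the
# world the host looks as if it owned the public address.
nat_rules() {
    each_mapping _nat_one
}
_nat_one() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$1" -j DNAT --to-destination "$2"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$2" -j SNAT --to-source "$1"
}

# Step 3: filtering. Default-deny on every chain; the box accepts nothing
# from outside and sends nothing of its own (OUTPUT DROP, as in the reply).
# Only forwarded packets pass. Add an INPUT rule from $LAN_IF yourself if you
# want to administer the box from the LAN.
filter_rules() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Replies to already-accepted flows, in both directions.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate anything outbound.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # From the Internet only the listed ports reach a mapped host (FORWARD
    # sees the packet after DNAT, so match on the private address).
    each_mapping _allow_inbound
    run sysctl -w net.ipv4.ip_forward=1
}
_allow_inbound() {
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$2" -p tcp \
        -m multiport --dports "$ALLOWED_INBOUND_TCP" -m conntrack --ctstate NEW -j ACCEPT
}

# Flush old rules first so a re-run starts from a known state.
reset_rules() {
    run iptables -F
    run iptables -t nat -F
}

reset_rules
claim_public_ips
nat_rules
filter_rules
```

Two things to keep in mind before running it with APPLY=1: the policies are set to DROP before any ACCEPT rule exists, so run it from the console rather than over SSH, and a host that should be reachable on ports other than 80/443 needs its own entry in place of the single ALLOWED_INBOUND_TCP list.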
