Matt this is a very interesting idea, along the lines of a solution that I did not want to try to get strait in my head. The question that I run in to is how does the system handle returning (outbound) internet traffic from systems not in the DMZ? The way that I read and understand your idea I can't tell how the returning traffic will not be sent to the DMZ. Other than that I think this idea is a very good one. The idea that comes to my mind, but sadly will not work as I know it, is to use EBTables to bridge the internet and LAN interface and use the EBTables brouting table BROUTING chain to decide if the traffic should be bridged or not based on a connection tracking state, i.e. if the traffic is not related to any outbound LAN traffic then bridge the traffic over to the DMZ server, if it is related DROP the traffic in the BROUTING table which causes it to be routed. You would obviously need to have at least an aliased interface on the LAN interface to do the routing with. But I don't know of any match extension for EBTables that will test based on whether or not the NetFilter Connection Tracking code has seen the traffic or not. However I think this would be a useful match extension, and guessing I don't think it would be hard to write though I am not qualified to do so or really speculate. Grant. . . . Matthew Lowe wrote: > There's only one reason I could possibly see someone wanting to do this. That is to fool server software on the DMZ into using the public IP address. For example, say the server was sending out the local IP address to the clients to initate further connections. If the server software is not firewall friendly it may not check for the external IP and rather would send the internal IP. Other than that, I can't see any reason to do this. > > Anyway, here's the dilema. You cannot change the destination IP address of a packet prior to routing. If that IP address you're sending to is the same IP address that is assigned to one of the interfaces on the router then your packet will not be sent out the LAN interface. This is because when traversing the route tables, the first table, local, will match the packet. > > This problem seems rather complex at first. Assuming you don't change the local table at all you can accomplish what you want to do by adding in a second linux router. Basically you would run NAT and DMZ just like a normal network with private IPs. The DMZ would be assigned a space holder ip address, like 192.168.0.10. The second linux router would forward all traffic, except traffic that matched 192.168.0.10, for this traffic it would translate the IP address to the public IP address. This functionality can be condensed into one machine by adding two interfaces to the machine and building a bridge between the intefaces. By looping the LAN interface through this bride, you can then perform the DNAT as the traffic passes through the bridge. This requires the br-nf patch for 2.4 kernels (not required for 2.6). > > There is however a simpler solution. It didn't occur to me at first because I've never done it, and never had a need to. Anyway, you need to make two extra routing tables in /etc/iproute2/rt_tables. Call them local2 and dmz. You need to delete the public ip route from the local table and move it to the local2 table. Then you need to add a rule to the other table that looks like this: > ip route add 2.2.2.2 dev eth1 table dmz > 2.2.2.2 is your public ip, and eth1 is your lan interface. Change them for your setup. > Now you need to add the rules to lookup these tables in the correct order. > ip rule add from all lookup local2 > ip rule add fwmark 1 lookup dmz > > This will send any traffic with the public IP out over your lan interface _IF_ it is marked with the value 1. Otherwise it will operate just like normal. Now you should setup your NAT settings for the network. Set it up without anything speical for the DMZ. Do it as if there was no DMZ and you were just performing SNAT for the entire private network. > > Then, add the rule to mark traffic you want to go to the dmz. > > iptables -t mangle -A PREROUTING -d 2.2.2.2 -j MARK --set-mark 1 > > Pretty simple eh? I've never tested it, but in theory it should work. > > Hope that helps, > - Matt _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc