Re: IP trick

Fabien Ribes <fribes@capgemini.fr>:
> In order to test a firewall, I'd like to use a single host.
> There are two interfaces on the host, two on the firewall, with subnets
> as described below.
> 
> eth0:             eth1:     
> 10.67.27.2        10.67.28.2
>           FIREWALL
>           |      |
>           |      |
> 10.67.27.0|      |10.67.28.0
>           |      |
>           |      |
> eth0:      -HOST- eth1:      
> 10.67.27.1        10.67.28.2
>
> Is it possible, from the host, to send a packet to IP 10.67.28.2 by the
> long way (the loop using the firewall)?
> Currently, the stack on the host takes the shortcut, i.e. a packet from
> the host destined to IP:10.67.28.2 never goes out of the host, even with
> a route specifying to use eth0 to reach 10.67.28.0 subnet.
>
> Any advice ?

First let me convert the diagram into my interpretation of yours.

                        10.67.28.0/24
   -----------+----------------------------------+-----------
         eth1 | 10.67.28.2                  eth1 | 10.67.28.2
        +-----+-----+                      +-----+------+
        | FIREWALL  |                      |   HOST     |
        |           |                      |            |
        +-----+-----+                      +-----+------+
         eth0 | 10.67.27.2                  eth0 | 10.67.27.1
   -----------+----------------------------------+-----------
                        10.67.27.0/24


Is there a typo in the IP addresses on the eth1 interface(s)?  They are
identical, on two distinctly different hosts.

If they are correct I can't see how you can bypass the fact HOST will
always consider any packets to this address as being local.

If the IP address on eth1 of HOST is indeed incorrect, then on HOST try
the following:

route add -host 10.67.28.2 gw 10.67.27.2 dev eth0

The 'dev eth0' may be optional.


-- 
Darryl Miles
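
Added example, not part of the original message: a simplified Python model of the lookup order discussed in the reply, in which the host's own addresses (the kernel's local table) are checked before the main routing table. The address 10.67.28.1 used for the renumbered case is an assumed value, not taken from the thread.

```python
import ipaddress

def lookup(dst, local_addrs, routes):
    """Simplified model of route selection on HOST.

    The host's own addresses are consulted first; only if the destination
    is not one of them is the main table searched by longest prefix.
    Returns ("local", None, None) or ("forward", dev, gateway).
    """
    dst = ipaddress.ip_address(dst)
    # Step 1: a destination equal to any configured address is delivered
    # internally, so no route in the main table is ever consulted.
    if dst in {ipaddress.ip_address(a) for a in local_addrs.values()}:
        return ("local", None, None)
    # Step 2: main table, longest matching prefix wins.
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return ("unreachable", None, None)
    return ("forward", best[2], best[1])

# Connected routes for both subnets.
CONNECTED = [
    ("10.67.27.0/24", None, "eth0"),
    ("10.67.28.0/24", None, "eth1"),
]
# Same table plus: route add -host 10.67.28.2 gw 10.67.27.2 dev eth0
WITH_HOST_ROUTE = CONNECTED + [("10.67.28.2/32", "10.67.27.2", "eth0")]

# Addresses as posted: HOST eth1 duplicates the firewall's 10.67.28.2.
AS_POSTED = {"eth0": "10.67.27.1", "eth1": "10.67.28.2"}
# HOST eth1 renumbered; 10.67.28.1 is an assumed value for illustration.
RENUMBERED = {"eth0": "10.67.27.1", "eth1": "10.67.28.1"}

def demo():
    return {
        "as_posted": lookup("10.67.28.2", AS_POSTED, WITH_HOST_ROUTE),
        "renumbered": lookup("10.67.28.2", RENUMBERED, WITH_HOST_ROUTE),
        "renumbered_no_host_route": lookup("10.67.28.2", RENUMBERED, CONNECTED),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With the addresses as posted the packet never leaves HOST, whatever routes are added. Once the addresses differ, the /32 host route is more specific than the connected /24 on eth1 and sends the traffic out eth0 through the firewall.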