Preserving source IP

Dear all,

I'm trying to set up a DMZ-style firewall. The Linux box has 3 interfaces: one to the Internet, one to the internal network (trusted) and one to the DMZ network. Unlike many example scripts I found, this DMZ interface has a legal Internet IP address, similar to the hosts connected to it, which also use legal Internet IPs.
The NAT IP address is also similar to the DMZ interface IP address. To simplify:

eth0 IP address : aaa.bbb.ccc.ddd
eth1 IP address : ddd.ccc.bbb.aaa
eth2 IP address : ddd.ccc.bbb.aaa

IP ddd.ccc.bbb.aaa is a legal Internet IP address.

Up till now, I'm using Linux 2.4.20's proxy arp (/proc/sys/net/ipv4/{eth}/proxy_arp) and /proc/sys/net/ipv4/ip_nonlocal_bind to let hosts connected to that DMZ interface be seen from the Internet. It leaves me with a problem: DMZ hosts can only see the DMZ interface IP address as the source IP address, no matter whether it really came from the trusted network or the Internet.

Is it possible to preserve the source IP address while still using proxy_arp and ip_nonlocal_bind? I know this is more likely a kernel question, but right now I need every idea I can use.

Regards,

Anthony M. Rasat.-
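
As an added example (not code from the original post or from the netfilter project), here is a POSIX shell check that reads an iptables-save style nat table and flags the POSTROUTING source-NAT rules that would rewrite the address DMZ hosts see; a source-NAT rule that matches DMZ-bound traffic produces exactly the symptom described above. Interface names eth0/eth2 are taken from the mail; the sample rules and the address 203.0.113.2 are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Given iptables-save style output,
# flag nat POSTROUTING rules that would rewrite the source address of packets
# leaving on the DMZ interface, which is what makes every DMZ host see the
# firewall's own address. Interface names follow the mail (eth0 = Internet,
# eth2 = DMZ); the rule set and 203.0.113.2 are constructed for illustration.

DMZ_IF="${DMZ_IF:-eth2}"
INET_IF="${INET_IF:-eth0}"

# Constructed sample dump. Rule 2 is the classic mistake: MASQUERADE with no
# -o restriction also catches traffic headed for the public-addressed DMZ.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
-A POSTROUTING -o eth2 -j SNAT --to-source 203.0.113.2
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

# Reads rules on stdin; prints each source-NAT rule that applies to $DMZ_IF
# (bound to it explicitly, or a catch-all with no -o at all).
# Returns 0 when the DMZ is untouched by source NAT, 1 otherwise.
find_dmz_snat_rules() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*) ;;            # only POSTROUTING rules matter
            *) continue ;;
        esac
        case "$line" in
            *"-j SNAT"*|*"-j MASQUERADE"*) ;; # only source-rewriting targets
            *) continue ;;
        esac
        case "$line" in
            *"-o $DMZ_IF "*|*"-o $DMZ_IF") echo "rewrites source on $DMZ_IF: $line"; found=1 ;;
            *"-o "*) ;;                       # bound to another interface: fine
            *) echo "catch-all source NAT (no -o): $line"; found=1 ;;
        esac
    done
    return $found
}

# The shape to aim for: source NAT restricted to the Internet-facing link,
# so DMZ hosts keep seeing the real client address.
suggested_snat_rule() {
    printf '%s\n' "-A POSTROUTING -o $INET_IF -j MASQUERADE"
}

printf '%s\n' "$SAMPLE_NAT_RULES" | find_dmz_snat_rules || suggested_snat_rule
```

On a live box, replace the constructed dump with `iptables-save -t nat | find_dmz_snat_rules`.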

