I will take a stab at this, with the expectation that if I do not understand the configuration needed, people will be kind.

2 machines can have the same IP address (your 10.2.1.100) so long as there will be no confusion when another machine sends a packet to 10.2.1.100 as to which box is meant. Your "sneakernet" failover would definitely be do-able in this case. I have the sense that this will not exactly be the case.

I just wiped out some thoughts on using MASQUERADE to hide the true IP address of the legacy box and DNAT to send traffic to the legacy box that is addressed to the box that is doing the MASQUERADE-ing of outgoing traffic from the legacy box, because it falls apart when the box doing the MASQUERADE-ing can see both the legacy box and the proxy/firewall box at the same time. ??? which box gets the traffic for 10.2.1.100 ???

My last thought, which fits here, is that the above might work if you did it twice - hid the real IP address of both the legacy and the proxy/firewall boxes behind 2 different IP addresses so no one box would see both the legacy and the proxy/firewall at the same time at the same IP address. This might be on the right path to a solution. (I use DNAT in -t nat PREROUTING to force all DNS traffic to a specific DNS server, if that helps with part of your question.)

If you do not need the telnet and ftp functionality of the legacy box when it is acting as your sneakernet failover, and assuming that the time to change the IP address of the legacy machine is included in acceptable downtime, and assuming that MPR is not replete with extra boxes, Garrison Keillor's popularity notwithstanding, I would just put the legacy machine at a different IP address for normal use and change its IP address as part of the sneakernet failover process.

Hope this helps.

Bill Chappell

"Ringer, Torleiv" wrote:
>
> Hi there,
>
> I am not exactly sure how this needs to be done...
>
> I have a legacy machine that I need to isolate from our LAN. Network access to this machine will be limited to port forwarding of telnet, and a limited FTP access that will only be initiated locally on a proxy machine (which will also run the iptables).
>
> Let's say that the legacy machine currently has address 10.2.1.100, and I would like my proxy/firewall to have the same address. I will be unplugging the legacy machine from the LAN, then assigning the proxy/firewall the same IP.
>
> Can I isolate the 100 machine from the LAN, and keep the same IP? I need to do this for failover, so that if the proxy box goes down, I can just unplug the 100 machine from the proxy/firewall, and plug it back into the LAN. I would also be unplugging the proxy/firewall from the LAN at this point.
>
> Can I port forward telnet from the LAN (eth0) side to the legacy (eth1) side where both the proxy machine and the legacy machine have the same IP but are isolated from each other? Is this impossible?
>
> Torleiv Ringer
> IT Support
> Minnesota Public Radio
> http://www.mpr.org

--
William Chappell, Software Engineer, Critical Technologies, Inc.
Suite 400 Technology Center, 4th Floor
1001 Broad Street, Utica, NY 13501
315-793-0248 x148 < bill.chappell@xxxxxxxxxxxx >
www.critical.com
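The arrangement Bill suggests (proxy/firewall keeps 10.2.1.100 on eth0, the legacy box moved to a different address on an isolated eth1 segment, telnet forwarded in with DNAT in -t nat PREROUTING and nothing else allowed across), written out as an added example that is not from either poster. The 192.168.200.x addresses, the interface names and the `apply` argument are assumptions; the script only prints the rules unless told to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: the proxy keeps the LAN
# address 10.2.1.100 on eth0; the legacy box sits alone on eth1 at a private
# address (192.168.200.2) with the proxy at 192.168.200.1 on that segment.
# Only telnet (tcp/23) is forwarded in from the LAN; FTP is initiated locally
# on the proxy (OUTPUT chain), so no forwarded FTP rule is needed.
LAN_IF=eth0
LEGACY_IF=eth1
PROXY_LAN_IP=10.2.1.100
LEGACY_IP=192.168.200.2        # hypothetical isolated address for the legacy box
PROXY_LEGACY_IP=192.168.200.1  # hypothetical address of the proxy on eth1

# rules takes the command to run for each rule: "iptables" to apply, "echo" to
# print them for inspection without touching the live tables.
rules() {
  ipt=$1
  # Telnet arriving on the LAN side for the proxy's own address is rewritten
  # to the legacy box on the isolated segment (the PREROUTING DNAT Bill mentions).
  $ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$PROXY_LAN_IP" -p tcp --dport 23 \
       -j DNAT --to-destination "$LEGACY_IP":23
  # Hide LAN sources behind the proxy's eth1 address so the legacy box never
  # needs a route back to the LAN; it only ever talks to 192.168.200.1.
  $ipt -t nat -A POSTROUTING -o "$LEGACY_IF" -j SNAT --to-source "$PROXY_LEGACY_IP"
  # Default deny for forwarded traffic, then permit only the telnet flow.
  $ipt -P FORWARD DROP
  $ipt -A FORWARD -i "$LAN_IF" -o "$LEGACY_IF" -d "$LEGACY_IP" -p tcp --dport 23 \
       -m state --state NEW,ESTABLISHED -j ACCEPT
  $ipt -A FORWARD -i "$LEGACY_IF" -o "$LAN_IF" -s "$LEGACY_IP" -p tcp --sport 23 \
       -m state --state ESTABLISHED -j ACCEPT
  # Anything else originating on the legacy segment is dropped before the LAN.
  $ipt -A FORWARD -i "$LEGACY_IF" -j DROP
}

# Dry-run check: how many rules name the legacy address (DNAT plus the two
# FORWARD accepts). Used to sanity-check the generated set before applying.
count_legacy_rules() {
  rules echo | grep -c "$LEGACY_IP"
}

# Apply for real only when invoked as "./script.sh apply"; otherwise just print.
if [ "${1:-}" = apply ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward
  rules iptables
else
  rules echo
fi
```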