Wouldn't it be better to run HA Linux (www.linux-ha.org) which was meant for failover? Otherwise put the 2 machines on a DMZ and DNAT to the live one until it falls over and then flick to the back machine...???? no???

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

> -----Original Message-----
> From: Ringer, Torleiv [mailto:tringer@xxxxxxx]
> Sent: Friday, 17 October 2003 8:02 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Isolate a legacy machine
>
> Hi there,
>
> I am not exactly sure how this needs to be done...
>
> I have a legacy machine that I need to isolate from our LAN.
> Network access to this machine will be limited to port
> forwarding of telnet, and a limited FTP access that will only
> be initiated locally on a proxy machine (which will also run
> the iptables).
>
> Let's say that the legacy machine currently has address
> 10.2.1.100, and I would like my proxy/firewall to have the
> same address. I will be unplugging the legacy machine from
> the LAN, then assigning the proxy/firewall the same IP.
>
> Can I isolate the 100 machine from the LAN, and keep the same
> IP? I need to do this for failover, so that if the proxy box
> goes down, I can just unplug the 100 machine from the
> proxy/firewall, and plug it back into the LAN. I would also
> be unplugging the proxy/firewall from the LAN at this point.
>
> Can I port forward telnet from the LAN (eth0) side to the
> legacy (eth1) side where both the proxy machine and the
> legacy machine have the same IP but are isolated from each
> other? Is this impossible?
>
> Torleiv Ringer
> IT Support
> Minnesota Public Radio
> http://www.mpr.org
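An added example, written for this thread and not posted by either George or Torleiv, of the proxy/firewall rule set that the DNAT suggestion above and the original port-forwarding question describe: telnet from the LAN is rewritten to the legacy host, the legacy host is confined to that one service, and FTP stays a proxy-local affair. Assumptions not in the thread: the LAN side is eth0 where the proxy keeps 10.2.1.100, and the legacy host is re-addressed to 192.168.100.2 on a private link behind eth1 (two hosts with the same IP on opposite sides of one router cannot be forwarded between, so the legacy side gets its own subnet); `IPT=echo` previews the rules instead of applying them.

```shell
#!/bin/sh
# Proxy/firewall rule set for isolating a legacy host behind eth1.
# Constructed example; the 192.168.100.x addresses and interface roles
# are assumptions, only 10.2.1.100 and the telnet/FTP limits come from the thread.
LAN_IF=eth0                    # LAN side, proxy keeps 10.2.1.100 here
PROXY_LAN_IP=10.2.1.100        # address LAN users still telnet to
LEGACY_IF=eth1                 # isolated link to the legacy host
LEGACY_IP=192.168.100.2        # legacy host, re-addressed on a private /30
PROXY_LEGACY_IP=192.168.100.1  # proxy's own address on that link
IPT=${IPT:-iptables}           # set IPT=echo to preview the rules without root

# build_rules emits (or applies) the whole rule set, one $IPT call per line.
# It flushes only the chains it owns, so re-running it is safe.
build_rules() {
  # Default deny across the proxy: nothing is forwarded unless listed.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  $IPT -F INPUT
  $IPT -t nat -F PREROUTING
  $IPT -t nat -F POSTROUTING
  # Replies to conversations the proxy already accepted may pass.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Telnet from the LAN to 10.2.1.100 is rewritten to the legacy host...
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$PROXY_LAN_IP" --dport 23 \
       -j DNAT --to-destination "$LEGACY_IP"
  # ...and only that one new flow is allowed through the forwarding path.
  $IPT -A FORWARD -i "$LAN_IF" -o "$LEGACY_IF" -p tcp -d "$LEGACY_IP" \
       --dport 23 -m state --state NEW -j ACCEPT
  # The legacy host only ever sees the proxy's link address, never the LAN.
  $IPT -t nat -A POSTROUTING -o "$LEGACY_IF" -j SNAT --to-source "$PROXY_LEGACY_IP"
  # Nothing the legacy host initiates may reach the LAN.
  $IPT -A FORWARD -i "$LEGACY_IF" -o "$LAN_IF" -m state --state NEW -j DROP
  # FTP initiated on the proxy itself uses OUTPUT/INPUT, not FORWARD:
  # accept the legacy host's replies to it and drop anything else it sends us.
  $IPT -A INPUT -i "$LEGACY_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -i "$LEGACY_IF" -j DROP
}

# count_rules reports how many $IPT invocations build_rules emits in preview mode.
count_rules() {
  ( IPT=echo; build_rules ) | wc -l | tr -d ' '
}
```

Run `build_rules` as root on the proxy to apply, or `IPT=echo sh -c '. ./rules.sh; build_rules'` to review the twelve commands first.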