Re: forwarding on the same NIC

alucard@xxxxxxxxx wrote:
Anyone could help? The thing is that this second webserver is using an
application that we use internally and, what I'm trying to do here is,
access the web configuration service from the outside using our existing
server, which is the only one NAT'ed, so our other offices can access it.
Since the second server is a production server, there's no way we can
change its IP and use a subnet.

I wasn't following this discussion too closely. However, after reading what John wrote, I'd guess that your first box is also generating ICMP redirect packets back to the router. The reason I believe it is generating them is that the packet has arrived on the same physical interface where it is supposed to be routed out. This is exactly the situation where routers (by default) generate ICMP redirects. So even if you get your box to start routing, you might need to turn off generation of ICMP redirects on the first Linux box (send_redirects, or something like that).


I guess that the router is actually at your end (not the ISP end), and it is one of those small cheap boxes where you connect ADSL or cable, so it has a public IP address on one end, and is doing NAT for the internal network (and your Linux box is assigned to do firewalling). If this is the case, you can solve it in a simple way by putting a second NIC in your first Linux box and assigning it a different network. So you would end up with something like this:

                  +-------------+
                  |     ISP     |
                  +-------------+
                         |
                         |
                         | ISP assigned public IP
                  +-------------+
                  |   router    |
                  +-------------+
                         | 192.168.1.1
                         |
                         | 192.168.1.2
                  +-------------+
                  |  Linux box  |
                  +-------------+
                         | 10.73.219.156
                         |
                         | 10.73.219.77
                  +-------------+
                  | 2nd Web srv |
                  +-------------+

The router will have its default route pointing to the ISP, the Linux box will have its default route pointing to the router, and the 2nd web server will have its default route pointing to your Linux box. You will be doing NAT twice, once in the router, and again in the Linux box. You can get away with only one NAT if you want, of course. The 192.168.0.0/16 will become your future DMZ network, and your internal network (10.0.0.0/8) will be deep inside. I've used 192.168 for the DMZ to avoid guessing what you already use from 10.

To enhance security, you might start making plans to move 2nd Web server into the DMZ (change of IP address) as some future project, but you don't have to do it right away.

Anyhow, you've got the idea, you only need to adjust it for your environment.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
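The two-NIC setup sketched in the diagram above (default route to the router, second NAT layer on the Linux box, ICMP redirect generation switched off as discussed earlier in the thread), written out as an added shell example; this is not code from the thread or its author. Interface names eth0/eth1, the /24 masks, and the web service port (80) are assumptions; the script prints the commands it would run unless invoked with `apply`.

```shell
#!/bin/sh
# Added example, not from the thread: configure the "Linux box" from the diagram
# as a two-NIC NAT router for the 2nd web server.
# Assumed: eth0 = 192.168.1.2 faces the router, eth1 = 10.73.219.156 faces the
# web server, both /24; the web config service is TCP 80 (placeholder).
# Dry-run by default (commands are printed); run as "sh script.sh apply" to execute.

OUT_IF=eth0; OUT_IP=192.168.1.2; GW=192.168.1.1
IN_IF=eth1;  IN_IP=10.73.219.156; IN_NET=10.73.219.0/24
WEB_SRV=10.73.219.77; WEB_PORT=80
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_linux_box() {
    # Forward between the NICs, but do not advertise shortcuts: a packet routed
    # out the interface it came in on makes the kernel emit an ICMP redirect,
    # which would steer the router around this box. Ignore redirects as well.
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.$OUT_IF.send_redirects=0"
    run sysctl -w net.ipv4.conf.all.accept_redirects=0

    # Addresses and routes: default via the router; 10.73.219.0/24 is directly
    # connected on eth1 (the web server points its default route at 10.73.219.156).
    run ip addr add "$OUT_IP/24" dev "$OUT_IF"
    run ip addr add "$IN_IP/24" dev "$IN_IF"
    run ip route replace default via "$GW" dev "$OUT_IF"

    # Second NAT layer: hide the 10.x network behind 192.168.1.2 on the way out.
    run iptables -t nat -A POSTROUTING -s "$IN_NET" -o "$OUT_IF" -j MASQUERADE
    # Publish only the web service of the 2nd server towards the router side.
    run iptables -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_SRV:$WEB_PORT"
    # Default-deny forwarding; allow replies, outbound from 10.x, and the
    # published web port inbound. Nothing else crosses the box.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$IN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$OUT_IF" -o "$IN_IF" -p tcp -d "$WEB_SRV" \
        --dport "$WEB_PORT" -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
configure_linux_box
```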

