OK, That's exactly what I'm trying to do and the idea is interesting.
However, there are 2 problems that I currently see in this solution:
a. I need to know exactly which hosts of the 1.1.1.0/24 are fake and to explicitly
define them on eth0. I cannot add the whole range because I may get into conflict
with real 1.1.1.0/24 hosts that are located on my eth0 interface.
b. because there are many secondaries on eth0 that belong to the same subnet,
I can not guarantee that my host will always use the right one (1.1.1.5) to talk to the outer world.
Am I right?
Yaron
John A. Sullivan III wrote:
Yes, I think there is some misunderstanding there. My apologies. Let me be a little more specific.
Let's assume that you have a gateway with a public address of 1.1.1.5 on the network 1.1.1.0/24 and bound to interface eth0 and that it protects the private network 10.1.1.0/24 with a second interface, eth1, to which is bound the private address 10.1.1.1. Now let's also say that I have internal hosts at 10.1.1.8, 10.1.1.3, 10.1.1.6 and 10.1.1.13. I wish to NAT these to the world at the addresses 1.1.1.8,1.1.1.3, 1.1.1.6 and 1.1.1.13 respectively. Is that what you are trying to do?
To do so, I would create a script on the NAT gateway to run the commands:
ip address add 1.1.1.8/24 brd + dev eth0 ip address add 1.1.1.3/24 brd + dev eth0 ip address add 1.1.1.6/24 brd + dev eth0 ip address add 1.1.1.13/24 brd + dev eth0
eth0 will now respond to ARP requests for all those addresses as well as 1.1.1.5. The subsequent packets will be dutifully passed to netfilter which will NAT them to 10.1.1.8, 10.1.1.3, 10.1.1.6 and 10.1.1.13 and route them on their way (assuming forwarding is enabled).
I hope I have not misunderstood what you are trying to do - John
On Mon, 2004-07-19 at 10:16, Yaron Presente wrote:
Hi John,
Thanks for your reply.
However, I'm not sure that it solves my problem (unless I
misunderstood you).
Looking at your numeric example, let's say that I want to DNAT from
10.1.1.0/24 to 1.1.1.0/24,
and that my public interface address is 10.1.1.5. I need to reply to ARP for all hosts in 10.1.1.0/24, but without proxy
arp I will only reply to my own address 10.1.1.5.
I don't think that adding the private range (1.1.1.0/24) to the public
interface will do any good :(
Thanks,
Yaron
John A. Sullivan III wrote:
On Sun, 2004-07-18 at 05:52, Yaron Presente wrote:--
Hi All,If I understand you correctly, it is a pretty straightforward DNAT with
I have a linux box (Montavista 2.4.18), which is connected to the external world through an IP subnet A.
I want to DNAT this subnet A to a private subnet B, and to do this I need to support proxy arp for hosts in class A, which don't actually exist.
My problems are all ARP related:
1. I want to reply on ARP requests for hosts on subnet A. looking at the arp code in net/ipv4/arp.c, it seems that
this should have been the default behaviour (i.e (rt->rt_flags&RTCF_DNAT) behaves the same as if a proxy arp was defined
on the interface). However, testing shows that the linux doesn't reply. why ?
2. To overcome the first problem, I can enable proxy arp explicitly. However, proxy arp does not answer to requests if the
routing lookup shows that the target is located on the incoming interface of the request. any ideas?
3. If there are real hosts of subnet A on my external interface, I do not want to serve as proxy arp for them.
is there a way to define these exceptions to the proxy arp? can I set a big proxy_delay in /proc and hope that the real host would
answer before my proxy?
Any help would be appreciated.
Thanks,
Yaron
exactly the proxy ARP issues you describe. I typically handle this by
binding the DNAT address to the public NIC using iproute2. For example,
if I NAT 10.1.1.5 to 1.1.1.5, I have the appropriate DNAT rule in
iptables and then do a
ip address add 1.1.1.5/24 brd + dev eth0
or whatever parameters are appropriate. I'm not sure if the brd + is necessary if I already have an address for the same subnet bound to the NIC. Perhaps someone else can comment.
Once ISCS is available (http://iscs.sourceforge.net), it will
automatically handle the ARP configuration when you assign a public
address to a private host. In fact, that code works now along with
almost all the access control portion. Good luck with it - John
Yaron Presente
MRV International
Direct : 972-4-9936237
Fax : 972-4-9890564
Email : ypresente@xxxxxxx
www.mrv.com
-- Yaron Presente MRV International Direct : 972-4-9936237 Fax : 972-4-9890564 Email : ypresente@xxxxxxx www.mrv.com
