Re: Firewall IP change

On Friday 23 July 2004 1:57 pm, Frédéric Gonzatti wrote:

> Hi all,
>
> I've got a big problem with my firewall, which has three ethernet cards.
> eth0: 172.16.2.1/255.255.255.0 ----> LAN
> eth1: 192.168.2.1/255.255.255.0 ----> DMZ
> eth2: 192.168.3.1/255.255.255.0 ----> WAN
>
> This firewall is connected to a router which has WAN IP 192.168.3.254 and a
> public IP for WAN: 62.160.X.X/255.255.255.255
> This configuration is working!!!

This means that your WAN router must be doing SNAT for you on packets to the 
Internet, and the corresponding DNAT on packets coming back again.

> I have tried to replace the WAN IP of my firewall with a public IP,
> 62.160.X.Y:
> # ifconfig eth2 62.160.X.Y netmask 255.255.255.248
> # route add default gw 62.160.X.Z (which is the new IP of the router; the
> WAN and LAN interfaces of the router are the same)
>
> I can access the internet from my firewall but unfortunately not from my
> LAN.
> So now I have come back to my old configuration until I learn why it was
> not working. Have you got any idea please?

Yes; if you want to use your WAN router in bridging mode (which it is if you 
have the same address on both internal and external interfaces) with a public 
IP on your firewall, then you need to SNAT outbound packets (which will 
automatically DNAT reply packets for you too):

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 62.160.X.Y

Regards,

Antony.

-- 
This email was created using 100% recycled electrons.

                                                     Please reply to the list;
                                                           please don't CC me.
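The rule in the reply, placed in context. What follows is an added example, not part of the list thread: a script that emits the complete nat and FORWARD rule set a three-legged firewall needs once eth2 carries the public address, so the rules can be reviewed before they are applied with `--apply`. It uses the addresses from the original post; `62.160.X.Y` is kept as the placeholder the poster used, and the FORWARD policy (default DROP, only reply traffic and LAN/DMZ-to-WAN allowed) is an assumption, not something the thread specifies. The `check_postrouting` function exists because the target matters: DNAT is only valid in PREROUTING/OUTPUT, so a DNAT rule in POSTROUTING (the typo in the reply as archived) is refused by iptables, and the LAN would still not get out.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's or the list's code.
# Addresses follow the original post; 62.160.X.Y is a placeholder (assumption).
LAN_IF=eth0; LAN_NET=172.16.2.0/24
DMZ_IF=eth1; DMZ_NET=192.168.2.0/24
WAN_IF=eth2; WAN_IP=62.160.X.Y

# Emit the rules as text so they can be reviewed (or diffed) before applying.
# Only the firewall's own public address is used as the SNAT source; the router
# is assumed to forward the /29 unchanged, as the reply's "bridging mode" implies.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $DMZ_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -j ACCEPT
EOF
}

# Sanity check before applying: every nat POSTROUTING rule must use SNAT or
# MASQUERADE. Any other target there (DNAT, as in the archived reply) is not
# valid in that chain and iptables will reject it. Returns 0 when clean.
check_postrouting() {
    nat_rules | grep -- '-A POSTROUTING' \
              | grep -v -E -- '-j (SNAT|MASQUERADE)' \
              | grep -q . && return 1
    return 0
}

# Apply only on explicit request (needs root); default is review mode.
case "${1:-}" in
    --apply) check_postrouting && nat_rules | sh ;;
    *)       nat_rules ;;
esac
```

Run it without arguments to see the rules, `sh script.sh --apply` as root to load them. If the firewall's public address were ever to change, SNAT rules pin the old address and must be reloaded; `-j MASQUERADE` on eth2 would pick up the interface address automatically at the cost of a small per-packet lookup.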



