On Wed, February 22, 2006 16:24, Chinh Nguyen wrote:

> Hi,
>
> I have a machine M that is 'walled' off from the rest of the local subnet
> similar to this.
>
>      .1               .2     .3             .4-.254
>  +-------+       +---------+
>  +   M   + ------ eth1  FW  eth0 ---- local subnet
>  +-------+       +---------+
>
> With ip_forward on and using standard forward rules on FW (e.g., -A FORWARD
> --in-interface eth1 -j ACCEPT, -A FORWARD --in-interface eth0 -m state
> --state ESTABLISHED,RELATED -j ACCEPT), M can reach the local subnet.
>
> However, I need to add a routing entry in M to send all local traffic to FW.
> Otherwise, M will attempt to arp the destination as they are all on the same
> subnet.
> The linux arp man page claims that linux will "automagic proxy arp when a
> route exists and it is forwarding".

The "linux arp man page"... Not the iptables man page.

> Does anyone know how to set up iptables on FW to enable this "automagic"?

Aren't you confusing things? arp != iptables.

From man arp(8):

    NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP entry
    for an entire subnet. Linux instead does automagic proxy arp when a
    route exists and it is forwarding. See arp(7) for details.

> I've also tried using explicit forward rules such as "--in eth1 -d !.1 -j
> ACCEPT", "--in eth1 -d .4 -j ACCEPT, --in eth1 -d .5 -j ACCEPT, etc." to no
> effect.

Why is it such a problem to set the default gateway of "M" to the firewall?
You say it works when you add a routing rule for the firewall, but if the
firewall is the only machine that "M" can reach, you might as well use it as
default gateway.

Gr,
Rob
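The setup discussed in the thread, written out as an added example (not from either poster): FW forwards with a default-DROP stateful FORWARD chain and answers ARP for M on eth0, and M routes everything, including the local /24, through FW by holding a /32 address and a host route to FW. The 192.0.2.0/24 addresses and the proxy_arp sysctl on FW's eth0 are assumptions; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed addresses following the diagram in the question:
# M = .1 (behind FW eth1), FW eth1 = .2, FW eth0 = .3, local subnet = .4-.254.
NET="192.0.2"                      # placeholder for the real /24
M_IP="$NET.1"; FW_ETH1="$NET.2"; FW_ETH0="$NET.3"

# FW kernel settings: forward packets, and let eth0 answer ARP requests for
# addresses FW has a route to on another interface (M via eth1). The arp(8)
# note in the thread covers the route part; proxy_arp makes FW actually reply.
fw_sysctls() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "sysctl -w net.ipv4.conf.eth0.proxy_arp=1"
}

# FW FORWARD chain: M may open connections to the subnet; the subnet may only
# send replies back. Output interfaces are pinned so the rules cannot be
# satisfied by traffic hairpinning on one interface, and the policy is DROP.
fw_rules() {
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT" \
        "iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# M routing: with a /32 on its NIC, M has no connected /24 route, so the only
# neighbour it ever ARPs for is FW; everything else goes via the default route.
m_routes() {
    printf '%s\n' \
        "ip addr add $M_IP/32 dev eth0" \
        "ip route add $FW_ETH1/32 dev eth0" \
        "ip route add default via $FW_ETH1"
}

# Check from a subnet host: the ARP reply for M's address must carry FW's
# eth0 MAC, which is what proxy ARP looks like on the wire.
verify_hint() {
    printf '%s\n' "arping -I eth0 -c 3 $M_IP   # expect FW eth0 MAC in the reply"
}

if [ "${APPLY:-0}" = 1 ]; then
    fw_sysctls | sh; fw_rules | sh      # run on FW as root
else
    echo "# FW:"; fw_sysctls; fw_rules
    echo "# M:";  m_routes
    echo "# verify from the subnet:"; verify_hint
fi
```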