Re: Redirecting ports in a bridge


 



On 4/21/2008 1:55 AM, Javier Prieto Martínez wrote:
Yes, it's multi-purpose: http://www.eneotecnologia.com/products_en.html?TB_iframe=true&height=510&width=800
- Firewall & QoS. High performance stateful firewall and quality of service.
- Web cache & content filter. Black and white list mode with LDAP or AD authentication.
- VPN. L2TP / IPSEC – X.509, NAT Traversal and high availability.
- IPS / IDS. Snort 2.6 based with hardware acceleration.
- Load balancing. LVS based – L3/4 classification, different algorithms.
- High availability. VRRP (Router mode) and STP (Bridge mode).
- Malware. Antivirus (ClamAV, Kaspersky), antispam (DSPAM, Mailshell), antispyware (Kaspersky, PCTools or Sunbelt) with hardware acceleration.
- NetFlow probe. NetFlow v5/9 Probe.

*nod*

We use it in bridge mode, mainly for traffic logging, and sometimes for packet filtering.

Ok, to me logging is recording information and filtering is either allowing traffic to pass or not. Based on your original post it sounds like you are wanting to do some re-direction of traffic too. Is this correct?

I still want the bridge to be totally transparent, and I don't want to mess with the real IPs, as I don't want the probe to be a single point of failure. In fact, its network cards still work as a bridge when the machine is down.

The bridge cannot be totally transparent and change things at the same time. If you are having the bridge change things, the network will operate differently with it in versus out of service. Please clarify what you are wanting.

I suppose I should use SNAT, then, as you've stated, but it doesn't seem to work properly. I'm trying that:

# iptables -t nat -A PREROUTING -p tcp -d 192.168.2.1 --dport 80 -j DNAT --to-destination 192.168.2.2:80
# iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 192.168.2.2 -d 192.168.1.0/24 -j SNAT --to-source 192.168.2.1


Remember that IPTables operates on layer 3 and EBTables operates on layer 2. So unless you have your kernel configured to do such, IPTables will not see layer 2 traffic. So, either you need to use EBTables (preferred in my opinion) or you need to configure your kernel so that IPTables sees layer 2 traffic.



Grant. . . .
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
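As an added example (not code from this thread or from the product discussed), here is the check a practitioner would run before trusting a PREROUTING DNAT on a bridge, followed by the redirect rule with its target options in the order iptables accepts. It assumes br_netfilter's bridge-nf-call-iptables sysctl is the "kernel configured to do such" that Grant refers to; the function names run, bridge_nf_enabled, ensure_bridge_nf and redirect_port are my own.

```shell
#!/bin/sh
# Transparent TCP port redirect on a Linux bridge (constructed example).
# Assumes: both NICs are enslaved to one bridge, iptables has the nat table,
# and the br_netfilter sysctl below exists. DRY_RUN=1 prints each command
# instead of executing it, so the rules can be reviewed before being applied.

BRIDGE_NF="${BRIDGE_NF:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Returns 0 when the kernel already hands bridged IPv4 frames to iptables.
# With this at 0, a nat PREROUTING rule never sees bridge traffic at all,
# which is the usual reason a DNAT on a bridge "doesn't seem to work".
bridge_nf_enabled() {
    [ -r "$BRIDGE_NF" ] && [ "$(cat "$BRIDGE_NF")" = "1" ]
}

# Turn bridge-nf on if needed; fail loudly when the sysctl is absent, since
# that means the br_netfilter module (or kernel option) is not loaded.
ensure_bridge_nf() {
    if [ ! -e "$BRIDGE_NF" ]; then
        echo "bridge-nf sysctl missing: load br_netfilter first" >&2
        return 1
    fi
    bridge_nf_enabled || run sh -c "echo 1 > '$BRIDGE_NF'"
}

# Redirect TCP $1:$2 to $3:$2 as it crosses the bridge. The DNAT options
# (--to-destination) must follow -j DNAT, otherwise iptables rejects the
# rule as an unknown option. No reverse SNAT rule is needed: conntrack
# un-translates the replies of a DNATed connection on its own.
redirect_port() {
    orig_ip="$1"; port="$2"; new_ip="$3"
    run iptables -t nat -A PREROUTING -p tcp -d "$orig_ip" --dport "$port" \
        -j DNAT --to-destination "$new_ip:$port"
}
```

Run with DRY_RUN=1 first (for example `DRY_RUN=1 sh -c '. ./redirect.sh; ensure_bridge_nf; redirect_port 192.168.2.1 80 192.168.2.2'`) to see exactly what would be applied.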
