Re: How do we arp for NAT? Secondary IPs, proxy arp? something else?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jesse Molina wrote:

Hello

I've googled all over and I don't really see an obvious answer to the question that I have.

Here is my situation: I have a GNU/Linux host performing very typical firewall duties; two interfaces, one with an Internet public IP and another interface on an RFC1918 net. Hosts on the RFC1918 net have iptables SNATs to public IPs and then I filter to allow some services in and others not, with stateful inspection in forwarding.

Normally, in order to get the multiple public IPs for these SNAT'ed hosts to respond to arp requests from the firewall, I simply add them as secondary IPs on the public interface of the firewall (eth0:1, eth0:2,...).

The problem with this is that the firewall itself runs some services and they have the potential to use these secondary IPs as their ephemeral source addresses when they reach out to something on the Internet! That's bad, as those IPs should be exclusively used by only the hosts for which they were designed for. Assume I have no control over the applications which bind to a local interface to use for their outbound session traffic.

Packets that originate on the firewall machine itself go through the
OUTPUT chain.  Forwarded packets from the RFC1918 net do not.  Block
the packets in the OUTPUT chain of the filter table.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux