On Sun, 24/05/2009 at 03:37 -0700, Jesse Molina writes:
> Hello
>
> I've googled all over and I don't really see an obvious answer to the
> question that I have.
>
> Here is my situation: I have a GNU/Linux host performing very typical
> firewall duties; two interfaces, one with an Internet public IP and
> another interface on an RFC1918 net. Hosts on the RFC1918 net have
> iptables SNATs to public IPs and then I filter to allow some services in
> and others not, with stateful inspection in forwarding.
>
> Normally, in order to get the multiple public IPs for these SNAT'ed
> hosts to respond to ARP requests from the firewall, I simply add them as
> secondary IPs on the public interface of the firewall (eth0:1, eth0:2, ...).
>
> The problem with this is that the firewall itself runs some services and
> they have the potential to use these secondary IPs as their ephemeral
> source addresses when they reach out to something on the Internet!
> That's bad, as those IPs should be used exclusively by the hosts
> for which they were designed. Assume I have no control over the
> applications which bind to a local interface to use for their outbound
> session traffic.

Did you try to explicitly SNAT locally generated traffic to the right address? It seems a solution for your task. You can do this for all or selectively by -m owner.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
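The setup the reply describes, written out as an added example (not code from either poster). It assumes eth0 is the public interface, that the firewall's own primary address is 203.0.113.10, and that two LAN hosts each map to a dedicated public address; all addresses are constructed (TEST-NET-3 and 192.168.1.0/24). By default the functions only print the `ip` and `iptables` commands they would run; set `IP=ip IPT=iptables` to apply them on a real firewall.

```sh
#!/bin/sh
# Added example: keep the firewall's own outbound connections off the
# secondary (SNAT) addresses by SNATing locally generated traffic.
# Assumptions (constructed): eth0 = public side, 203.0.113.10 = firewall's
# primary public address, per-host SNAT mapping below.
set -eu

WAN_IF=eth0
FW_PUBLIC=203.0.113.10

# Constructed mapping "LAN host:dedicated public address", one per line.
SNAT_MAP="192.168.1.11:203.0.113.11
192.168.1.12:203.0.113.12"

# Dry-run by default: print the commands. Override to apply for real.
IP="${IP:-echo ip}"
IPT="${IPT:-echo iptables}"

# Secondary addresses on the public interface so the firewall answers ARP
# for them (same effect as the eth0:1, eth0:2 aliases in the question).
secondary_addresses() {
    n=0
    echo "$SNAT_MAP" | while IFS=: read -r lan pub; do
        n=$((n + 1))
        $IP addr add "$pub/24" dev "$WAN_IF" label "$WAN_IF:$n"
    done
}

nat_rules() {
    # 1. Per-host SNAT rules first. The nat table is consulted only for the
    #    first packet of a connection and stops at the first matching SNAT,
    #    so LAN hosts (source 192.168.1.x at this point) never reach the
    #    catch-all below.
    echo "$SNAT_MAP" | while IFS=: read -r lan pub; do
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$lan" \
            -j SNAT --to-source "$pub"
    done

    # 2. Optional selective form from the reply: only connections opened by
    #    one local account (uid 1000 is a constructed example). The owner
    #    match is valid in OUTPUT and POSTROUTING for locally generated
    #    packets only, which is exactly the traffic we want to touch.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -m owner --uid-owner 1000 \
        -j SNAT --to-source "$FW_PUBLIC"

    # 3. Catch-all: any new outbound connection whose source address is one
    #    of the firewall's own addresses (addrtype LOCAL) gets the primary
    #    public address. Forwarded LAN traffic has a non-local source and
    #    is not affected; replies to inbound connections that arrived on a
    #    secondary address are handled by conntrack and keep that address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -m addrtype --src-type LOCAL \
        -j SNAT --to-source "$FW_PUBLIC"
}

# Stand-alone run: show what would be configured.
secondary_addresses
nat_rules
```

After applying, `iptables -t nat -L POSTROUTING -n -v` should list the per-host rules above the owner and addrtype rules; if the catch-all is appended first, LAN hosts whose packets already carry a local source (none in a normal setup) would be the only ones it could catch, but rule order is still worth checking whenever the script is re-run. A quick check from the firewall is to open a connection from a service bound to a secondary address and confirm with `conntrack -L` that the translated source is the primary address.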