Re: IP Forwarding: Att: Mike Burger

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 15 Sep 2004 menonrr@xxxxxxxxxxxx wrote:

> 
> Hello,
> 
> I did the 'ip addr' command. The result is as follows:
> 
> [root@localhost root]# ip addr
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:97:df:8a:82 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.4.2/24 brd 172.16.4.255 scope global eth0
> 
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:06:5b:b5:86:a9 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.3.10/24 brd 172.16.3.255 scope global eth1
> 
> 
> Issue:
> 
> Is there a way so that I can forward the packets from the 172.16.4.0 network without having its IP address changed to 172.16.3.10, which is the so called "external interfce" for me.
> 
> 
> Network set up: (Strictly private)
> 
> The redhat 9 gateway forwards traffic between two private networks. The network topology goes like this:
> 
> 172.16.8.0/24 ------------ router ----------- 172.16.3.0/24 ------- | Redaht 9 | ------- 172.16.4.0/24
> 
> This is a strictly private network setup for doing some tests.

You said you wanted the router/firewall to masquerade as the 172.16.3 
address, for systems on the 172.16.4 network.  You appear to have the 
correct POSTROUTING line.

The "ip addr add" line I gave does not replace the IP of the "external" 
interface.  It adds an additional, aliased IP to that interface.  If you 
use the "ip addr add" command that I gave you, then just run "ip addr" 
from the command line, you should see that the external interface now has 
two IP addresses attached to it, like so (on my own firewall):

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:20:af:6b:27:11 brd ff:ff:ff:ff:ff:ff
    inet 69.212.163.242/29 brd 69.212.163.247 scope global eth0
    inet 69.212.163.241/32 scope global eth0
    inet 69.212.163.243/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:67:70:7c:7e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.9/24 brd 192.168.0.255 scope global eth1

Note that my external interface, eth0 in my case, has 3 IPs.  The first IP 
includes the appropriate netmask, as assigned me by my ISP.  The 
additional IPs are single IPs, assigned to the interface.  The firewall 
will act on packets destined for those IPs, according to my firewall 
rules, and using POSTROUTING lines like the one you set up, masquerade 
outbound connections as one of those IPs.

The point is that if your firewall doesn't have the IP, in question, 
assigned to its external interface, it can't masquerade as that IP.  
Period.

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request@xxxxxxxxxxxxxxxxx

with a message of: 

subscribe


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux