Transparent Firewalling

andrew at andrew at
Sun Jan 13 19:23:04 EST 2002

On Sun, 13 Jan 2002, Howard Lowndes wrote:

> Simply, without any firewalling, etc. on a double homed box, eth0 and eth1
> echo 1 >/proc/sys/net/ipv4/ip_forward
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> iptables -A FORWARD -i eth0 -o eth1
> iptables -A FORWARD -i eth1 -o eth0

That will route and account, sure, but it isn't transparent.

> On Sun, 13 Jan 2002, Nathan Le Nevez wrote:
> > I need to be able to set this up without
> > changing the configuration of any other machines.

e.g.  You have a gateway of (which you can't reconfigure), and a
couple of hundred computers all using it as a gateway.

Transparent means you can unplug the ethernet cable from that gateway,
plug it into your linux box, and plug another cable from (another NIC in)
the linux box to the gateway, and not change any configuration anywhere.

Dunno how one would go about achieving something like this, but I'm
interested in finding out too.  You'd need the network side of the linux
box to have the same ip as the gateway (so you receive the packets bound
for the gateway) - dunno what ip you could give the other interface - and
somehow set routing up so that packets *addressed to you* get sent out the
other interface, to the old gateway.  Either that or set both cards to
promiscuous mode, and have a sniffer reading packets and copying them out
the other side.

The reason I'm interested in finding out how to set something like this up
is, like many people, I have a linux box doing NAT between my home network
and the rest of the world, and I'd like to be able to play with <horrible
nasty closed-source proprietary protocol that doesn't work through NAT>.
I reckon I should be able to do this by setting my desktop box up to use
my external IP address (so the right address gets encoded in this shitty
protocol), having my NAT box somehow accept packets from it and forward
them out to the big bad internet, and also have it forward all ports it's
not using itself (for other NATted connections or the ssh server) back to
the desktop box (without any natting).  Desktop box now looks like it's on
the net all by iteelf, except that other boces on the network can be
natted out and back too.

So, any ideas?


More information about the linux mailing list