Success (was Transparent Firewalling)
Nathan Le Nevez
npl at acis.com.au
Tue Jan 15 08:56:09 EST 2002
Guys,
Thanks for all your help. I did manage to get it working perfectly. For
those of you who wanted to know how to do it, here is my version:
I have a BSD Gauntlet firewall (which is our gateway machine) sitting on
10.2.1.1, with the LAN on 10.2.1.x (netmask of 255.255.255.0).
I built a new linux box with two ethernet cards, and connected eth0 to the
10.2.1.x network. I disconnected the gateway machine and ran a crossover
cable from it, into eth1 on our new box.
The next step was to do the Proxy ARP stuff:
echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward
I then have to trick the network into thinking it's directly connected to
the gateway, by spoofing the ARP request:
/sbin/arp -i eth0 -Ds 10.2.1.1 eth0 netmask 255.255.255.255 pub
This works in two directions, so I needed to trick the gateway machine
into thinking it's directly connected to the LAN:
/sbin/arp -i eth1 -Ds 10.2.1.2 eth1 netmask 255.255.255.255 pub
/sbin/arp -i eth1 -Ds 10.2.1.3 eth1 netmask 255.255.255.255 pub
/sbin/arp -i eth1 -Ds 10.2.1.4 eth1 netmask 255.255.255.255 pub
/sbin/arp -i eth1 -Ds 10.2.1.5 eth1 netmask 255.255.255.255 pub
...
(I needed to add one for each machine, because apparently you can't use a
proper netmask with ARP)
Now to get it all working, I needed to flush the ARP caches on all your
machines (this will happen automatically after a few minutes).
I can now ping 10.2.1.1 from any 10.2.1.x machine, and 10.2.1.1 can ping
any other machine.
I didn't need to add any firewalling rules, just some Accounting rules so I
can count bytes going in and out, so I added some IPTables rules like so:
iptables -N 10.2.1.8
iptables -A FORWARD -s 10.2.1.8 -d 0/0 -j 10.2.1.8
iptables -A FORWARD -s 0/0 -d 10.2.1.8 -j 10.2.1.8
iptables -A 10.2.1.8 -i eth0 -o eth1
iptables -A 10.2.1.8 -i eth1 -o eth0
To view the packet counters:
iptables -nL -v -x
Thanks to everyone who provided help!
Cheers,
Nathan
--
____________________________________________
Nathan Le Nevez (nathan.lenevez at acis.com.au)
Australian Corporate Information Solutions
(ACIS Pty Ltd)
Tel. (02) 6122 2102
Fax. (02) 6282 4328
Mob: 0413 411 136
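The procedure above (proxy ARP on both cards, one published ARP entry per LAN host, and a counting-only iptables chain per host) collected into one script, as an added example that is not from the original post. Interface names, the gateway address and the host list are assumptions taken from the post's own numbering; the DRY_RUN switch and the function names are my own, added so the generated commands can be reviewed before anything is applied as root.

```shell
#!/bin/sh
# Transparent proxy-ARP box with per-host byte accounting.
# Assumed layout (from the post): eth0 faces the 10.2.1.x LAN, eth1 is the
# crossover cable to the gateway at 10.2.1.1. Run as root with "apply";
# run with "plan" (or DRY_RUN=1) to only print the commands.

LAN_IF=${LAN_IF:-eth0}
GW_IF=${GW_IF:-eth1}
GATEWAY=${GATEWAY:-10.2.1.1}
# Constructed host list; as in the post, one pub entry is needed per host
# because arp will not publish a whole netmask range.
LAN_HOSTS=${LAN_HOSTS:-"10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5"}

# run CMD...: execute, or print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# set_knob PATH VALUE: write a /proc/sys knob (printed in dry-run mode).
set_knob() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'echo %s > %s\n' "$2" "$1"
    else
        echo "$2" > "$1"
    fi
}

# Step 1: let the kernel answer ARP on behalf of the far side and forward.
enable_forwarding() {
    set_knob /proc/sys/net/ipv4/conf/all/proxy_arp 1
    set_knob /proc/sys/net/ipv4/ip_forward 1
}

# Step 2: publish the gateway's IP on the LAN side (with eth0's MAC) and
# every LAN host's IP on the gateway side (with eth1's MAC).
publish_arp() {
    run arp -i "$LAN_IF" -Ds "$GATEWAY" "$LAN_IF" netmask 255.255.255.255 pub
    for h in $LAN_HOSTS; do
        run arp -i "$GW_IF" -Ds "$h" "$GW_IF" netmask 255.255.255.255 pub
    done
}

# Step 3: one user chain per host. The rules inside have no -j target, so
# they only count packets and bytes; traffic still returns to FORWARD.
accounting_rules() {
    for h in $LAN_HOSTS; do
        run iptables -N "$h"
        run iptables -A FORWARD -s "$h" -j "$h"
        run iptables -A FORWARD -d "$h" -j "$h"
        run iptables -A "$h" -i "$LAN_IF" -o "$GW_IF"   # LAN -> gateway
        run iptables -A "$h" -i "$GW_IF" -o "$LAN_IF"   # gateway -> LAN
    done
}

# Step 4: read the counters back (exact byte counts, numeric addresses).
show_counters() {
    run iptables -nL -v -x
}

plan() {
    enable_forwarding
    publish_arp
    accounting_rules
}

# plan_lines: the full command list in dry-run mode, one command per line
# (subshell so DRY_RUN does not leak into the caller).
plan_lines() (
    DRY_RUN=1
    plan
)

case "${1:-}" in
    apply) plan; show_counters ;;
    plan)  plan_lines ;;
esac
```

Running `sh script.sh plan` prints the two /proc writes, five arp pub lines and the twenty accounting rules so they can be checked against the post before `sh script.sh apply` is run on the box; the ARP caches on the LAN machines and the gateway still need to time out (or be flushed) before the new path is used.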