Success (was Transparent Firewalling)

Nathan Le Nevez npl at
Tue Jan 15 08:56:09 EST 2002


Thanks for all your help. I did manage to get it working perfectly. For 
those of you who wanted to know how to do it, here is my version:

I have a BSD Gauntlet firewall (which is our gateway machine) sitting on, with the LAN on 10.2.1.x (netmask of 

I built a new Linux box with two ethernet cards, and connected eth0 to the 
10.2.1.x network. I disconnected the gateway machine and ran a crossover 
cable from it into eth1 on our new box.

The next step was to do the Proxy ARP stuff:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

I then have to trick the network into thinking it's directly connected to 
the gateway, by spoofing the ARP request:

/sbin/arp -i eth0 -Ds eth0 netmask pub

This works in two directions, so I needed to trick the gateway machine 
into thinking it's directly connected to the LAN:

/sbin/arp -i eth1 -Ds eth1 netmask pub
/sbin/arp -i eth1 -Ds eth1 netmask pub
/sbin/arp -i eth1 -Ds eth1 netmask pub
/sbin/arp -i eth1 -Ds eth1 netmask pub

(I needed to add one for each machine, because apparently you can't use a 
proper netmask with ARP)

Now to get it all working, I needed to flush the ARP caches on all your 
machines (this will happen automatically after a few minutes).

I can now ping from any 10.2.1.x machine, and can ping 
any other machine. 

I didn't need to add any firewalling rules, just some Accounting rules so I 
can count bytes going in and out, so I added some iptables rules like so:

iptables -N
iptables -A FORWARD -s -d 0/0 -j
iptables -A FORWARD -s 0/0 -d -j
iptables -A -i eth0 -o eth1
iptables -A -i eth1 -o eth0

To view the packet counters:

iptables -nL -v -x

Thanks to everyone who provided help!




Nathan Le Nevez (nathan.lenevez at
Australian Corporate Information Solutions
(ACIS Pty Ltd)
Tel. (02) 6122 2102
Fax. (02) 6282 4328
Mob: 0413 411 136
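
As an added example (not from Nathan's post), here is a small Python parser for the `iptables -nL -v -x` output described above, summing the byte counters of the accounting chain per direction. The chain name ACCT, the LAN/gateway interface roles (eth0/eth1) and the sample counter output are assumptions.

```python
import re
# Constructed sample of `iptables -nL -v -x` output (not from the post); the
# accounting chain name ACCT and the counter values are assumptions.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4521   3210987 ACCT       all  --  *      *       10.2.1.0/24          0.0.0.0/0
    3987   5120044 ACCT       all  --  *      *       0.0.0.0/0            10.2.1.0/24

Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    4521   3210987            all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    3987   5120044            all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
"""

PROTOS = {"all", "tcp", "udp", "icmp", "esp", "ah", "sctp", "udplite"}

def parse_counters(text):
    """Parse `iptables -nL -v -x` output into a list of per-rule dicts."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        if len(f) < 8 or not f[0].isdigit():
            continue  # column header or blank line
        # Rules added without -j (the accounting rules) print an empty target column, so key off the protocol column.
        if f[2] in PROTOS or f[2].isdigit():
            target, rest = "", f[2:]
        else:
            target, rest = f[2], f[3:]
        rules.append({"chain": chain, "pkts": int(f[0]), "bytes": int(f[1]),
                      "target": target, "prot": rest[0], "in": rest[2],
                      "out": rest[3], "src": rest[4], "dst": rest[5]})
    return rules

def traffic_by_direction(rules, chain, lan_if, wan_if):
    """Sum bytes in the accounting chain: (LAN->gateway, gateway->LAN)."""
    outbound = inbound = 0
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["in"] == lan_if and r["out"] == wan_if:
            outbound += r["bytes"]
        elif r["in"] == wan_if and r["out"] == lan_if:
            inbound += r["bytes"]
    return outbound, inbound
```

On a real box, feed it `subprocess.check_output(["iptables", "-nL", "-v", "-x"], text=True)` instead of SAMPLE.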
