[clug] iptables and proxyarp

Daniel Pittman daniel at rimspace.net
Mon Nov 17 06:27:22 GMT 2008


jm <jeffm at ghostgun.com> writes:

> The last time I played with proxyarp it was with ppp a number of years
> ago. Now, I'm looking at it to get me around a problem with
> firewalling. The problem is that the firewall, a linux box, was added
> after some routing decisions were made and key servers were added, not
> all of which are under my control. This has me thinking that if the
> firewall can be convinced to do proxyarp and pretend to be the servers
> and forward the packets onto the server that I can place the servers
> behind the protection of the firewall without having to introduce
> twisted routing. Has anyone done this or know if this is feasible?

Yes, and yes, although it is strongly preferable to use normal routing
rather than proxy ARP if you can possibly avoid it.

The Linux Advanced Routing and Traffic Control HOWTO should cover any
questions you have about getting it working.


For what it is worth, though, I strongly advocate that you negotiate
with the folks responsible for the boxes, regardless of which path you
take.

Any other path, in my experience, will lead to the owners of the systems
being both surprised and unhappy about the change.  I would, for
example, certainly not be happy if it was a system I was responsible for
that suddenly grew a firewall...

Regards,
        Daniel
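
The setup discussed in this thread, sketched as an added example that is not part of either poster's message: a dry-run helper that prints the proxy ARP, host-route and iptables commands for a Linux firewall placed in front of servers that keep their existing addresses. The interface names, addresses, port and forwarding policy are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Interface names, addresses and the port are constructed
# sample values; the firewall is assumed to hold its own address on OUTSIDE_IF.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (not run) the commands that move each server behind the firewall.
# usage: proxyarp_plan OUTSIDE_IF INSIDE_IF TCP_PORT SERVER_IP...
proxyarp_plan() {
    [ "$#" -ge 4 ] || { echo "usage: proxyarp_plan OUT IN PORT IP..." >&2; return 2; }
    out_if=$1; in_if=$2; port=$3; shift 3
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Servers still ARP for their old on-link gateway; answer on the inside.
    echo "sysctl -w net.ipv4.conf.$in_if.proxy_arp=1"
    # Default-deny forwarding, then allow replies to permitted flows.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        # Host route sends the server's traffic to the inside segment...
        echo "ip route add $ip/32 dev $in_if"
        # ...and the firewall answers ARP for that one address outside.
        echo "ip neigh add proxy $ip dev $out_if"
        echo "iptables -A FORWARD -i $out_if -o $in_if -d $ip -p tcp --dport $port -j ACCEPT"
    done
    # Sample policy: servers may open outbound connections.
    echo "iptables -A FORWARD -i $in_if -o $out_if -j ACCEPT"
}

# Dry run with constructed values (192.0.2.0/24 is documentation space).
proxyarp_plan eth0 eth1 443 192.0.2.10 192.0.2.11
```

Review the printed plan before piping it to `sh` as root; per-address `ip neigh add proxy` entries keep the firewall from answering ARP for anything other than the listed servers on the outside segment.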


