Use internal IP as srcaddr for packets on outside interface

Christopher Hicks chicks at chicks.net
Thu Jan 29 16:45:44 UTC 2004


I have a Red Hat Fedora Core 1 based firewall doing some iptables
filtering and ntop between our public network and a few T1 and DSL
routers.  I've been quite happy with this setup through various Red Hat
revisions.  We just brought up a T1 with a new provider (Cavalier) that
I've made the default route.  This provider doesn't want to give us any
IPs because we have a historic class C block - 205.166.143/24.  My
current IP assignments look like:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:40 brd ff:ff:ff:ff:ff:ff
    inet 216.36.104.3/29 brd 216.36.104.7 scope global eth0
    inet 10.9.8.1/24 brd 10.9.8.255 scope global eth0:4
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:41 brd ff:ff:ff:ff:ff:ff
    inet 205.166.143.254/24 brd 205.166.143.255 scope global eth1

The 10.9.8 block is what I'm using to let the routers talk to each other.

When switching the default route over to the T1, all of my firewall's
outgoing packets get a source address of 216.36.104.3 which the T1 doesn't
recognize because it's an IP from a different provider.  Since the
firewall doesn't need to connect out anywhere this isn't show-stopping,
but it'd be much better if it could connect out.

Red Hat's documentation says you can define a SRCADDR= in the interface
config to force the source address on packets to be something different,
but when I tried SRCADDR=205.166.143.254 it spewed errors.

Any suggestions?

-- 
</chris>

No, no, you're not thinking, you're just being logical.
-Niels Bohr, physicist (1885-1962)
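An added example, not from the post or any reply to it: a POSIX shell check that reads address and route output in the form the post quotes, reports which source address the current default route stamps on outgoing packets, confirms the desired address is configured locally (the kernel rejects a route `src` that is not a local address), and builds the iproute2 command that pins it. The T1 gateway address is a placeholder, since the post does not give it.

```shell
#!/bin/sh
# Added example (not the poster's code): find the source address a default
# route will use, verify the wanted address is local, build the fix command.

# Constructed sample: the interface dump quoted in the post.
IP_ADDR_OUT='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:40 brd ff:ff:ff:ff:ff:ff
    inet 216.36.104.3/29 brd 216.36.104.7 scope global eth0
    inet 10.9.8.1/24 brd 10.9.8.255 scope global eth0:4
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:41 brd ff:ff:ff:ff:ff:ff
    inet 205.166.143.254/24 brd 205.166.143.255 scope global eth1'

# Constructed sample of `ip route get <dst>` output: the kernel reports the
# preferred source it would use for that destination after the word "src".
ROUTE_GET_OUT='8.8.8.8 via 216.36.104.1 dev eth0  src 216.36.104.3'

# Print the "src" field from `ip route get` output read on stdin.
route_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Succeed if $1 is an IPv4 address configured on any local interface
# (`ip addr` output on stdin). Check this before changing the route, since
# a non-local "src" is refused by the kernel.
has_local_addr() {
    awk -v want="$1" '$1 == "inet" { split($2, a, "/"); if (a[1] == want) found = 1 }
                      END { if (found) exit 0; exit 1 }'
}

# Build the iproute2 command that keeps the default route on $2 via $1 but
# stamps outgoing packets with $3 instead of the interface's primary address.
default_route_cmd() {
    printf 'ip route replace default via %s dev %s src %s\n' "$1" "$2" "$3"
}

# Which source does the current default route use? (216.36.104.3 here)
printf '%s\n' "$ROUTE_GET_OUT" | route_src

WANT_SRC=205.166.143.254
T1_GW=T1_GATEWAY_PLACEHOLDER   # placeholder: the post does not give the gateway
if printf '%s\n' "$IP_ADDR_OUT" | has_local_addr "$WANT_SRC"; then
    default_route_cmd "$T1_GW" eth0 "$WANT_SRC"
fi
```

Running `ip route get 8.8.8.8` before and after applying the built command shows whether the `src` field has moved to the provider-routable address.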
