IP Forwarding: Att: Mike Burger
Mike Burger
mburger at bubbanfriends.org
Wed Sep 15 18:14:23 UTC 2004
On Wed, 15 Sep 2004 menonrr at adelphia.net wrote:
>
> Hello,
>
> I did the 'ip addr' command. The result is as follows:
>
> [root at localhost root]# ip addr
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:60:97:df:8a:82 brd ff:ff:ff:ff:ff:ff
> inet 172.16.4.2/24 brd 172.16.4.255 scope global eth0
>
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether 00:06:5b:b5:86:a9 brd ff:ff:ff:ff:ff:ff
> inet 172.16.3.10/24 brd 172.16.3.255 scope global eth1
>
>
> Issue:
>
> Is there a way so that I can forward the packets from the 172.16.4.0 network without having its IP address changed to 172.16.3.10, which is the so-called "external interface" for me.
>
>
> Network set up: (Strictly private)
>
> The redhat 9 gateway forwards traffic between two private networks. The network topology goes like this:
>
> 172.16.8.0/24 ------------ router ----------- 172.16.3.0/24 ------- | Redhat 9 | ------- 172.16.4.0/24
>
> This is a strictly private network setup for doing some tests.
You said you wanted the router/firewall to masquerade as the 172.16.3
address, for systems on the 172.16.4 network. You appear to have the
correct POSTROUTING line.
The "ip addr add" line I gave does not replace the IP of the "external"
interface. It adds an additional, aliased IP to that interface. If you
use the "ip addr add" command that I gave you, then just run "ip addr"
from the command line, you should see that the external interface now has
two IP addresses attached to it, like so (on my own firewall):
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:20:af:6b:27:11 brd ff:ff:ff:ff:ff:ff
inet 69.212.163.242/29 brd 69.212.163.247 scope global eth0
inet 69.212.163.241/32 scope global eth0
inet 69.212.163.243/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:60:67:70:7c:7e brd ff:ff:ff:ff:ff:ff
inet 192.168.0.9/24 brd 192.168.0.255 scope global eth1
Note that my external interface, eth0 in my case, has 3 IPs. The first IP
includes the appropriate netmask, as assigned me by my ISP. The
additional IPs are single IPs, assigned to the interface. The firewall
will act on packets destined for those IPs, according to my firewall
rules, and using POSTROUTING lines like the one you set up, masquerade
outbound connections as one of those IPs.
The point is that if your firewall doesn't have the IP in question
assigned to its external interface, it can't masquerade as that IP.
Period.
--
Mike Burger
http://www.bubbanfriends.org
Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org
To be notified of updates to the web site, visit
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a
message to:
site-update-request at bubbanfriends.org
with a message of:
subscribe
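As an added check (not code from the thread), here is a Python script that parses `ip addr` output, reports whether the address you want to SNAT as is actually assigned to the outbound interface, and builds the `ip addr add` alias plus the POSTROUTING rule; the exact rule shape is my assumption, since the original POSTROUTING line is not quoted above. The sample listing is the one from the reply, embedded as constructed input.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample input: the `ip addr` listing quoted in the reply above,
# embedded so the check runs offline (not captured from a live host).
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:20:af:6b:27:11 brd ff:ff:ff:ff:ff:ff
    inet 69.212.163.242/29 brd 69.212.163.247 scope global eth0
    inet 69.212.163.241/32 scope global eth0
    inet 69.212.163.243/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:67:70:7c:7e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.9/24 brd 192.168.0.255 scope global eth1
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")          # "2: eth0: <...>"
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")  # "inet a.b.c.d/nn"


def parse_ip_addr(text):
    """Map interface name -> list of IPv4Interface objects from `ip addr` output."""
    addrs, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            addrs.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(ip_interface(m.group(1)))
    return addrs


def snat_plan(ip_addr_output, out_iface, snat_ip, src_net):
    """Return (holds_ip, commands): holds_ip says whether out_iface already
    carries snat_ip (the precondition the reply states); commands adds the
    /32 alias only when it is missing, then the SNAT rule (assumed shape)."""
    want = ip_address(snat_ip)
    held = {a.ip for a in parse_ip_addr(ip_addr_output).get(out_iface, [])}
    commands = []
    if want not in held:
        commands.append(f"ip addr add {want}/32 dev {out_iface}")
    commands.append(f"iptables -t nat -A POSTROUTING -s {src_net} "
                    f"-o {out_iface} -j SNAT --to-source {want}")
    return want in held, commands
```

Run the real `ip addr` output through `snat_plan` before adding the rule: if it reports the address as missing, the SNAT target would point at an IP the box does not answer for.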