IP Forwarding: Att: Mike Burger

Mike Burger mburger at bubbanfriends.org
Wed Sep 15 18:14:23 UTC 2004


On Wed, 15 Sep 2004 menonrr at adelphia.net wrote:

> 
> Hello,
> 
> I did the 'ip addr' command. The result is as follows:
> 
> [root at localhost root]# ip addr
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:97:df:8a:82 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.4.2/24 brd 172.16.4.255 scope global eth0
> 
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:06:5b:b5:86:a9 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.3.10/24 brd 172.16.3.255 scope global eth1
> 
> 
> Issue:
> 
> Is there a way so that I can forward the packets from the 172.16.4.0 network without having its IP address changed to 172.16.3.10, which is the so-called "external interface" for me.
> 
> 
> Network set up: (Strictly private)
> 
> The redhat 9 gateway forwards traffic between two private networks. The network topology goes like this:
> 
> 172.16.8.0/24 ------------ router ----------- 172.16.3.0/24 ------- | Redhat 9 | ------- 172.16.4.0/24
> 
> This is a strictly private network setup for doing some tests.

You said you wanted the router/firewall to masquerade as the 172.16.3 
address, for systems on the 172.16.4 network.  You appear to have the 
correct POSTROUTING line.

The "ip addr add" line I gave does not replace the IP of the "external" 
interface.  It adds an additional, aliased IP to that interface.  If you 
use the "ip addr add" command that I gave you, then just run "ip addr" 
from the command line, you should see that the external interface now has 
two IP addresses attached to it, like so (on my own firewall):

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:20:af:6b:27:11 brd ff:ff:ff:ff:ff:ff
    inet 69.212.163.242/29 brd 69.212.163.247 scope global eth0
    inet 69.212.163.241/32 scope global eth0
    inet 69.212.163.243/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:67:70:7c:7e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.9/24 brd 192.168.0.255 scope global eth1

Note that my external interface, eth0 in my case, has 3 IPs.  The first IP 
includes the appropriate netmask, as assigned me by my ISP.  The 
additional IPs are single IPs, assigned to the interface.  The firewall 
will act on packets destined for those IPs, according to my firewall 
rules, and using POSTROUTING lines like the one you set up, masquerade 
outbound connections as one of those IPs.

The point is that if your firewall doesn't have the IP in question 
assigned to its external interface, it can't masquerade as that IP.  
Period.

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request at bubbanfriends.org

with a message of: 

subscribe
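As an added illustration of the point made in the reply above (not code from the thread or from either poster): a small Python check that parses `ip addr` output, lists which addresses each interface actually holds, and only emits a POSTROUTING SNAT rule when the requested `--to-source` address is assigned to the outbound interface. The sample output is copied from Mike's firewall listing above; the function names and the `snat_rule` helper are my own.

```python
import re
from typing import Dict, List, Optional

# Sample "ip addr" output, copied from the reply above (Mike's own firewall).
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:20:af:6b:27:11 brd ff:ff:ff:ff:ff:ff
    inet 69.212.163.242/29 brd 69.212.163.247 scope global eth0
    inet 69.212.163.241/32 scope global eth0
    inet 69.212.163.243/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:60:67:70:7c:7e brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.9/24 brd 192.168.0.255 scope global eth1
"""

# "N: name: <FLAGS> ..." starts an interface block; "    inet A.B.C.D/len ..." is an IPv4 address.
IFACE_RE = re.compile(r"^(\d+): ([^:]+): <")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)/(\d+)")


def parse_ip_addr(text: str) -> Dict[str, List[str]]:
    """Map interface name -> IPv4 addresses (CIDR) listed under it in 'ip addr' output."""
    addrs: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(2)
            addrs.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addrs[current].append(f"{m.group(1)}/{m.group(2)}")
    return addrs


def can_snat_to(addrs: Dict[str, List[str]], iface: str, source_ip: str) -> bool:
    """True only if source_ip (primary or aliased) is assigned to iface."""
    return any(a.split("/")[0] == source_ip for a in addrs.get(iface, []))


def snat_rule(addrs: Dict[str, List[str]], iface: str, lan_cidr: str, source_ip: str) -> Optional[str]:
    """Return the POSTROUTING SNAT rule, or None if iface does not hold source_ip.

    A None result means 'ip addr add <source_ip>/32 dev <iface>' is needed first."""
    if not can_snat_to(addrs, iface, source_ip):
        return None
    return (f"iptables -t nat -A POSTROUTING -s {lan_cidr} -o {iface} "
            f"-j SNAT --to-source {source_ip}")
```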





More information about the redhat-list mailing list