From: "Chris Bennett"
Date: Sun, 31 Oct 2004 17:32:43 +0000
Subject: Re: [LARTC] Howto route through
Message-Id: <000701c4bf6f$a1010450$050ea8c0@DELTA>
In-Reply-To: <41850B0D.9000409@draxinusom.ch>
To: lartc@vger.kernel.org

What I do is have the linux box claim all of the public IPs as its own, and then use iptables to DNAT/SNAT to/from private IPs as needed. You can dedicate a public IP to a specific private IP, so the computer on your network with that private IP appears to all of the world as if it actually has the public IP. This has the added advantage that if your public IPs change for some reason, you just need to update iptables and the computers on your network will only need slight (if any) tweaking.

In this setup, all of your public IPs are on one ethernet port, and all of your private IPs are on the other. If you desire, you can give one of the public IPs to the linux box itself (though for security reasons, I personally do not do this... in fact, the only traffic I let the linux box pass to the internet is forwarded packets... nothing originating from itself).

This may be what you had in mind when you considered the option of a transparent bridge...

----- Original Message -----
From: "Rene Gallati"
To:
Sent: Sunday, October 31, 2004 9:55 AM
Subject: [LARTC] Howto route through

> Hello list,
>
> I'm having a little trouble imagining a setup I'll soon have.
>
> I am in the process of getting a routed /28 to my home LAN. What I want to do is to put a linux box in front of the LAN to filter some of the unneeded and potentially dangerous ports. Now the box has 2 NICs, one for the inside, one for the outside.
>
> How should I go on to set up those NICs when
> a) the PCs in the net should have their official IP address from the /28 net
> and
> b) the filtering linux box should at the same time have one IP address from the same range for some services it provides
>
> The dilemma I see (maybe it is none, but I just don't know): if I put it this way, I have the IP of the /28 range on one NIC and nothing to put on the other?
>
> Example: Range is 1.2.3.0/28 (1.2.3.0 - 1.2.3.15)
>
> eth0: 1.2.3.1 eth1: ???
> ---- Internet ------- FW Box ------ LAN (1.2.3.0/28)
>
> The FW box should be reachable by both the hosts in the LAN as well as from the internet using the assigned IP. Don't I run into trouble having an IP on one NIC which belongs to a net that is located on the side of another NIC?
>
> I know that the most specific entry (full IP) overrides or wins over the less specific ones (the net), but does this setup work so that the LAN clients can access the FW box just like every other host on the internet? How do I configure eth1? Just bring it up without any IP at all?
>
> Or should I better make the FW box a transparent bridge for the filtering, with one IP on which it reacts itself?
>
> Thanks for all hints
>
> CU
>
> René

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
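The setup Chris describes above (the firewall claims the public IPs, maps each one 1:1 onto a private host with DNAT/SNAT, and passes only forwarded packets, nothing of its own), as an added example that is not code from the thread. The public range 1.2.3.0/28 is Rene's; the interface names, the private LAN 192.168.0.0/24 and the two mapped hosts are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the firewall claims each public IP and
# maps it 1:1 onto a private host with DNAT/SNAT; only forwarded traffic is
# allowed, nothing originates from the box itself (Chris's setup).
# Constructed assumptions: eth0 outside, eth1 inside, private LAN
# 192.168.0.0/24; the public range 1.2.3.0/28 is Rene's example.
set -eu

OUTSIDE=eth0
INSIDE=eth1
PRIV_NET=192.168.0.0/24
# Dry run by default: the commands are printed, not executed. Run as root
# with IPT=iptables IP=ip to apply them.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

# map_host PUBLIC_IP PRIVATE_IP [TCP_PORTS]
# Claim PUBLIC_IP on the outside NIC, DNAT inbound traffic for it to
# PRIVATE_IP (only the listed TCP ports if a list is given), and SNAT the
# private host's outbound traffic so the world sees PUBLIC_IP.
map_host() {
    pub=$1; priv=$2; ports=${3:-}
    $IP addr add "$pub/32" dev "$OUTSIDE"
    if [ -n "$ports" ]; then
        # Unlisted ports are never translated or forwarded to the host.
        $IPT -t nat -A PREROUTING -i "$OUTSIDE" -d "$pub" -p tcp \
            -m multiport --dports "$ports" -j DNAT --to-destination "$priv"
        $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$priv" -p tcp \
            -m multiport --dports "$ports" -j ACCEPT
    else
        $IPT -t nat -A PREROUTING -i "$OUTSIDE" -d "$pub" -j DNAT --to-destination "$priv"
        $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$priv" -j ACCEPT
    fi
    $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -s "$priv" -j SNAT --to-source "$pub"
}

# Default-deny everywhere; the box accepts nothing and sends nothing of its
# own, it only forwards LAN-originated flows and the replies to them.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$PRIV_NET" -j ACCEPT
}

base_policy
map_host 1.2.3.2 192.168.0.2 80,443   # web server: only HTTP/HTTPS exposed
map_host 1.2.3.3 192.168.0.3          # host that is fully reachable
```

If the public range ever changes, only the map_host calls need editing; the private hosts keep their addresses, which is the advantage Chris points out.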