From: Peter Johnson <peter@thejohnsons.com.au>
To: Netfilter E-Mail List <netfilter@lists.netfilter.org>
Subject: Re: Strange setup
Date: 21 Jan 2003 07:42:00 +1100
Message-ID: <1043095321.24583.78.camel@wizardslair>
In-Reply-To: <1043049030.24581.76.camel@wizardslair>

Oops ... before too many people comment, the IPs should have been 0-15
and 16-31.


On Mon, 2003-01-20 at 18:50, Peter Johnson wrote:
> Ok, gotcha now...
> 
> Still do 
> ip rule add from $WAN_IP table $WAN_TABLE
> ip rule add from $WLAN_IP table $WLAN_TABLE
> and 
> ip route add default via $WAN_PEER_IP dev $WAN_IF table $WAN_TABLE
> ip route add default via $WLAN_PEER_IP dev $WLAN_IF table $WLAN_TABLE
> 
> Add iptables rules approximately as follows:
> 
> $IPTABLES -t nat -A PREROUTING -i $WAN_IF -j DNAT --to-destination $DMZ_IP_0-16
> $IPTABLES -t nat -A PREROUTING -i $WLAN_IF -j DNAT --to-destination $DMZ_IP_17-32
> 
> $IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
> $IPTABLES -t nat -A POSTROUTING -o $WLAN_IF -j SNAT --to-source $WLAN_IP
> 
> $IPTABLES -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i $WLAN_IF -o $DMZ_IF -j ACCEPT
> 
> That takes care of the initial connection, i.e. SYN packets. The iptables
> nat table is only used on the initial packet of each connection.
> 
> For the actual routing, the only thing that I can think of is assigning
> two IPs (aliases) to each server in the DMZ, say .0-16 for WAN and .17-32
> for WLAN, then using
> 
> $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_0-16 -j MARK --set-mark 1
> and
> $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_17-32 -j MARK --set-mark 2
> 
> then add
> 
> ip rule add fwmark 1 table $WAN_TABLE
> and
> ip rule add fwmark 2 table $WLAN_TABLE
> 
> 
> Sorry but that is all I can come up with at the moment.
> 
> PJ
> 
> -- 
> 
> Quitters never win, and winners never quit, but those who never quit AND
> never win are idiots.
> 
> 
> 
> 
-- 

The truth is out there? Does anyone know the URL?

Homepage: http://www.wizardslair.net
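The quoted sketch, written out as a complete script, as an added example that is not part of this thread or of the netfilter project. Every interface name, address, table number and the DMZ server's two aliases are constructed placeholders (RFC 5737 documentation ranges); the `iptables` option syntax (`--to-destination`, `--to-source`, `--set-mark`) is what the real tool expects. It also carries the author's own correction: `ranges_ok` refuses alias blocks that are not two adjacent, equal halves of the 32-address DMZ, so 0-16/17-32 is rejected and 0-15/16-31 accepted. The FORWARD rules go slightly beyond the sketch by admitting only new connections from the uplinks plus established traffic.

```shell
#!/bin/sh
# Added example, not from the thread: a dry-run-capable script that builds the
# two-uplink DMZ setup sketched in the quoted message, with full iptables
# option syntax. Every address, interface name and table number below is a
# constructed placeholder; adjust them to your network.
WAN_IF=eth0   WAN_IP=203.0.113.10   WAN_PEER_IP=203.0.113.1   WAN_TABLE=100
WLAN_IF=eth1  WLAN_IP=198.51.100.10 WLAN_PEER_IP=198.51.100.1 WLAN_TABLE=200
DMZ_IF=eth2
DMZ_PREFIX=192.0.2            # DMZ is 192.0.2.0/27: .0-.15 WAN side, .16-.31 WLAN side
WAN_LO=0;   WAN_HI=15         # aliases reached through the WAN uplink
WLAN_LO=16; WLAN_HI=31        # aliases reached through the WLAN uplink
SRV_WAN_ALIAS=$DMZ_PREFIX.1   # one DMZ server: its WAN-side alias ...
SRV_WLAN_ALIAS=$DMZ_PREFIX.17 # ... and its WLAN-side alias
IPTABLES=iptables
DRY_RUN=${DRY_RUN:-0}

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeed only when the two alias blocks are adjacent, equal in size and fit
# inside the 32-address DMZ (the thread's correction: 0-15 and 16-31).
ranges_ok() {
    lo1=$1 hi1=$2 lo2=$3 hi2=$4
    [ "$lo2" -eq $((hi1 + 1)) ] &&
    [ $((hi1 - lo1)) -eq $((hi2 - lo2)) ] &&
    [ "$lo1" -ge 0 ] && [ "$hi2" -le 31 ]
}

policy_routing() {
    # Locally generated traffic leaves via the uplink whose address it carries.
    run ip rule add from "$WAN_IP"  table "$WAN_TABLE"
    run ip rule add from "$WLAN_IP" table "$WLAN_TABLE"
    run ip route add default via "$WAN_PEER_IP"  dev "$WAN_IF"  table "$WAN_TABLE"
    run ip route add default via "$WLAN_PEER_IP" dev "$WLAN_IF" table "$WLAN_TABLE"
    # Forwarded traffic: the mark set in mangle PREROUTING selects the table.
    run ip rule add fwmark 1 table "$WAN_TABLE"
    run ip rule add fwmark 2 table "$WLAN_TABLE"
}

nat_rules() {
    # Inbound: each uplink's public address maps to the server's alias on that side.
    run $IPTABLES -t nat -A PREROUTING -i "$WAN_IF"  -d "$WAN_IP"  -j DNAT --to-destination "$SRV_WAN_ALIAS"
    run $IPTABLES -t nat -A PREROUTING -i "$WLAN_IF" -d "$WLAN_IP" -j DNAT --to-destination "$SRV_WLAN_ALIAS"
    # Outbound: source-NAT to the address of the uplink the packet leaves on.
    run $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF"  -j SNAT --to-source "$WAN_IP"
    run $IPTABLES -t nat -A POSTROUTING -o "$WLAN_IF" -j SNAT --to-source "$WLAN_IP"
}

mark_rules() {
    # Packets from a WAN-side alias get mark 1, from a WLAN-side alias mark 2,
    # so replies and server-initiated traffic use the uplink matching the alias.
    run $IPTABLES -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_PREFIX.$WAN_LO/28"  -j MARK --set-mark 1
    run $IPTABLES -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_PREFIX.$WLAN_LO/28" -j MARK --set-mark 2
}

filter_rules() {
    # Established traffic both ways; new connections only from the uplinks into the DMZ.
    run $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A FORWARD -i "$WAN_IF"  -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
    run $IPTABLES -A FORWARD -i "$WLAN_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
}

all_rules() {
    ranges_ok "$WAN_LO" "$WAN_HI" "$WLAN_LO" "$WLAN_HI" ||
        { echo "alias ranges overlap or exceed the DMZ" >&2; return 1; }
    policy_routing; nat_rules; mark_rules; filter_rules
}

# Apply only when explicitly asked:  DRY_RUN=1 sh dual-uplink.sh apply
if [ "${1:-}" = apply ]; then all_rules; fi
```

Run with `DRY_RUN=1 sh dual-uplink.sh apply` to review the generated commands before applying them as root. The mark rules match on `-i "$DMZ_IF"` so that only packets actually arriving from the DMZ get marked, and the `-d` match on the DNAT rules keeps the translation from catching traffic addressed to the firewall's own services.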



Thread overview: 11+ messages
2003-01-19 21:35 Strange setup Evan Borgstrom
2003-01-19 22:00 ` Evan Borgstrom
2003-01-19 22:31 ` Peter Johnson
2003-01-20  0:45   ` Evan Borgstrom
2003-01-20  7:24     ` Peter Johnson
2003-01-20  7:50     ` Peter Johnson
2003-01-20 14:49       ` Evan Borgstrom
2003-01-20 15:01         ` ip_conntrack: table full, dropping packet hare ram
2003-01-20 15:13           ` Maciej Soltysiak
2003-01-24  2:50         ` Strange setup Evan Borgstrom
2003-01-20 20:42       ` Peter Johnson [this message]