From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: Wim Ceulemans <wim.ceulemans@able.be>,
Netfilter Mailing List <netfilter@lists.netfilter.org>,
pieter@able.be
Subject: Re: Routing decision?
Date: 15 Sep 2003 15:46:32 +0200
Message-ID: <1063633591.31093.99.camel@raylinux.internal>
In-Reply-To: <1063632718.932.71.camel@elendil.intranet.cartel-securite.net>
On Mon, 2003-09-15 at 15:31, Cedric Blancher wrote:
> On Mon 15/09/2003 at 15:09, Ray Leach wrote:
> > I think that the aliases on the interface have something to do with it.
>
> Nope.
> When you DNAT an IP address that does not belong to your DNATing box,
> there won't be anybody to answer prior router ARP requests on it, unless
> you either set an alias up or tell this router that the IP has to get
> routed through the DNATing box.
>
> > I have had to add input and output rules in some situations to get DNAT
> > to work the way it is supposed to (redirect to a different destination).
> > It is strange.
>
> Yes it is. I can get DNAT working without specifying any INPUT or OUTPUT
> chain. Can you illustrate a situation for which you have to specify
> INPUT and OUTPUT rules ?
Sure.
My firewall machine currently has 5 NICs, each with their own ip (one
has a public ip - eth0)
eth0 has the public ip. It also has 10 alias ips.
eth1 has a private ip of 192.168.1.1.
eth1 network is my dmz with all the web servers from 192.168.1.165 to
192.168.1.173.
If I want to DNAT incoming traffic destined to one of the aliases bound
to interface eth0 to a server in the dmz - eth1 192.168.1.165 (for
example), then I need :
- a PREROUTING DNAT rule
- a FORWARD rule for each direction (eth0 -> eth1 and eth1 -> eth0)
- and an INPUT rule for eth0 alias ip.
Does that make sense?
If I remove the INPUT rule, my DNAT does not work; the packets get sent
to the OUTPUT chain ...
Ray
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
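The rule set Ray lists, written out as an added example; it is not the poster's ruleset nor anyone else's code from this thread. It assumes a public alias 203.0.113.10 (documentation range), DMZ host 192.168.1.165, eth0 as the public interface and eth1 as the DMZ interface, and publishes TCP port 80; the IPT variable, the function names and the sample counter listing are constructs of this example. It also carries the netfilter point under discussion: a DNAT rule in nat/PREROUTING rewrites the destination before the routing decision, so a packet it matches is routed to the DMZ host and traverses FORWARD, never INPUT. INPUT only sees packets that still carry the firewall's own address when routing happens, which for published traffic means packets the DNAT rule did not match. As Cedric says, the alias itself still has to be configured on eth0 (or the upstream router needs a route for it) so the box answers ARP for that address in the first place.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Publishes a DMZ web server on a
# public alias with DNAT and shows which chains the DNATed packet traverses.
# Assumed (constructed) addresses: public alias 203.0.113.10, DMZ host
# 192.168.1.165, WAN interface eth0, DMZ interface eth1.
#
# IPT defaults to "echo iptables", so running this script prints the rules
# instead of loading them; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

# Emit the three rules that publishing one TCP port needs.
# Arguments: public alias, DMZ host, WAN interface, DMZ interface, port.
dnat_rules() {
    pub="$1"; dmz="$2"; wan="$3"; lan="$4"; port="${5:-80}"

    # 1. nat/PREROUTING: rewrite the destination BEFORE the routing
    #    decision. From here on the packet is addressed to $dmz, so routing
    #    hands it to FORWARD; it never reaches INPUT.
    $IPT -t nat -A PREROUTING -i "$wan" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dmz:$port"

    # 2. filter/FORWARD, inbound: match on the rewritten destination and
    #    only the published port, so a default-DROP FORWARD policy holds
    #    for everything else.
    $IPT -A FORWARD -i "$wan" -o "$lan" -d "$dmz" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. filter/FORWARD, return direction: replies only. Conntrack undoes
    #    the DNAT on the way out, so the client sees $pub as the source.
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$dmz" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Diagnostic: read the packet counter of the DNAT rule for a given alias
# from `iptables -t nat -L PREROUTING -v -n -x` output on stdin (first
# field is pkts, third is the target, ninth is the destination). A counter
# that stays at 0 while clients connect means the rule never matches: the
# packet keeps the alias as its destination, is routed to the local host
# and ends up in INPUT, where it is dropped unless INPUT accepts it.
dnat_hits() {
    awk -v pub="$1" '$3 == "DNAT" && $9 == pub { print $1; found = 1 }
                     END { if (!found) print "no-rule" }'
}

# Constructed sample of that listing, for running the check offline.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17     1020 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.1.165:80
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            203.0.113.11         tcp dpt:80 to:192.168.1.166:80'

# Stand-alone run: print the rules, then the two counters.
dnat_rules 203.0.113.10 192.168.1.165 eth0 eth1 80
printf '%s\n' "$SAMPLE_PREROUTING" | dnat_hits 203.0.113.10   # 17
printf '%s\n' "$SAMPLE_PREROUTING" | dnat_hits 203.0.113.11   # 0
```

Run it as-is to review the rules, then `IPT=iptables sh script.sh` to load them. On a live box, `iptables -t nat -L PREROUTING -v -n -x | dnat_hits 203.0.113.10` tells you whether the DNAT rule is matching at all; if it is not, adding an INPUT rule for the alias only accepts the unrewritten packet on the firewall itself, and nothing reaches the DMZ host.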
Thread overview (24+ messages):
2003-09-15 8:49 Routing decision? Wim Ceulemans
2003-09-15 9:08 ` Ray Leach
2003-09-15 10:44 ` Wim Ceulemans
2003-09-15 12:14 ` Ray Leach
2003-09-15 12:53 ` Wim Ceulemans
2003-09-15 13:09 ` Ray Leach
2003-09-15 13:31 ` Cedric Blancher
2003-09-15 13:46 ` Ray Leach [this message]
2003-09-15 14:00 ` Cedric Blancher
2003-09-15 15:03 ` Ray Leach
2003-09-15 13:16 Wim Ceulemans
2003-09-15 14:34 ` Henrik Nordstrom
2003-09-15 15:29 ` Wim Ceulemans
2003-09-15 16:06 ` Henrik Nordstrom
2003-09-15 16:25 ` Wim Ceulemans
2003-09-15 16:59 ` Cedric Blancher
2003-09-15 19:48 ` Henrik Nordstrom
2003-09-18 7:37 ` Wim Ceulemans
2003-09-18 11:22 ` Henrik Nordstrom
2003-09-18 11:54 ` Wim Ceulemans
2003-09-18 13:10 ` Henrik Nordstrom
2003-09-18 13:39 ` Wim Ceulemans
2003-09-15 20:10 Daniel Chemko
2003-09-15 22:32 ` Henrik Nordstrom