From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: Yaron Presente <ypresente@mrv.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: DNAT & ARP
Date: Mon, 19 Jul 2004 06:52:28 -0400
Message-ID: <1090234023.27791.10.camel@localhost>
In-Reply-To: <40FA4845.8030802@mrv.com>

On Sun, 2004-07-18 at 05:52, Yaron Presente wrote:
> Hi All,
> I have a linux box (Montavista 2.4.18), which is connected to the 
> external world through an IP subnet A.
> I want to DNAT this subnet A to a private subnet B, and to do this I 
> need to support proxy arp for hosts in class A, which don't actually exist.
> My problems are all ARP related:
> 1. I want to reply on ARP requests for hosts on subnet A. looking at the 
> arp code in net/ipv4/arp.c, it seems that
> this should have been the default behaviour (i.e 
> (rt->rt_flags&RTCF_DNAT) behaves the same as if a proxy arp was defined
> on the interface). However, testing shows that Linux doesn't reply.
> Why?
> 2. To overcome the first problem, I can enable proxy arp explicitly. 
> However, proxy arp does not answer to requests if the
> routing lookup shows that the target is located on the incoming 
> interface of the request. any ideas?
> 3. If there are real hosts of subnet A on my external interface, I do 
> not want to serve as proxy arp for them.
> is there a way to define these exceptions to the proxy arp? can I set a 
> big proxy_delay in /proc and hope that the real host would
> answer before my proxy?
> Any help would be appreciated.
> Thanks,
> Yaron

If I understand you correctly, it is a pretty straightforward DNAT with
exactly the proxy ARP issues you describe.  I typically handle this by
binding the DNAT address to the public NIC using iproute2.  For example,
if I NAT 10.1.1.5 to 1.1.1.5, I have the appropriate DNAT rule in
iptables and then do a 

ip address add 1.1.1.5/24 brd + dev eth0

or whatever parameters are appropriate.  I'm not sure if the brd + is
necessary if I already have an address for the same subnet bound to the
NIC.  Perhaps someone else can comment.

Once ISCS is available (http://iscs.sourceforge.net), it will
automatically handle the ARP configuration when you assign a public
address to a private host.  In fact, that code works now along with
almost all the access control portion.  Good luck with it - John
-- 
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
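The setup John describes (an iptables DNAT rule plus binding the public address to the outside NIC with iproute2, so the kernel answers ARP for it itself instead of relying on proxy_arp) is spelled out below as an added example; it is not code from the original thread or from ISCS. The addresses 1.1.1.5 / 10.1.1.5, the /24 prefix and eth0 are taken from the reply as illustration, the helper names and the FORWARD policy are assumptions. Binding one address per NATed host, rather than turning on proxy_arp for the whole interface, also answers the third question in the original mail: the box only replies to ARP for addresses it has bound, so real hosts on subnet A are left alone.

```shell
#!/bin/sh
# Added example (not from the thread): emit the commands for "bind the
# public address on the outside NIC + DNAT/SNAT", and a small sanity check
# that the public address really lies in the NIC's subnet.  POSIX sh only.

# ip_to_int A.B.C.D  -> prints the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet IP1 IP2 PREFIX_LEN  -> exit 0 if both lie in the same /PREFIX_LEN
# Use this before binding: a public address outside the NIC's subnet would be
# bound but never ARPed for by hosts on that segment.
same_subnet() {
    m=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# dnat_plan PUBLIC_IP PRIVATE_IP PREFIX_LEN PUBLIC_DEV
# Prints, one command per line, what a root shell would run.  Pipe into
# "sh" to apply.  Order matters: bind first so ARP works as soon as NAT does.
dnat_plan() {
    pub="$1"; priv="$2"; plen="$3"; dev="$4"
    # 1. Secondary address on the public NIC: the kernel now answers ARP for
    #    PUBLIC_IP on its own, no proxy_arp needed.  "brd +" just derives the
    #    broadcast from the prefix and is harmless next to an existing primary
    #    address in the same subnet.
    printf 'ip address add %s/%s brd + dev %s\n' "$pub" "$plen" "$dev"
    # 2. Rewrite the destination in PREROUTING, i.e. before the routing
    #    decision, so the packet is forwarded to the private host rather than
    #    delivered locally to the address we just bound.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$dev" "$pub" "$priv"
    # 3. Give the private host the same public source address on the way out
    #    (replies and its own outbound connections).
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$dev" "$priv" "$pub"
    # 4. Stateful FORWARD policy (assumed): new connections may come in to the
    #    DNATed host; only established/related traffic is passed back out.
    printf 'iptables -A FORWARD -i %s -d %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$dev" "$priv"
    printf 'iptables -A FORWARD -o %s -s %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$dev" "$priv"
}

# Stand-alone use:  ./dnat_plan.sh 1.1.1.5 10.1.1.5 24 eth0 [| sh]
if [ "$#" -eq 4 ]; then
    same_subnet "$1" "$(ip -4 -o addr show dev "$4" | awk '{print $4}' | head -n1 | cut -d/ -f1)" "$3" \
        || { echo "warning: $1 is not in the subnet of $4" >&2; }
    dnat_plan "$@"
fi
```

To confirm the ARP side from another host on subnet A, `arping -I eth0 1.1.1.5` should now be answered with the router's MAC, and `tcpdump -n -i eth0 arp` on the router will show the replies. Note that the bound address is also reachable locally: packets the router itself generates to 1.1.1.5 never traverse PREROUTING, so they hit the local stack rather than the private host; add a matching DNAT rule in the nat OUTPUT chain if that matters.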



Thread overview:
2004-07-18  9:52 DNAT & ARP Yaron Presente
2004-07-19 10:52 ` John A. Sullivan III [this message]
2004-07-19 14:16   ` Yaron Presente
2004-07-19 14:55     ` John A. Sullivan III
2004-07-19 15:31       ` Yaron Presente
2004-07-19 15:40         ` John A. Sullivan III
