From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Q: Routing the Same IP simultaneously on
Date: Wed, 22 Jun 2005 18:53:35 +0000
Message-ID: <42B9B3AF.7090905@riverviewtech.net>
In-Reply-To: <00ed01c57680$12ac2450$0300a8c0@computer1>
Hmm, interesting question with a myriad of answers, some more complex than others. One point of contention though is that I have never seen a router that would forward the traffic on internally to a system on the LAN with the external globally routable IP of the router. All the routers that have the concept of a DMZ host in them redirect the traffic to a system on the internal LAN with an IP on the internal subnet. This latter approach is the direction that I will go; if you do want the former, let me know and I'll chew on it for a while.
I would initially attempt to use a standard basic NATing firewall (no frills or sanity checks here).
# Forwarding between the two interfaces has to be on or nothing below does anything.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Placeholder LAN addresses; substitute your own.
IP_of_DMZ_server=192.168.1.100
IP_of_other_system=192.168.1.20

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t filter -F INPUT
iptables -t filter -F FORWARD
iptables -t filter -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -t nat -F POSTROUTING
# eth0 will be the internet connection
# eth1 will be the LAN connection.
#
# With INPUT at DROP the router itself gets nothing back, not even replies to its own
# DNS lookups, and you cannot manage it from the LAN; allow those so you don't lock
# yourself out.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT
# New connections that the PREROUTING rule below DNATs to the DMZ host still have to
# pass FORWARD (the destination is already rewritten by then), or the DROP policy eats them.
iptables -t filter -A FORWARD -i eth0 -o eth1 -d $IP_of_DMZ_server -m state --state NEW -j ACCEPT
#
# If you have any services that you want to be port forwarded to systems other than the DMZ server
# you will need to list them here, BEFORE the catch-all DNAT rule, each with its own FORWARD accept.
#
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination $IP_of_other_system
# iptables -t filter -A FORWARD -i eth0 -o eth1 -p tcp -d $IP_of_other_system --dport 22 -j ACCEPT
#
# This is the line that I'm not sure about and would have to test as I'm not sure it will do what I think.
# The nat table only sees the first packet of a connection, so "--state NEW" is redundant but
# harmless; replies to MASQUERADEd connections are un-NATed by conntrack and never reach it.
# It also grabs new connections aimed at services on the router's own WAN address, so except
# those above if you need them reachable from the internet.
#
iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -j DNAT --to-destination $IP_of_DMZ_server
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This is completely untested code, so test it at your own risk. This is what I would try out of the gate though.
Grant. . . .
John Wigley wrote:
> Hi,
>
> I've asked this elsewhere and received hints but no one seems to have a
> concrete explanation:
>
> What I am looking to do is to be able to configure a Linux based router to
> be able to share THE SAME SINGLE Public IP address between the linux router
> and a single computer on the lan acting as the DMZ host (NOT normal NAT IP
> sharing!).
>
> So basically you have a linux router with two network ports, WAN and LAN.
> The router takes the single ISP assigned public IP address for its WAN
> interface and then uses a non routable subnet for the LAN port. There are a
> number of machines on the LAN segment and the linux router is performing NAT
> for them so that they have internet connectivity - so far this is a standard
> normal setup.
>
> Now what I want to do is to simultaneously assign that SAME PUBLIC IP
> address onto one of the LAN computers so that it for all intents and
> purposes is a DMZ host.
>
> Before anyone says that this is mad and that it can't be done, it can be
> done perfectly well and all WESTELL ADSL / Ethernet routers have this
> functionality along with some no name Far Eastern origin broadband routers
> based on a Conexant OEM reference design.
>
> Having thought long and hard about how to do this but not knowing NetFilter
> at all, I realised that the way this must be done is for the router to
> perform a standard NAT function with the added functions of tracking all
> outgoing connections from the DMZ host and entering those into the NAT table
> as well, so that it doesn't try to do a Port Address Translation on top of
> an existing outgoing connection from the DMZ host. For incoming connections,
> if the incoming packet has a reference in the NAT table then it is directed
> to the originating LAN machine and if not is passed through unmodified to
> the DMZ host.
>
> I have spent much time googling and reading list postings but cannot find
> any reference on how to do this under linux; my guess is that Proxy ARP
> needs to be enabled on the LAN interface and then a 1:1 POST NAT mapping set
> to remap all the packets for the DMZ host back to the original public IP
> address, but after that I'm stuck.
>
> This is an incredibly useful feature which I've used on the Westell routers
> for some time, but now want to move to a Linux based router to be able to do
> QOS, as it allows all the benefits of NAT for sharing a single IP address
> but also the benefits of a routed connection for NAT unaware applications
> like IPSEC AH, and some VOIP implementations.
>
> Any advice on setting this up would be much appreciated,
>
> Thanks,
>
> John Wigley
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
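The decision order John describes in the quoted message (look an incoming packet up in the NAT table first, hand it to the originating LAN machine on a hit, otherwise pass it through with its port untouched to the DMZ host) is exactly what lets a catch-all DNAT such as Grant's coexist with ordinary masquerading: conntrack answers for every established flow before the PREROUTING rule is ever consulted. The Python below is an added model of that order written for this page; it is not code from the thread, from netfilter, or from any router firmware. The addresses are assumptions (203.0.113.10 as the single public IP, 192.168.1.0/24 as the LAN, 192.168.1.100 as the DMZ host), as is the exception that keeps TCP/22 on the router, which stands in for the commented-out port-forward line in Grant's ruleset. It also covers the collision case John worries about: two LAN hosts using the same source port to the same remote endpoint, where only the second one is port-translated.

```python
# Toy model of the NAT-table-first, DMZ-host-fallback decision discussed in the thread.
# Constructed illustration only; addresses and the TCP/22 exception are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint


@dataclass
class Nat:
    wan_ip: str
    dmz_host: Optional[str] = None
    # Static exceptions checked before the DMZ catch-all, like the "--dport 22" DNAT
    # in the ruleset above. A target equal to wan_ip means "deliver to the router itself".
    exceptions: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # Forward table: (proto, lan_ip, lan_port, remote_ip, remote_port) -> wan_port
    _out: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # Reverse table: (proto, remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)
    _in: Dict[Tuple[str, str, int, int], Endpoint] = field(default_factory=dict)
    _next_port: int = 61000

    def _pick_wan_port(self, proto: str, wanted: int, remote: Endpoint) -> int:
        # Keep the host's own source port unless another flow to the same remote
        # already owns it; only then fall back to port address translation.
        if (proto, remote[0], remote[1], wanted) not in self._in:
            return wanted
        while (proto, remote[0], remote[1], self._next_port) in self._in:
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: masquerade and record the flow (the DMZ host's flows included)."""
        lan_ip, lan_port = pkt.src
        key = (pkt.proto, lan_ip, lan_port, pkt.dst[0], pkt.dst[1])
        wan_port = self._out.get(key)
        if wan_port is None:
            wan_port = self._pick_wan_port(pkt.proto, lan_port, pkt.dst)
            self._out[key] = wan_port
            self._in[(pkt.proto, pkt.dst[0], pkt.dst[1], wan_port)] = pkt.src
        return Packet(pkt.proto, (self.wan_ip, wan_port), pkt.dst)

    def inbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """WAN -> LAN: return (verdict, packet after any rewrite)."""
        if pkt.dst[0] != self.wan_ip:
            return ("drop", pkt)
        # 1. Reply to a tracked flow: back to the LAN machine that opened it.
        lan = self._in.get((pkt.proto, pkt.src[0], pkt.src[1], pkt.dst[1]))
        if lan is not None:
            return ("tracked", Packet(pkt.proto, pkt.src, lan))
        # 2. Explicit port forward or router-local exception.
        target = self.exceptions.get((pkt.proto, pkt.dst[1]))
        if target is not None:
            if target == self.wan_ip:
                return ("local", pkt)
            return ("forward", Packet(pkt.proto, pkt.src, (target, pkt.dst[1])))
        # 3. Anything else, destination port untouched, goes to the DMZ host.
        if self.dmz_host is not None:
            return ("dmz", Packet(pkt.proto, pkt.src, (self.dmz_host, pkt.dst[1])))
        return ("drop", pkt)


def demo() -> Dict[str, object]:
    """Walk the cases from the thread; all addresses are constructed (TEST-NET ranges)."""
    nat = Nat(wan_ip="203.0.113.10", dmz_host="192.168.1.100",
              exceptions={("tcp", 22): "203.0.113.10"})  # SSH stays on the router
    remote = ("198.51.100.7", 443)
    # DMZ host and a workstation both connect out from source port 40000 to the same remote.
    dmz_out = nat.outbound(Packet("tcp", ("192.168.1.100", 40000), remote))
    ws_out = nat.outbound(Packet("tcp", ("192.168.1.20", 40000), remote))
    return {
        "dmz_wan_port": dmz_out.src[1],  # first flow keeps 40000, no PAT
        "ws_wan_port": ws_out.src[1],    # collision, so translated to 61000
        "reply_dmz": nat.inbound(Packet("tcp", remote, (nat.wan_ip, dmz_out.src[1]))),
        "reply_ws": nat.inbound(Packet("tcp", remote, (nat.wan_ip, ws_out.src[1]))),
        "new_http": nat.inbound(Packet("tcp", ("192.0.2.55", 51515), (nat.wan_ip, 80))),
        "new_ssh": nat.inbound(Packet("tcp", ("192.0.2.55", 51516), (nat.wan_ip, 22))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Real conntrack keys on the full five-tuple per protocol, handles ICMP and RELATED flows, and ages entries out; the model leaves all of that aside to show only the lookup order that makes the single-rule DMZ host behave as described.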
Thread overview: 7+ messages
2005-06-21 16:41 [LARTC] Q: Routing the Same IP simultaneously on different John Wigley
2005-06-22 15:25 ` [LARTC] Q: Routing the Same IP simultaneously on Forte Systems - Iosif Peterfi
2005-06-22 18:53 ` Taylor, Grant [this message]
2005-06-22 22:46 ` [LARTC] Q: Routing the Same IP simultaneously on different Matthew Lowe
2005-06-22 23:33 ` [LARTC] Q: Routing the Same IP simultaneously on Taylor, Grant
2005-06-23 4:37 ` [LARTC] Q: Routing the Same IP simultaneously on different Matthew Lowe
2005-06-23 10:27 ` Matthew Lowe