From: Daniel Frederiksen
Date: Tue, 25 Oct 2005 22:03:25 +0000
Subject: Re: [LARTC] Ip Src rewite.
Message-Id: <435EABAD.4010003@cyberdoc.dk>
References: <435E26E3.2080204@cyberdoc.dk>
In-Reply-To: <435E26E3.2080204@cyberdoc.dk>
To: lartc@vger.kernel.org

Oscar Mechanic wrote:
> So you want packets leaving the WAN to have address e.f.g.h/26 rather
> than a.b.c.d/30
>
> That would mean your ISP has assigned you the two ranges e.f.g.h and
> a.b.c.d.

Well, yes, my ISP has assigned me the two "classes"; however, the a.b.c.d/30
is a single IP through which the e.f.g.h/26 are routed. The ISP is not
routing the e.f.g.h/26 directly to the line, but through the single WAN IP
a.b.c.e/30. This is why all traffic going through is touched and marked as
coming from the WAN instead of the External IP address.

Any suggestions for solving that?

/Daniel

> Your gateway cannot be a gateway from this diagram
>
> That must be e.f.g.h/27 GW has
> e.f.g.h/27 and e.f.g.h/26 interfaces
>
>>>>             DMZ                  GW/FW                    ISP/Internet
>>>> -----------------------------------------------------------------------
>>>>  Server #1 --|
>>>>  e.f.g.h3/26 |
>>>>              |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
>>>>  Server #2 --|     a.b.c.d1/30          Ext. IP:    e.f.g.h/26
>>>>  e.f.g.h4/26       e.f.g.h1/26
>>>> ----------------------------------------------------------------------
>
>
> I would assume what you will end up doing is
>
> iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
> iptables -t nat -A POSTROUTING -m mac-source -j SNAT --to-source
>
> Where ALIAS1 and ALIAS2 are the IPs of server 1 and server 2 aliased on
> the firewall
>
> Regards
> Shane
>
> On Tue, 2005-10-25 at 14:58 +0200, Daniel Frederiksen wrote:
>
>> Oscar Mechanic wrote:
>>
>>> Maybe I have missed something and you need to do it in POSTROUTING but
>>> how about SNAT.
>>>
>>
>> Well currently I do not NAT at all. I have ip_forwarding enabled and
>> have assigned the first IP from the external block on the inside of the
>> Gateway/Firewall. On the outside of the Gateway/Firewall I have assigned
>> the WAN IP. This way when a system on the DMZ establishes a connection
>> it is forwarded through the Gateway.
>>
>> Any suggestions to changes are appreciated.
>>
>> /Daniel..
>>
>>
>>> PS: ip can do stateless nat.
>>>
>>> On Tue, 2005-10-25 at 14:36 +0200, Daniel Frederiksen wrote:
>>>
>>>
>>>> Hello folks..
>>>>
>>>> Do any of you know if it is possible to rewrite the IP src in a packet?
>>>> I have a problem involving a DMZ with external IP addresses routed
>>>> through a single WAN IP. When the server initiates a connection, it looks
>>>> like it comes from the WAN IP instead of its designated External IP
>>>> routed through the WAN.
>>>> So in short, is it possible to rewrite the packet in the router, with
>>>> iptables, to make it look like it comes from the external IP address
>>>> instead of the WAN IP of the router/firewall?
>>>>
>>>> Thank you very much for your time, I appreciate it.
>>>>
>>>> /Daniel Frederiksen
>>>>
>>>>
>>>> NB: Small diagram of the setup.
>>>>
>>>>             DMZ                  GW/FW                    ISP/Internet
>>>> -----------------------------------------------------------------------
>>>>  Server #1 --|
>>>>  e.f.g.h3/26 |
>>>>              |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
>>>>  Server #2 --|     a.b.c.d1/30          Ext. IP:    e.f.g.h/26
>>>>  e.f.g.h4/26       e.f.g.h1/26
>>>> ----------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> LARTC mailing list
>>>> LARTC@mailman.ds9a.nl
>>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
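One way to express the POSTROUTING rules Shane outlines, added here as an example and not code from the thread: it matches the DMZ server by source address with -s instead of by MAC, pins the rule to the WAN interface with -o, and refuses a --to-source that is the WAN address itself, which is the symptom under discussion. The interface name and all addresses are assumed placeholders from the RFC 5737 documentation ranges standing in for the thread's a.b.c.d and e.f.g.h.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the SNAT rules Shane
# describes, keyed on the DMZ server's source address (-m mac --mac-source
# is the MAC-based alternative) and restricted to the WAN-facing interface
# so traffic on the DMZ side is never rewritten.
# Placeholders (RFC 5737 ranges) stand in for a.b.c.d (WAN) and e.f.g.h (external block).

WAN_IF="${WAN_IF:-eth0}"                 # placeholder: interface holding a.b.c.d1/30
WAN_IP="${WAN_IP:-192.0.2.1}"            # placeholder for a.b.c.d1
EXT_PREFIX="${EXT_PREFIX:-198.51.100.}"  # placeholder: leading octets of the e.f.g.h block
# (coarse membership check on the first three octets; a real /26 needs a mask test)

# snat_rule SERVER_IP EXT_IP: print one rule, or fail when EXT_IP is the WAN
# address (the very thing the thread wants to stop) or outside the external block.
snat_rule() {
    server="$1"; ext="$2"
    case "$ext" in
        "$WAN_IP")
            echo "refusing: $ext is the WAN address, not an external IP" >&2
            return 1 ;;
        "$EXT_PREFIX"*) ;;
        *)
            echo "refusing: $ext is outside the external block" >&2
            return 1 ;;
    esac
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$WAN_IF" "$server" "$ext"
}

# Command to list what already rewrites egress traffic before adding rules:
# a stray MASQUERADE in POSTROUTING makes every flow appear to come from WAN_IP.
audit_cmd() {
    printf 'iptables -t nat -S POSTROUTING | grep -E "MASQUERADE|SNAT"\n'
}

# Rules for the two DMZ servers in the diagram (e.f.g.h3, e.f.g.h4), each
# mapped to its own alias on the firewall. Pipe the output to sh to apply.
rules() {
    snat_rule 198.51.100.3 198.51.100.3 &&
    snat_rule 198.51.100.4 198.51.100.4
}
```

Run `audit_cmd | sh` first on the gateway to see any existing MASQUERADE rule; if one is present it should be removed or narrowed before the per-server SNAT rules are added.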