* Automagic proxy arp?
From: Chinh Nguyen @ 2006-02-22 15:24 UTC
To: netfilter

Hi,
I have a machine M that is 'walled' off from the rest of the local subnet
similar to this.
    .1           .2      .3      .4-.254
+-------+       +---------+
+   M   + ----- eth1 FW eth0 ---- local subnet
+-------+       +---------+

With ip_forward on and using standard forward rules on FW (e.g., -A FORWARD
--in-interface eth1 -j ACCEPT, -A FORWARD --in-interface eth0 -m state --state
ESTABLISHED,RELATED -j ACCEPT), M can reach the local subnet.
However, I need to add a routing entry in M to send all local traffic to FW.
Otherwise, M will attempt to arp the destination as they are all on the same subnet.
The linux arp man page claims that linux will "automagic proxy arp when a route
exists and it is forwarding".
Does anyone know how to set up iptables on FW to enable this "automagic"?
I've also tried using explicit forward rules such as "--in eth1 -d !.1 -j
ACCEPT", "--in eth1 -d .4 -j ACCEPT, --in eth1 -d .5 -j ACCEPT, etc." to no effect.
Thanks.

* Re: Automagic proxy arp?
From: Rob Sterenborg @ 2006-02-22 16:13 UTC
To: netfilter

On Wed, February 22, 2006 16:24, Chinh Nguyen wrote:
> Hi,
>
> I have a machine M that is 'walled' off from the rest of the local subnet
> similar to this.
>
>     .1           .2      .3      .4-.254
> +-------+       +---------+
> +   M   + ----- eth1 FW eth0 ---- local subnet
> +-------+       +---------+
>
> With ip_forward on and using standard forward rules on FW (e.g., -A FORWARD
> --in-interface eth1 -j ACCEPT, -A FORWARD --in-interface eth0 -m state
> --state ESTABLISHED,RELATED -j ACCEPT), M can reach the local subnet.
>
> However, I need to add a routing entry in M to send all local traffic to FW.
> Otherwise, M will attempt to arp the destination as they are all on the same
> subnet.
> The linux arp man page claims that linux will "automagic proxy arp when a
> route exists and it is forwarding".

The "linux arp man page"... Not the iptables man page.

> Does anyone know how to set up iptables on FW to enable this "automagic"?

Aren't you confusing things? arp != iptables.

From man arp(8):

NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP entry for an
entire subnet. Linux instead does automagic proxy arp when a route exists and
it is forwarding. See arp(7) for details.

> I've also tried using explicit forward rules such as "--in eth1 -d !.1 -j
> ACCEPT", "--in eth1 -d .4 -j ACCEPT, --in eth1 -d .5 -j ACCEPT, etc." to no
> effect.

Why is it such a problem to set the default gateway of "M" to the firewall?
You say it works when you add a routing rule for the firewall, but if the
firewall is the only machine that "M" can reach, you might as well use it as
default gateway.

Gr,
Rob

* Re: Automagic proxy arp?
From: Chinh Nguyen @ 2006-02-22 17:28 UTC
To: netfilter

Rob Sterenborg wrote:
>>     .1           .2      .3      .4-.254
>> +-------+       +---------+
>> +   M   + ----- eth1 FW eth0 ---- local subnet
>> +-------+       +---------+
>
> The "linux arp man page"... Not the iptables man page.
>
>> Does anyone know how to set up iptables on FW to enable this "automagic"?

It turns out the trick is to add an explicit route on the FW to machine M
such as "route add -host M/32 dev eth1" whereas the default route to the local
subnet is eth0. Of course, you must also enable proxy_arp for both eth1 and
eth0. Given this configuration, the FW will proxy arp for all machines on the
local subnet (on eth1), and will proxy arp for M (on eth0).

> Aren't you confusing things? arp != iptables.
>
> From man arp(8):
>
> NOTE: As of kernel 2.2.0 it is no longer possible to set an ARP entry for an
> entire subnet. Linux instead does automagic proxy arp when a route exists and
> it is forwarding. See arp(7) for details.

I only thought the solution may lie in iptables because the only systems
related to forwarding in linux that I know of are 1. the ip_forward option in
the kernel and 2. iptables can define forwarding rules. As such, I assumed that
when the arp man pages write about forwarding enabling automagic proxy arp, it
relates to iptables.

I also thought about turning FW into a bridge but there may be some
degradation because both interfaces will have to be in promiscuous mode.

> Why is it such a problem to set the default gateway of "M" to the firewall?
> You say it works when you add a routing rule for the firewall, but if the
> firewall is the only machine that "M" can reach, you might as well use it as
> default gateway.

Eventually, the subnet where M is sitting will have more than one machine
(say, N, O, P). For example, as a DMZ.

It would be nice to have M, N, O, and P reach each other as well as the rest
of the local subnet without adding customized routing rules on each of them.
Actually, for a DMZ the configuration would be reversed. You want the local
subnet to reach M, N, O, P and not vice versa (by using iptables to only allow
forwarding to start from the eth0 side). In this case, it would not be
feasible to add a special route on all the local boxes for M, etc. It looks
like I can achieve the same thing by just adding 4 route entries on FW for M,
N, O, P.

Regards,
Chinh
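The host-route trick Chinh settles on, modelled as an added example that is not code from this thread: a small Python simulation of the kernel's proxy-ARP decision, useful for checking on which interface FW will answer for which addresses before turning proxy_arp on. The 192.168.0.0/24 addresses and the interface sysctl values are constructed assumptions; the decision rule is simplified from the kernel's arp_process()/arp_fwd_proxy() checks (medium_id and private-VLAN handling are omitted).

```python
import ipaddress

# Constructed model of the firewall (FW) from the thread: M is .1 behind eth1,
# the rest of the /24 sits on eth0.  The subnet itself is an assumed value.
SUBNET = ipaddress.ip_network("192.168.0.0/24")
M = ipaddress.ip_address("192.168.0.1")

# FW routing table as (destination, egress interface); longest prefix wins.
ROUTES = [
    (ipaddress.ip_network(f"{M}/32"), "eth1"),  # "route add -host M/32 dev eth1"
    (SUBNET, "eth0"),                            # connected route for the subnet
]
ROUTES_NO_HOST = [(SUBNET, "eth0")]              # the "before" state: no host route

# Per-interface sysctls: net.ipv4.conf.<dev>.{forwarding,proxy_arp}
SYSCTL = {
    "eth0": {"forwarding": 1, "proxy_arp": 1},
    "eth1": {"forwarding": 1, "proxy_arp": 1},
}


def route_lookup(target, routes=ROUTES):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    best = None
    for net, dev in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def answers_arp(in_dev, target, routes=ROUTES, sysctl=SYSCTL):
    """Would FW send a proxy ARP reply for `target` to a request heard on `in_dev`?

    Simplified from the kernel's arp_process()/arp_fwd_proxy() checks:
    forwarding and proxy_arp must be on for the ingress interface, a route
    to the target must exist, and it must leave via a *different* interface.
    (FW's own addresses are answered as local addresses; not modelled here.)
    """
    target = ipaddress.ip_address(target)
    conf = sysctl.get(in_dev, {})
    if not (conf.get("forwarding") and conf.get("proxy_arp")):
        return False
    out_dev = route_lookup(target, routes)
    return out_dev is not None and out_dev != in_dev


def proxy_scope(in_dev, routes=ROUTES, sysctl=SYSCTL):
    """Every address in SUBNET that FW would answer for on `in_dev`: a quick
    audit of how wide the proxy-ARP footprint really is."""
    return [str(a) for a in SUBNET.hosts() if answers_arp(in_dev, a, routes, sysctl)]
```

With the host route present, proxy_scope("eth0") is just M and proxy_scope("eth1") is the rest of the subnet, which is exactly the split the thread describes; drop the host route (ROUTES_NO_HOST) and FW stops answering for M on eth0 because that route would leave through eth0 itself.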