* Re: [LARTC] 2-NIC DMZ?
2002-10-28 16:27 [LARTC] 2-NIC DMZ? Justin Richer
@ 2002-10-28 18:27 ` Lars Munch
2002-10-28 21:06 ` Lars Munch
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Lars Munch @ 2002-10-28 18:27 UTC (permalink / raw)
To: lartc
Hi
AFAIK, you can do all of this by using FIAIF:
http://fiaif.fugmann.dhs.org/
which is a VERY nice and highly customizable script for setting up an
iptables based firewall. It has traffic shaping too.
Regards
Lars Munch
On Mon, Oct 28, 2002 at 11:27:37AM -0500, Justin Richer wrote:
> Hi all,
>
> I have two static IPs from my ISP. I would like one of these IPs to be
> directed to my desktop box all the time, and the other to be directed to a
> DHCP-served NAT network. I've nearly gotten it working using iptables and
> iproute2, but one problem is that i would like packets coming from my
> desktop box via the firewall to be printed with my desktop's external IP.
> They are currently being seen as from the NAT-hosted IP, which is the main
> IP address of the firewall box's external NIC. My setup looks like this:
>
> DSL Bridge -> [eth0] Firewall [eth1] -> 8-port-switch -> static desktop
> \-> (NAT cloud)
>
> is it possible to send packets from the firewall looking like they came from
> a different external IP address based on which internal IP they were routed
> from? it seems to me it really should be possible to do ... just, how?
>
> Thanks,
> -- Justin
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [LARTC] 2-NIC DMZ?
2002-10-28 16:27 [LARTC] 2-NIC DMZ? Justin Richer
2002-10-28 18:27 ` Lars Munch
@ 2002-10-28 21:06 ` Lars Munch
2002-10-28 22:05 ` Ken Price
2002-10-28 22:33 ` Justin Richer
3 siblings, 0 replies; 5+ messages in thread
From: Lars Munch @ 2002-10-28 21:06 UTC (permalink / raw)
To: lartc
Hi
AFAIK, you can do all of this by using FIAIF:
http://fiaif.fugmann.dhs.org/
which is a VERY nice and highly customizable script for setting up an
iptables based firewall. It has traffic shaping too.
Regards
Lars Munch
On Mon, Oct 28, 2002 at 11:27:37AM -0500, Justin Richer wrote:
> Hi all,
>
> I have two static IPs from my ISP. I would like one of these IPs to be
> directed to my desktop box all the time, and the other to be directed to a
> DHCP-served NAT network. I've nearly gotten it working using iptables and
> iproute2, but one problem is that i would like packets coming from my
> desktop box via the firewall to be printed with my desktop's external IP.
> They are currently being seen as from the NAT-hosted IP, which is the main
> IP address of the firewall box's external NIC. My setup looks like this:
>
> DSL Bridge -> [eth0] Firewall [eth1] -> 8-port-switch -> static desktop
> \-> (NAT cloud)
>
> is it possible to send packets from the firewall looking like they came from
> a different external IP address based on which internal IP they were routed
> from? it seems to me it really should be possible to do ... just, how?
>
> Thanks,
> -- Justin
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [LARTC] 2-NIC DMZ?
2002-10-28 16:27 [LARTC] 2-NIC DMZ? Justin Richer
2002-10-28 18:27 ` Lars Munch
2002-10-28 21:06 ` Lars Munch
@ 2002-10-28 22:05 ` Ken Price
2002-10-28 22:33 ` Justin Richer
3 siblings, 0 replies; 5+ messages in thread
From: Ken Price @ 2002-10-28 22:05 UTC (permalink / raw)
To: lartc
*VERY* easy. No routing rules involved, just IPTABLES:
For your workstation:
# iptables -t nat -A POSTROUTING -s 192.168.0.5 (your workstation statis IP)
-o eth0 -j SNAT --to PUBLIC_IP_1
Then, for everyone else:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to PUBLIC_IP_2
-Ken
-----Original Message-----
From: Justin Richer [mailto:ru2def@whoever.com]
Sent: Monday, October 28, 2002 11:28 AM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] 2-NIC DMZ?
Hi all,
I have two static IPs from my ISP. I would like one of these IPs to be
directed to my desktop box all the time, and the other to be directed to a
DHCP-served NAT network. I've nearly gotten it working using iptables and
iproute2, but one problem is that i would like packets coming from my
desktop box via the firewall to be printed with my desktop's external IP.
They are currently being seen as from the NAT-hosted IP, which is the main
IP address of the firewall box's external NIC. My setup looks like this:
DSL Bridge -> [eth0] Firewall [eth1] -> 8-port-switch -> static desktop
\-> (NAT cloud)
is it possible to send packets from the firewall looking like they came from
a different external IP address based on which internal IP they were routed
from? it seems to me it really should be possible to do ... just, how?
Thanks,
-- Justin
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: [LARTC] 2-NIC DMZ?
2002-10-28 16:27 [LARTC] 2-NIC DMZ? Justin Richer
` (2 preceding siblings ...)
2002-10-28 22:05 ` Ken Price
@ 2002-10-28 22:33 ` Justin Richer
3 siblings, 0 replies; 5+ messages in thread
From: Justin Richer @ 2002-10-28 22:33 UTC (permalink / raw)
To: lartc
*smacks forehead*
I'm an idiot. I actually had all of the rules correct, including those two
you listed. However, I had them in the opposite order from what you listed.
This was a problem, since both my NAT network and my workstation IP are all
on the 192.168.0.x network. Therefore, since the first rule matched packets
coming from my desktop as coming from the "internal" network, that rule
executed and it went on its merry way. Seeing your post made me re-examine
my script more closely, and that showed the problem. Thank you!
-- Justin
----- Original Message -----
From: "Ken Price" <kprice@agentware.net>
To: "'Justin Richer'" <ru2def@whoever.com>; <lartc@mailman.ds9a.nl>
Sent: Monday, October 28, 2002 5:05 PM
Subject: RE: [LARTC] 2-NIC DMZ?
> *VERY* easy. No routing rules involved, just IPTABLES:
>
> For your workstation:
> # iptables -t nat -A POSTROUTING -s 192.168.0.5 (your workstation statis
IP)
> -o eth0 -j SNAT --to PUBLIC_IP_1
> Then, for everyone else:
> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to PUBLIC_IP_2
>
>
> -Ken
>
>
> -----Original Message-----
> From: Justin Richer [mailto:ru2def@whoever.com]
> Sent: Monday, October 28, 2002 11:28 AM
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] 2-NIC DMZ?
>
>
> Hi all,
>
> I have two static IPs from my ISP. I would like one of these IPs to be
> directed to my desktop box all the time, and the other to be directed to a
> DHCP-served NAT network. I've nearly gotten it working using iptables and
> iproute2, but one problem is that i would like packets coming from my
> desktop box via the firewall to be printed with my desktop's external IP.
> They are currently being seen as from the NAT-hosted IP, which is the main
> IP address of the firewall box's external NIC. My setup looks like this:
>
> DSL Bridge -> [eth0] Firewall [eth1] -> 8-port-switch -> static desktop
> \-> (NAT cloud)
>
> is it possible to send packets from the firewall looking like they came
from
> a different external IP address based on which internal IP they were
routed
> from? it seems to me it really should be possible to do ... just, how?
>
> Thanks,
> -- Justin
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 5+ messages in thread