From: Peter Johnson <peter@thejohnsons.com.au>
To: Netfiler E-Mail List <netfilter@lists.netfilter.org>
Subject: Re: Strange setup
Date: 20 Jan 2003 18:50:29 +1100
Message-ID: <1043049030.24581.76.camel@wizardslair>
In-Reply-To: <1084.10.35.120.83.1043023502.squirrel@mail.unixpimps.org>
Ok, gotcha now...
Still do
ip rule add from $WAN_IP table $WAN_TABLE
ip rule add from $WLAN_IP table $WLAN_TABLE
and
ip route add default via $WAN_PEER_IP dev $WAN_IF table $WAN_TABLE
ip route add default via $WLAN_PEER_IP dev $WLAN_IF table $WLAN_TABLE
Add iptables rules approximately as follows:
$IPTABLES -t nat -A PREROUTING -i $WAN_IF -j DNAT --to-destination $DMZ_IP_0-16
$IPTABLES -t nat -A PREROUTING -i $WLAN_IF -j DNAT --to-destination $DMZ_IP_17-32
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
$IPTABLES -t nat -A POSTROUTING -o $WLAN_IF -j SNAT --to-source $WLAN_IP
$IPTABLES -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $WLAN_IF -o $DMZ_IF -j ACCEPT
That takes care of the initial connection i.e. SYN packets. The IPTables
nat table is only used on the initial packet on each connection.
For the actual routing, the only thing that I can think of is assigning
two IPs (aliases) to each server in the DMZ, say .0-16 for WAN and .17-32
for WLAN, then using
$IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_0-16 -j MARK --set-mark 1
and
$IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_17-32 -j MARK --set-mark 2
then add
ip rule add fwmark 1 table $WAN_TABLE
and
ip rule add fwmark 2 table $WLAN_TABLE
Sorry but that is all I can come up with at the moment.
PJ
--
Quitters never win, and winners never quit, but those who never quit AND
never win are idiots.
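The fragments in PJ's message, consolidated into one script in the shape he describes: per-source policy routing, one default route per table, DNAT/SNAT per uplink, and fwmark rules so DMZ replies leave through the uplink the connection arrived on. This is an added example and not code from the original post or from the netfilter project. The interface names, addresses, table numbers and preferences, the `-m iprange` match (used because .0-16 and .17-32 are not CIDR blocks), the `-d` match on the uplink's own address (so transit traffic is not DNATed), the ESTABLISHED/RELATED rule for the DMZ-to-uplink direction, and the DRY_RUN switch are all assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original post. Dual-uplink policy routing with
# a DMZ whose servers carry one alias per uplink. All names and addresses
# below are assumed placeholders (RFC 5737 documentation ranges); edit first.
# Invoke as "./dualwan.sh apply" (root) to execute; any other invocation
# prints the commands instead, which is also what the test harness uses.

WAN_IF=eth0;  WAN_IP=203.0.113.10;   WAN_PEER_IP=203.0.113.1;   WAN_TABLE=100
WLAN_IF=eth1; WLAN_IP=198.51.100.10; WLAN_PEER_IP=198.51.100.1; WLAN_TABLE=200
DMZ_IF=eth2
DMZ_WAN_RANGE=10.0.0.1-10.0.0.16     # DMZ aliases reachable via the WAN uplink
DMZ_WLAN_RANGE=10.0.0.17-10.0.0.32   # DMZ aliases reachable via the WLAN uplink
IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-0}

# Either print the command (DRY_RUN=1) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

policy_routing() {
    # Locally sourced packets select a table by source address; explicit
    # preferences keep rule order deterministic across reloads.
    run ip rule add from "$WAN_IP"  table "$WAN_TABLE"  pref 100
    run ip rule add from "$WLAN_IP" table "$WLAN_TABLE" pref 101
    # One default route per table, each via its own uplink's peer and device.
    run ip route add default via "$WAN_PEER_IP"  dev "$WAN_IF"  table "$WAN_TABLE"
    run ip route add default via "$WLAN_PEER_IP" dev "$WLAN_IF" table "$WLAN_TABLE"
}

nat_rules() {
    # Inbound new connections arriving on an uplink, addressed to that uplink,
    # are DNATed into the alias range reserved for it. The nat table only sees
    # the first packet of a connection; conntrack handles the rest.
    # Note: DNAT to a range spreads connections across it; a real deployment
    # would match per service (-p tcp --dport N) with a single target address.
    run "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF"  -d "$WAN_IP"  -j DNAT --to-destination "$DMZ_WAN_RANGE"
    run "$IPTABLES" -t nat -A PREROUTING -i "$WLAN_IF" -d "$WLAN_IP" -j DNAT --to-destination "$DMZ_WLAN_RANGE"
    # Outbound packets are source-NATed to the address of the uplink they leave on.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF"  -j SNAT --to-source "$WAN_IP"
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WLAN_IF" -j SNAT --to-source "$WLAN_IP"
    # Forwarding: uplink -> DMZ, plus replies DMZ -> uplink (added assumption;
    # needed if the FORWARD policy is DROP).
    run "$IPTABLES" -t filter -A FORWARD -i "$WAN_IF"  -o "$DMZ_IF" -j ACCEPT
    run "$IPTABLES" -t filter -A FORWARD -i "$WLAN_IF" -o "$DMZ_IF" -j ACCEPT
    run "$IPTABLES" -t filter -A FORWARD -i "$DMZ_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

return_path_marks() {
    # Replies from the DMZ carry the alias as their source address. Mark them
    # by range so the routing decision sends each back out the matching uplink.
    run "$IPTABLES" -t mangle -A PREROUTING -i "$DMZ_IF" -m iprange --src-range "$DMZ_WAN_RANGE"  -j MARK --set-mark 1
    run "$IPTABLES" -t mangle -A PREROUTING -i "$DMZ_IF" -m iprange --src-range "$DMZ_WLAN_RANGE" -j MARK --set-mark 2
    run ip rule add fwmark 1 table "$WAN_TABLE"  pref 110
    run ip rule add fwmark 2 table "$WLAN_TABLE" pref 111
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    policy_routing
    nat_rules
    return_path_marks
    run ip route flush cache   # make the new rules take effect for cached routes
}

# Print the full command list without touching the system (subshell keeps
# DRY_RUN local). Returns the generated commands on stdout.
generate() {
    ( DRY_RUN=1; apply_all )
}

case "${1:-print}" in
    apply) apply_all ;;   # requires root and the iproute2/iptables binaries
    *)     generate ;;
esac
```

Run it without arguments first and read the 17 generated commands; the ordering matters only in that the fwmark rules and the from-address rules must not shadow each other, which the distinct preferences guarantee.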
Thread overview: 11+ messages
2003-01-19 21:35 Strange setup Evan Borgstrom
2003-01-19 22:00 ` Evan Borgstrom
2003-01-19 22:31 ` Peter Johnson
2003-01-20 0:45 ` Evan Borgstrom
2003-01-20 7:24 ` Peter Johnson
2003-01-20 7:50 ` Peter Johnson [this message]
2003-01-20 14:49 ` Evan Borgstrom
2003-01-20 15:01 ` ip_conntrack: table full, dropping packet hare ram
2003-01-20 15:13 ` Maciej Soltysiak
2003-01-24 2:50 ` Strange setup Evan Borgstrom
2003-01-20 20:42 ` Peter Johnson