From: Peter Johnson <peter@thejohnsons.com.au>
To: Netfiler E-Mail List <netfilter@lists.netfilter.org>
Subject: Re: Strange setup
Date: 21 Jan 2003 07:42:00 +1100
Message-ID: <1043095321.24583.78.camel@wizardslair>
In-Reply-To: <1043049030.24581.76.camel@wizardslair>
ooops ... before too many people comment, the IPs should have been 0-15
and 16-31
On Mon, 2003-01-20 at 18:50, Peter Johnson wrote:
> Ok, gotcha now...
>
> Still do
> ip rule add from $WAN_IP table $WAN_TABLE
> ip rule add from $WLAN_IP table $WLAN_TABLE
> and
> ip route add default via $WAN_PEER_IP dev $WAN_IF table $WAN_TABLE
> ip route add default via $WLAN_PEER_IP dev $WLAN_IF table $WLAN_TABLE
>
> Add iptables rules approximately as follows:
>
> $IPTABLES -t nat -A PREROUTING -i $WAN_IF -j DNAT --to-destination $DMZ_IP_0-16
> $IPTABLES -t nat -A PREROUTING -i $WLAN_IF -j DNAT --to-destination $DMZ_IP_17-32
>
> $IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
> $IPTABLES -t nat -A POSTROUTING -o $WLAN_IF -j SNAT --to-source $WLAN_IP
>
> $IPTABLES -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i $WLAN_IF -o $DMZ_IF -j ACCEPT
>
> That takes care of the initial connection i.e. SYN packets. The IPTables
> nat table is only used on the initial packet on each connection.
>
> For the actual routing, the only thing that I can think of is assigning
> two IPs (aliases) to each server in the DMZ say .0-16 for WAN and 17-32
> for WLAN then using
>
> $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_0-16 -j MARK --set-mark 1
> and
> $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_17-32 -j MARK --set-mark 2
>
> then add
>
> ip rule add fwmark 1 table $WAN_TABLE
> and
> ip rule add fwmark 2 table $WLAN_TABLE
>
>
> Sorry but that is all I can come up with at the moment.
>
> PJ
>
> --
>
> Quitters never win, and winners never quit, but those who never quit AND
> never win are idiots.
>
--
The truth is out there? Does anyone know the URL?
Homepage: http://www.wizardslair.net
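The two-uplink arrangement the quoted message sketches (one routing table and default route per uplink, DNAT keyed on the inbound interface, and fwmark-based steering of the replies back out the uplink they arrived on), as an added example that is not part of the original thread or the poster's own script. Everything in it is constructed: interface names, RFC 5737 documentation addresses, table numbers, the service port, and a single DMZ host carrying two aliases in place of the poster's address ranges are all assumptions. It defaults to dry-run, so it only prints the commands it would issue; set DRY_RUN=0 to apply them. It also tightens the FORWARD rules from the quoted message, which accept everything from either uplink into the DMZ, to the published port plus established replies, with DROP as the chain policy, since without an ESTABLISHED,RELATED rule the DMZ host's answers would never be forwarded back out.

```shell
#!/bin/sh
# Dual-uplink DMZ with policy routing. Constructed example; all names and
# addresses below are assumptions, not values from the mailing-list thread.

WAN_IF=eth0;  WAN_IP=203.0.113.10;  WAN_PEER_IP=203.0.113.1;  WAN_TABLE=100
WLAN_IF=eth1; WLAN_IP=198.51.100.10; WLAN_PEER_IP=198.51.100.1; WLAN_TABLE=200
DMZ_IF=eth2
DMZ_WAN_ALIAS=10.0.0.5     # alias the DMZ host answers on for WAN-originated traffic
DMZ_WLAN_ALIAS=10.0.0.21   # alias the same host answers on for WLAN-originated traffic
SERVICE_PORT=80            # the one TCP service published through both uplinks
IPT=iptables

# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

build_rules() {
    # One routing table per uplink, each with its own default gateway.
    run ip route add default via "$WAN_PEER_IP"  dev "$WAN_IF"  table "$WAN_TABLE"
    run ip route add default via "$WLAN_PEER_IP" dev "$WLAN_IF" table "$WLAN_TABLE"

    # Traffic sourced from the firewall's own uplink addresses uses the matching table.
    run ip rule add from "$WAN_IP"  table "$WAN_TABLE"
    run ip rule add from "$WLAN_IP" table "$WLAN_TABLE"

    # Replies from the DMZ aliases are marked by source address before the routing
    # decision; the fwmark rules then send each reply out the uplink it came in on.
    run ip rule add fwmark 1 table "$WAN_TABLE"
    run ip rule add fwmark 2 table "$WLAN_TABLE"
    run "$IPT" -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_WAN_ALIAS"  -j MARK --set-mark 1
    run "$IPT" -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_WLAN_ALIAS" -j MARK --set-mark 2

    # Inbound NAT: the nat table only sees the first packet of each connection, so the
    # DNAT decision keyed on the arriving interface sticks for the whole flow.
    run "$IPT" -t nat -A PREROUTING -i "$WAN_IF"  -d "$WAN_IP"  -p tcp --dport "$SERVICE_PORT" \
        -j DNAT --to-destination "$DMZ_WAN_ALIAS"
    run "$IPT" -t nat -A PREROUTING -i "$WLAN_IF" -d "$WLAN_IP" -p tcp --dport "$SERVICE_PORT" \
        -j DNAT --to-destination "$DMZ_WLAN_ALIAS"
    run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF"  -j SNAT --to-source "$WAN_IP"
    run "$IPT" -t nat -A POSTROUTING -o "$WLAN_IF" -j SNAT --to-source "$WLAN_IP"

    # Forwarding: drop by default, allow established replies, and admit new
    # connections only to the published port on the alias that uplink serves.
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF"  -o "$DMZ_IF" -d "$DMZ_WAN_ALIAS"  -p tcp --dport "$SERVICE_PORT" \
        -m state --state NEW -j ACCEPT
    run "$IPT" -A FORWARD -i "$WLAN_IF" -o "$DMZ_IF" -d "$DMZ_WLAN_ALIAS" -p tcp --dport "$SERVICE_PORT" \
        -m state --state NEW -j ACCEPT
}

# Number of commands the ruleset consists of (handy for checking a dry run).
rule_count() {
    build_rules | grep -c .
}

build_rules
```

Run it as-is to review the generated command list (`sh dual-uplink.sh`, assuming that file name), then `DRY_RUN=0 sh dual-uplink.sh` as root to apply. The `-m state` match is the 2.4-era spelling the thread's timeframe used; on current kernels `-m conntrack --ctstate` is the equivalent. The marking works because the DNAT reverse translation for replies happens in POSTROUTING, so at mangle PREROUTING and at the routing decision the reply still carries the DMZ alias as its source.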
Thread overview: 11+ messages
2003-01-19 21:35 Strange setup Evan Borgstrom
2003-01-19 22:00 ` Evan Borgstrom
2003-01-19 22:31 ` Peter Johnson
2003-01-20 0:45 ` Evan Borgstrom
2003-01-20 7:24 ` Peter Johnson
2003-01-20 7:50 ` Peter Johnson
2003-01-20 14:49 ` Evan Borgstrom
2003-01-20 15:01 ` ip_conntrack: table full, dropping packet hare ram
2003-01-20 15:13 ` Maciej Soltysiak
2003-01-24 2:50 ` Strange setup Evan Borgstrom
2003-01-20 20:42 ` Peter Johnson [this message]