redirecting behind firewall with iptables

Carlo ccontavalli@mail.com
Mon, 29 Oct 2001 18:09:43 +0100


On Sun, Oct 28, 2001 at 08:30:18AM -0500, Dougherty, Joe happily wrote:
> The current firewall is able to do this using arp. Since the "fake" external
> address is on the same IP network as the firewall's external interface, it
> uses arp to listen for the address and route the request.
> 
> I'd like to be able to do the same thing using netfilter/iptables. Since I'm
> still crawling my way through the documentation and scripting, I wondered if
> anyone had any advice or suggestions on the best (and most secure) way to
> perform this same function.
Looks like you are looking for proxy_arp. It does exactly what you are looking
for. E.g., you could set up something like this:
  - 1 interface on the 192 network
  - 1 interface on the DMZ (where you put the servers).
  - 1 interface on the external network.
  - proxy_arp between the first and second interface

To set up something like this, you'll find exhaustive documentation on the
proxy_arp home page (can't remember the URL, just look for it on
Google). The packets that flow from the DMZ to the internet and vice-versa will
traverse the standard FORWARD chain, allowing you to do any kind of filtering or
NAT.

I also believe you can find some interesting stuff on the mailing list archives...

I've had a quite similar setup working in a production environment for a couple
weeks now under a quite good load without getting in any trouble.

This is just a hint, if you need more help, feel free to mail me for details...

  Good Luck,
  	Carlo!
-- 
*** bye, Carlo!
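As an added example (not from Carlo's mail or from any project), a POSIX shell script sketching the layout he describes: proxy_arp on the 192-network and DMZ interfaces, a host route for a DMZ server, and a default-deny FORWARD chain that only passes the published service and logs DMZ-originated attempts. The interface names, the 192.168.1.0/24 network and the DMZ host 192.168.1.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail. Names/addresses are assumptions.
INT_IF="${INT_IF:-eth0}"              # interface on the 192 network
DMZ_IF="${DMZ_IF:-eth1}"              # interface to the DMZ (servers)
DMZ_HOST="${DMZ_HOST:-192.168.1.10}"  # assumed DMZ server, address taken from the 192 net
DRY_RUN=0

# run: execute a command, or only print it when DRY_RUN=1 (no root needed)
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

enable_proxy_arp() {
    # Firewall answers ARP on INT_IF for addresses that really live behind DMZ_IF
    run sysctl -w "net.ipv4.conf.$INT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
    run sysctl -w net.ipv4.ip_forward=1
    # Host route so the proxied address is forwarded out the DMZ side
    run ip route add "$DMZ_HOST/32" dev "$DMZ_IF"
}

filter_forward() {
    # Forwarded traffic between the DMZ and the outside hits FORWARD: default deny
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the published service (assumed: HTTP) may open connections into the DMZ
    run iptables -A FORWARD -o "$DMZ_IF" -d "$DMZ_HOST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # A DMZ server trying to open connections toward the 192 net is logged, then dropped
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m state --state NEW \
        -j LOG --log-prefix "dmz-to-int: "
    run iptables -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -m state --state NEW -j DROP
}

# With no argument only print the commands; "apply" executes them (needs root).
[ "${1:-}" = apply ] || DRY_RUN=1
enable_proxy_arp
filter_forward
```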