redirecting behind firewall with iptables
Mon, 29 Oct 2001 18:09:43 +0100
On Sun, Oct 28, 2001 at 08:30:18AM -0500, Dougherty, Joe happily wrote:
> The current firewall is able to do this using arp. Since the "fake" external
> address is on the same IP network as the firewall's external interface, it
> uses arp to listen for the address and route the request.
> I'd like to be able to do the same thing using netfilter/iptables. Since I'm
> still crawling my way through the documentation and scripting, I wondered if
> anyone had any advice or suggestions on the best (and most secure) way to
> perform this same function.
Looks like you are looking for proxy_arp. It does exactly what you are looking
for. eg, you could setup something like this:
- 1 interface on the 192 network
- 1 interface on the DMZ (where you put the servers).
- 1 interface on the external network.
- proxy_arp between the first and second interface
To setup something like this, you'll find exaustive documentation on the
proxy_arp home page (can't remember the url, just look for it in
google). The packets that flow from the dmz to the internet and vice-versa will
traverse the standard FORWARD chain, allowing you to do any kind of filtering or
I also believe you can find some interesting stuff on the mailing list archives...
I've had a quite similar setup working in a production environment for a couple
weeks now under a quite good load without getting in any trouble.
This is just a hint, if you need more help, feel free to mail me for details...
*** bye, Carlo!