iptables + ebtables + snat question
Jan Engelhardt
jengelh at linux01.gwdg.de
Sat Aug 13 14:36:23 CEST 2005
> I have the following setup:
>
> LAN
> |
> |
> if0 ________
> DMZ---if1 if2---|ROUTER|---INTERNET
> \ / --------
> br0
Your ascii art is totally broken. If you draw ascii at all, use a monospaced
font!
> LAN_NET = 10.0.0.1
> PUBLIC_NET = 77.25.33.0/28
> (14 hosts - broadcast = .15)
>
> I am doing transparent bridging between if1 and if2
> My ROUTER ethernet iface has IP 77.25.33.1
> my DMZ hosts will have public IPs ranging 77.25.33.2-14
>
> My question is: can I masquerade (SNAT) my LAN
> IPs and use the ROUTER ethernet IP
> as a --to-source target?
Yes.
> Or do I have to assign an IP to my br0 interface?
The bridge itself needs an IP if you want to SNAT to it. Otherwise this would
happen:
PING from dmz (77.25.33.2) to google.com (216.239.37.99) via
the nexthop (e.g. 77.1.2.3).
The bridge SNATs to 77.25.33.1
The nexthop asks arp-who-has 77.25.33.1 -- no response.
If your bridge does not have an IP, you need some ebtables tricks to make an
ARP reply.
> I am in design mode so I was trying to figure out
> if this is possible.
>
> The rule would look like this:
> $IPTABLES -t nat -A POSTROUTING \
> -o $BR0 -j SNAT --to-source $ROUTER_IP
>
> Can this work?
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
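The two ways Jan's reply leaves open, as an added example that is not from the thread: give br0 the SNAT address so the kernel answers ARP for it, or keep br0 address-less and answer ARP with ebtables' arpreply target. It assumes br0 bridges if1 and if2, the LAN is 10.0.0.0/24 behind if0, br_netfilter is available, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Two ways to make the --to-source
# address of a SNAT rule on a transparent bridge answer the nexthop's ARP
# request: (A) put the address on br0, (B) leave br0 address-less and let
# ebtables' arpreply target answer for it with the bridge's MAC.
# Assumptions: br0 bridges if1/if2, the LAN sits behind if0 as 10.0.0.0/24,
# and br_netfilter is available. DRY_RUN=1 prints commands instead of
# executing them, which is also how the rules below are checked offline.
BR0=br0
LAN_NET=10.0.0.0/24                 # assumed LAN prefix (post only gives 10.0.0.1)
PUBLIC_PREFIX=28                    # PUBLIC_NET = 77.25.33.0/28
SNAT_IP=${SNAT_IP:-77.25.33.1}      # ROUTER_IP from the quoted rule; any address
                                    # the nexthop can resolve on br0 will do

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Both variants need bridged frames to traverse the iptables nat table,
# otherwise -o br0 in POSTROUTING never matches.
enable_bridge_nf() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

snat_rule() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$BR0" \
        -j SNAT --to-source "$SNAT_IP"
}

# (A) The kernel answers ARP for SNAT_IP itself once br0 owns the address.
snat_with_bridge_ip() {
    enable_bridge_nf
    run ip addr add "$SNAT_IP/$PUBLIC_PREFIX" dev "$BR0"
    snat_rule
}

# (B) br0 keeps no IP; ARP requests for SNAT_IP crossing the bridge are
# answered with the given MAC (use br0's own MAC so replies reach this host).
snat_with_arpreply() {
    mac=$1
    enable_bridge_nf
    run ebtables -t nat -A PREROUTING -p ARP --arp-opcode Request \
        --arp-ip-dst "$SNAT_IP" -j arpreply --arpreply-mac "$mac"
    snat_rule
}
```

Option (B) is one concrete form of the "ebtables tricks" Jan mentions; the bridge host still needs a route toward the nexthop via br0 for the LAN traffic to leave at all.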