List:       linux-server
Subject:    Re: non-dof ipfw/ipchains question...
From:       Brian Candler <B.Candler () POBOX ! COM>
Date:       1999-01-19 8:51:36
>                                         X.Y.136.3               ...
>                                             v                  /
>  Internet ----> Cisco2501 <-----> Linux F/W <----> Cat5505/RSM -- rest of VLANs
>                           ^     ^                              \...
>                        a.b.c.d  x.y.z.w
>
> Do a.b.c.d and x.y.z.w have to be real addresses -- it seems
> to me that the masquerading code will send out masqueraded
> packets to the Internet with a source IP of x.y.z.w, which
> then needs to be a real, routable address.

AFAIK this is correct. If this link is an ethernet segment, you should
allocate a /30 out of your address space for it. If, on the other hand, this
is a serial link (e.g. you have a HDLC card in the Linux box plugged into a
serial port on the Cisco), you can make this link unnumbered, so a.b.c.d is
the same as the Cisco's interface to the outside world, and x.y.z.w is
x.y.136.3

However, I expect that if you had a HDLC card in the Linux box, you
probably wouldn't be using the Cisco in the first place :-)

This does make routing awkward though. At the moment you could have just two
IP networks, X.Y.136/21 and X.Y.44/23, but splitting out a /30 will leave
you with lots of fragments.

One possibility is to use a larger than /30 for this segment, and use it as
your DMZ for servers which need full Internet connectivity (e.g. stick your
FTP and web servers on it).

There are also nasty tricks you can do with proxyARP (to use the same IP
network on both sides of the firewall) - I would avoid those if possible.

Another solution: you could put a second Linux box behind the firewall, with
virtual interfaces on both the 192.168 and X.Y networks, and do the
masquerading on that. If you were going to have a separate box as web cache
or mail server, that would be a reasonable place to put it.

> Or is it possible to get the box to masquerade so that it
> sends packets out the x.y.z.w I/F with a source IP of X.Y.136.3?

Just hack the kernel to make it do what you want :-)
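The reply's point about a /30 "leaving you with lots of fragments" is easy to quantify. The following is an added example, not part of the original message, using Python's standard ipaddress module. It assumes constructed RFC 1918 stand-ins (10.0.136.0/21 and 10.0.44.0/23) for the X.Y.136/21 and X.Y.44/23 networks in the thread, and a hypothetical link subnet carved from the end of the /21; it reports how many CIDR aggregates (and therefore how many routes or filter rules) are left after the link subnet is removed, and which two addresses a /30 actually leaves for a.b.c.d and x.y.z.w.

```python
import ipaddress

# Constructed stand-ins for the post's X.Y.136/21 and X.Y.44/23 (not the real addresses).
INSIDE_BLOCKS = ["10.0.136.0/21", "10.0.44.0/23"]


def carve_link_net(parent: str, link_net: str):
    """Remove link_net from parent and return the remaining aggregates, largest first.

    address_exclude() returns the minimal set of CIDR blocks covering parent minus
    link_net; each block is one more route/rule you have to carry.
    """
    p = ipaddress.ip_network(parent)
    link = ipaddress.ip_network(link_net)
    if not link.subnet_of(p):
        raise ValueError(f"{link_net} is not inside {parent}")
    return sorted(p.address_exclude(link), key=lambda n: n.prefixlen)


def route_count(parent: str, link_net: str) -> int:
    """Number of aggregates left once link_net is carved out of parent."""
    return len(carve_link_net(parent, link_net))


def link_addresses(link_net: str):
    """The usable host addresses of a point-to-point link subnet.

    For a /30 this is exactly two: one for the Cisco side (a.b.c.d in the
    thread) and one for the Linux side (x.y.z.w); the other two addresses
    are the network and broadcast addresses.
    """
    hosts = list(ipaddress.ip_network(link_net).hosts())
    return tuple(str(h) for h in hosts)


if __name__ == "__main__":
    parent = INSIDE_BLOCKS[0]
    for link in ("10.0.143.252/30", "10.0.143.192/26"):  # hypothetical link / DMZ subnets
        pieces = carve_link_net(parent, link)
        print(f"{parent} minus {link}: {len(pieces)} aggregates")
        for n in pieces:
            print(f"   {n}")
    print("link hosts for 10.0.143.252/30:", link_addresses("10.0.143.252/30"))
```

Carving a /30 out of the /21 leaves nine aggregates (a /22, /23, /24, ... down to a /30) instead of one, wherever inside the /21 you place it; the larger DMZ subnet the reply suggests (a /26 here) leaves five. That difference is what the post means by fragments, and it is also the number of extra lines each router and the firewall's rule set now have to get right.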
