Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
RE: [suse-security] Connecting firewall directly to router ...
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Wed, 5 Dec 2001 13:36:09 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56C87@xxxxxxxxxxxxxxxxx>
Disclaimer: I haven't tried any of this myself.

> > I got it to work (with help) by doing a 'arp -i eth0 -s
> xxx.xxx.xxx.xxx
> > 00:00:00:00:00:00 pub Where eth0 is the outside if and
> xxx.xxx.xxx.xxx is
> > the outside IP address. And of cause the correct MAC address of that
> > interface. But it dident work before I added a route!!!!
> 'route add -host
> > xxx.xxx.xxx.xxx eth1' Where eth1 is the inside of my firewall.
>
> I've tried several things to get this to work. Does my DMZ
> have to have
> public IPs for this to work?

There is no inherent difference between publiv and private IP addresses. RFC
1918 just reserves a part of the entire address space and forbids its use in
the public Internet.

> I've done this :
> iptables -t nat -A PREROUTING -p tcp --dport 80 -d
> 66.8.45.171 -j DNAT
> --to-destination 192.168.1.171:80
> arp -i eth0 -s 66.8.45.171 00:01:02:50:B8:9E pub
> echo "1" > /proc/sys/net/ipv4/conf/eth0/proxy_arp
>
> This didn't work. I still get arp requests for 66.8.45.171
> from the router at
> 66.8.45.161, but my firewall (66.8.45.162) does not answer them.
>
> I tried to add a route for 66.8.45.171 to route via 192.168.1.1 (DMZ
> interface).

Umm.. I think you've got the order wrong. IMHO and from reading the man
pages, you should do either:

1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
maybe 3. route add -host 192.168.1.171 dev eth1

I don't think step 3 is meant to be necessary.

Or, e.g. if ip_forward is zero, you could do:

1. arp -i eth0 -s 66.8.45.171 <MAC of firewall's eth0> pub

You may have got the MAC address wrong, if you're still seeing ARP requests
going unanswered. Though the Linux box should be responding nevertheless (so
the ARP requests would in fact be answered), it's just that the
corresponding MAC address doesn't exist on the LAN segment.

Cheers
Tobias

< Previous Next >