> On Monday 03 December 2001 07:37, Reckhard, Tobias wrote:
>> Try:
>> 1. man arp (see the options -D and -s)
>> 2. http://www.linuxdoc.org/HOWTO/mini/Proxy-ARP-Subnet/
>
> If I'm using IPTABLES and I'm using the DNAT rules, why does the kernel not
> do the proxy-arp automatically? Surely what DNAT is trying to accomplish
> requires this, i.e. listening on a public IP and redirecting to a private IP.

Well, it need not be accomplished by proxy-arp, for one. Then, who's saying
the IP address that's being DNATed is in a local subnet of the firewall at
all? I.e. the firewall could have two networks attached, 1/8 and 2/8. It
could still be instructed to DNAT traffic to 2.1.1.1 to 3.1.1.1. No proxy-arp
involved. Use different tools for different tasks.

>> PS: I dislike either of these setups. If you've got separate subnets, you
>> should have separate subnet addresses, IMHO. But the above should work
>> nonetheless.
>
> So you would have 66.8.45.161/28 on the router LAN interface and something
> else on the internet interface on the firewall? Does this mean that the
> internet interface on the firewall requires a public IP?

No, you can't have the Linux firewall's external interface and the router's
'internal' interface on different subnets (well, in Linux with PtP interfaces
you can, and Cisco allows for 'ip unnumbered', so this is actually not
entirely true, but..). I'd ask for a /30 subnet to put the Cisco and the
firewall (external interface) into, in addition to the /28 subnet for the
DMZ, and have the Cisco sysadmin configure the firewall as the gateway to
that /28. The /30 subnet needn't have official addresses, BTW, in case that's
a problem, because no one should need to send traffic to the firewall
directly.

Cheers
Tobias
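The three situations discussed in this thread (DNAT to an address the firewall owns, DNAT to a spare address in the shared public subnet, and DNAT where the public address is not on the router's link at all, including the /30 link plus routed /28 DMZ design) boil down to one question: will the router ARP for the public address on the link it shares with the firewall? The script below, an added example that is not part of the original thread, makes that decision from the firewall's interface addresses and prints the arp(8) and iptables(8) commands that go with it. Only 66.8.45.161/28 comes from the thread; the interface names, the 10.0.0.0/30 link network, the 192.168.1.0/24 inside network and all router and host addresses are assumptions for illustration.

```python
"""Added example (not from the thread): for one DNAT mapping on a Linux
firewall, decide whether a proxy-ARP entry is needed as well, and emit the
matching arp/iptables commands.

Assumed for illustration: interface names, 10.0.0.0/30 link net,
192.168.1.0/24 inside net, router/host addresses. 66.8.45.161/28 is the
DMZ block mentioned in the thread.
"""
import ipaddress


def plan_dnat(ifaces, upstream, public_ip, target_ip, router_ip):
    """Classify one DNAT mapping.

    ifaces:    {"eth0": "66.8.45.162/28", ...}  the firewall's own addresses
    upstream:  interface that shares a link with the router
    public_ip: address clients connect to (matched by the DNAT rule)
    target_ip: address the DNAT rule rewrites it to
    router_ip: the router's address on the upstream link

    Cases returned:
      owned     public_ip is a firewall address: the kernel already answers
                ARP for it, the DNAT rule alone is enough.
      proxy-arp public_ip is inside the upstream link's subnet but assigned
                to no firewall interface: the router will ARP for it, so the
                firewall must publish it or the packets never arrive.
      routed    public_ip is not on the upstream link (a separate DMZ subnet
                or no local subnet at all): the router needs a route for it
                pointing at the firewall; proxy-ARP is irrelevant.
    """
    addrs = {name: ipaddress.ip_interface(a) for name, a in ifaces.items()}
    pub = ipaddress.ip_address(public_ip)
    tgt = ipaddress.ip_address(target_ip)
    rtr = ipaddress.ip_address(router_ip)
    ext = addrs[upstream]

    # Router and firewall must share the upstream subnet, or the firewall
    # cannot ARP for its gateway (PtP links / 'ip unnumbered' not modelled).
    if rtr not in ext.network:
        raise ValueError(f"router {rtr} is not on-link with {ext} ({upstream})")

    on_link = {n for n, a in addrs.items() if pub in a.network}
    if any(pub == a.ip for a in addrs.values()):
        case = "owned"
    elif upstream in on_link:
        case = "proxy-arp"
    else:
        case = "routed"

    cmds = []
    if case == "proxy-arp":
        # -D: use the hardware address of the named interface; pub: answer
        # ARP requests for this address on behalf of someone else.
        cmds.append(f"arp -i {upstream} -Ds {pub} {upstream} pub")
    if pub != tgt:
        cmds.append(
            f"iptables -t nat -A PREROUTING -i {upstream} -d {pub} "
            f"-j DNAT --to-destination {tgt}"
        )

    # Routed case: the router must carry the whole subnet if the address sits
    # on another firewall interface, otherwise just a host route.
    route_needed = None
    if case == "routed":
        prefix = next((addrs[n].network for n in on_link),
                      ipaddress.ip_network(f"{pub}/{pub.max_prefixlen}"))
        route_needed = f"{prefix} via {ext.ip}"

    target_iface = next((n for n, a in addrs.items() if tgt in a.network), None)
    return {
        "case": case,
        "commands": cmds,
        "router_route": route_needed,
        "target_on_link": target_iface,  # None: reached via a gateway
    }


# Constructed topologies.
# Flat: router and firewall share the public /28, DNAT into an inside net.
FLAT = {"eth0": "66.8.45.162/28", "eth1": "192.168.1.1/24"}
# Split: private /30 between router and firewall, public /28 on the DMZ.
SPLIT = {"eth0": "10.0.0.2/30", "eth1": "66.8.45.161/28"}

if __name__ == "__main__":
    for label, ifaces, rtr, pub, tgt in [
        ("flat, spare public IP", FLAT, "66.8.45.161", "66.8.45.170", "192.168.1.10"),
        ("flat, firewall's own IP", FLAT, "66.8.45.161", "66.8.45.162", "192.168.1.10"),
        ("split, /28 routed to firewall", SPLIT, "10.0.0.1", "66.8.45.170", "66.8.45.170"),
    ]:
        plan = plan_dnat(ifaces, "eth0", pub, tgt, rtr)
        print(f"{label}: {plan['case']}")
        for c in plan["commands"]:
            print("   ", c)
        if plan["router_route"]:
            print("    router needs: ip route", plan["router_route"])
```

In the split design the /28 case comes out as "routed" with no DNAT at all, which is the point of the /30 link: the DMZ hosts carry their public addresses themselves and the firewall merely forwards. The 1/8, 2/8, 3.1.1.1 example from the reply also classifies as "routed", since 2.1.1.1 is on a non-upstream interface and 3.1.1.1 is on no local subnet, so the target is reached through the routing table, not ARP.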