Thanks Charles for getting back to me so promptly on this...
I'm actually using your Eiger static (but have it running off a HDD etc,
I'm also running with "some" parts taken from your extended scripts).
Will I be able to set up the same with this or will I have to move over to the
Dachstein build?
Also, when I was building this I used your full extended scripts and found I
could not ping any of the aliased IP's on eth0 (and you allowed with
#EXTERN_ICMP_PORT0="0/0 : 1.2.3.12" to activate ICMP to that IP, which
worked fine).
I'm just wondering what line(s) in the ipfilter.conf configured this, as I
was comparing the standard ipfilter.conf with the one from the extended
scripts but couldn't find the difference.
Thanks again.
Regards,
Adam Niedzwiedzki
c: genis-x
a: level 1, 278-280 church street richmond, victoria, 3121, au, earth
m: +614 0732 2719
w: www.genis-x.com
icq: 325910

"Charles Steinkuehler" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]eforge.net
01/03/2002 01:20 PM

To: "Matt Schalit" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
Subject: Re: [Leaf-user] Map internal IP to Live external IP

> > Is it possible to map an internal IP so that all its outbound traffic
> > looks like it's coming from one of the aliased IP's (sic)
> > I wish to be able to set up some of my internal machines to have their own
> > "static" live IP instead of it looking like they are coming from the main
> > IP on eth0.
>
> I don't want to post to linux-router, ever again.
>
> Be that as it may, my first idea of static routes wouldn't work. They
> specify a destination, a remote IP/CIDR, and the nic the traffic goes
> out of. They don't specify the IP the traffic goes out of. Hmmm.
>
> Maybe this is what static nat can do. Anyone?

Yes, this is an application for static-NAT. There is support for this in
the default Dachstein scripts (via "pseudo" natX_ interfaces), primarily
intended for DMZ application.

If you want to "roll your own", the basic commands are:

    ip route add nat $1 via $2

to NAT inbound traffic, and:

    ip rule add prio $PRIORITY from $2 nat $1

to NAT outbound traffic.

$PRIORITY is an arbitrary priority number (must be unique for multiple NAT
rules), $1 is the public IP, and $2 is the private IP.

NOTE: When running static NAT, you must *NOT* assign the NAT'd public IP as
an alias IP to the external interface. Adding the NAT rules takes care of
getting the kernel to configure the TCP/IP stack to respond as if the NAT'd
IP was assigned to a local interface.

Of course, you'll also need appropriate firewall rules in place. I'd
suggest simply adding a DMZ network to a Dachstein firewall and using its
built-in ability to run a static-NAT DMZ, but you could use an IP in your
internal network as the destination...in this case, however, you're on your
own for firewall rules...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
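
The two commands from the reply above, wrapped in a generator that enforces the unique-priority requirement and the NOTE about not aliasing a NAT'd public IP. This is an added example, not part of the original thread or of the Dachstein scripts; the helper name gen_static_nat, the base priority 300 and all sample addresses are assumptions constructed for illustration, and the script only prints the commands.

```shell
#!/bin/sh
# Added example: generate the static-NAT commands for a table of mappings.
# All addresses below are constructed sample values.

# Addresses assigned to the external interface (constructed; on a live
# router, take these from the output of `ip addr show dev eth0`).
EXT_ADDRS="192.0.2.10 192.0.2.12"

# One "public private" pair per line (constructed).
NAT_MAP="192.0.2.20 192.168.1.20
192.0.2.21 192.168.1.21"

BASE_PRIO=300   # assumed starting priority; each rule gets the next number

# gen_static_nat MAP EXT_ADDRS BASE_PRIO  (hypothetical helper)
# Prints the commands only when every mapping passes the checks.
gen_static_nat() {
    map=$1 ext=$2 prio=$3 seen="" out=""
    while read -r pub priv; do
        [ -n "$pub" ] || continue            # skip blank lines
        if [ -z "$priv" ]; then
            echo "error: no private IP given for $pub" >&2; return 1
        fi
        case " $ext " in *" $pub "*)         # the NOTE: no alias for a NAT'd IP
            echo "error: $pub is assigned to the external interface" >&2
            return 1 ;;
        esac
        case " $seen " in *" $pub "*)
            echo "error: $pub is mapped more than once" >&2; return 1 ;;
        esac
        seen="$seen $pub"
        out="${out}ip route add nat $pub via $priv
ip rule add prio $prio from $priv nat $pub
"
        prio=$((prio + 1))                   # keeps $PRIORITY unique per rule
    done <<EOF
$map
EOF
    printf '%s' "$out"
}

# Dry run: print the commands for review instead of executing them.
gen_static_nat "$NAT_MAP" "$EXT_ADDRS" "$BASE_PRIO"
```

Firewall rules for the mapped hosts are outside what this prints and still have to be written separately.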