I have a Linux 2.4.18 firewall using iptables 1.2.5. It only has a single
ethernet card, but I use IP alias so that it can talk to an internal
(non-routable) network.

I essentially have two VLANs running through a single switch. My
connection to the outside world goes directly into the switch.

Physically it sort of looks like this:

                     Internet
         4.3.2.1        |
        Firewall <-> switch <-> Internal 192.168.0.x
     192.168.0.1

I use DNAT to forward some traffic to a box in the internal network,
which is at 192.168.0.2. I reach it from the outside using 4.3.2.2.

iptables -t nat -A PREROUTING -d 4.3.2.2 -j DNAT --to-destination 192.168.0.2

That part works great, sort of. However, the machine 192.168.0.2 thinks
any DNAT traffic is coming from 192.168.0.1, rather than the appropriate
IP address out on the internet. For instance, if I forward port 80 to
192.168.0.2, and I browse the website from the outside world, it shows up
in the webserver logs as being from 192.168.0.1. Same with smtp, which is
really bad because it makes the machine a relay for the world.

I've sort of convinced myself that it's either got something to do with
using the same switch for both networks, or that I've got both internal
and external IPs on the same physical interface. I've tested this out
at a different location where I'm not limited to using the single card,
and the incoming IP addresses show up correctly to the DNAT'ed machine.

Anyone encountered a similar situation, and is there a remedy short of
sticking another card in the box?

-Don
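The symptom described above (the DNAT'ed server seeing 192.168.0.1 as the source of every forwarded connection) is exactly what a source-rewriting rule in the nat POSTROUTING chain produces. With a single interface, a blanket `-o eth0 -j MASQUERADE` (or SNAT) matches the forwarded packets as well as the LAN's own outbound traffic, because both leave through eth0. The post does not show a POSTROUTING rule, so whether one exists here is an assumption; the script below is an added example (not from the post or the list) that parses a ruleset in `iptables-save` format and reports which POSTROUTING rules would rewrite the source of a given packet. The two rulesets embedded in it are constructed: the first contains the poster's DNAT rule plus an assumed blanket MASQUERADE, the second restricts the MASQUERADE to traffic that actually originates inside 192.168.0.0/24.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format: the poster's DNAT rule plus an
# assumed blanket MASQUERADE on the single interface (not shown on the page).
SUSPECT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 4.3.2.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed: same ruleset, but the source rewrite only applies to packets
# that originate inside the LAN and are not themselves destined for the LAN.
RESTRICTED_RULES = """\
*nat
-A PREROUTING -d 4.3.2.2 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

SOURCE_REWRITING_TARGETS = {"SNAT", "MASQUERADE"}


def parse_rules(text):
    """Turn '-A CHAIN ...' lines into dicts holding the matches we care about
    (-s, -d, -o, each with its '!' negation flag) plus the jump target."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        rule = {"chain": tokens[1], "target": None,
                "src": None, "dst": None, "out": None, "raw": line}
        negate = False
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                negate = True
                i += 1
                continue
            if tok in ("-s", "--source"):
                rule["src"] = (negate, ipaddress.ip_network(tokens[i + 1], strict=False))
            elif tok in ("-d", "--destination"):
                rule["dst"] = (negate, ipaddress.ip_network(tokens[i + 1], strict=False))
            elif tok in ("-o", "--out-interface"):
                rule["out"] = (negate, tokens[i + 1])
            elif tok in ("-j", "--jump"):
                rule["target"] = tokens[i + 1]
            else:
                # Option we do not model (e.g. --to-destination): skip one token.
                i += 1
                negate = False
                continue
            i += 2
            negate = False
        rules.append(rule)
    return rules


def _match_net(spec, addr):
    """True when the address satisfies an optional (negated, network) match."""
    if spec is None:
        return True
    negated, net = spec
    return (addr in net) != negated


def _match_iface(spec, iface):
    if spec is None:
        return True
    negated, want = spec
    return (iface == want) != negated


def source_rewriters(rules, src_ip, dst_ip, out_if):
    """Return the POSTROUTING SNAT/MASQUERADE rules that would rewrite the
    source address of a packet with these properties (post-DNAT values)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return [r for r in rules
            if r["chain"] == "POSTROUTING"
            and r["target"] in SOURCE_REWRITING_TARGETS
            and _match_net(r["src"], src)
            and _match_net(r["dst"], dst)
            and _match_iface(r["out"], out_if)]


if __name__ == "__main__":
    # A forwarded web request from an outside host (constructed address),
    # after DNAT has rewritten its destination to the internal server.
    forwarded = ("203.0.113.5", "192.168.0.2", "eth0")
    for name, text in (("suspect", SUSPECT_RULES), ("restricted", RESTRICTED_RULES)):
        hits = source_rewriters(parse_rules(text), *forwarded)
        print(f"{name}: {len(hits)} rule(s) rewrite the forwarded packet's source")
        for r in hits:
            print("   ", r["raw"])
```

Feed it the nat table from `iptables-save` on the firewall and check the forwarded packet first: if any rule is listed, that rule, not the shared switch or the aliased interface, is why the web and SMTP logs show 192.168.0.1. The restricted form keeps masquerading for the LAN's own outbound connections while leaving DNAT'ed inbound traffic with its real source address, so the mail server's relay decision is made against the outside address again.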
