The other day I tried to replace an old Checkpoint firewall with a Linux/iptables box (Mandrake 8.2) and could not get DNAT/SNAT to work, i.e. the firewall's own Internet access was A-OK, but packets to my 16 real IP addresses wouldn't get through.

Scratching my head, I went home and set up a test network (router / firewall / client patched onto two different hubs). After a long while I figured out that I needed to define all 16 real IPs on the external interface of the firewall (in order to respond to ARPs), and then everything started working fine!

The thing is, I can use either a Checkpoint or a straight NT firewall (on different boxes) with my ISP's router with no need to mess around with ARP, but if I use a Linux box I DO need to sort out the ARP. Am I just being thick?

The reason I don't really want to ARP the external addresses from the firewall is that I would eventually like to use Heartbeat to fail over to another box, and I'd end up with two firewalls on the same subnet both claiming to want the 16 real IPs. Does anyone have links for Heartbeat/iptables setups?

Any help appreciated.

PS. Great work on netfilter.

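The setup the poster describes, as an added example that is not part of the original post nor any netfilter or Heartbeat project code: a script that generates the DNAT/SNAT rules for a block of public addresses and, separately, the commands that make the Linux box answer ARP for them, either by adding each address to the external interface (what the poster did) or by adding a proxy-ARP entry for it. Interface names (eth0/eth1), the 203.0.113.0/24 documentation addresses and the two host mappings are assumptions constructed for the example; it prints the commands by default and only executes them when `APPLY=1` is set and it is run as root.

```shell
#!/bin/sh
# Added example, not from the original post. The kernel only answers ARP for
# addresses it has been told about (interface addresses or proxy entries), so a
# DNAT rule by itself never makes a public address reachable from the ISP's
# router; the "claim" commands below are the part the poster had to add.
set -eu

EXT_IF=${EXT_IF:-eth0}   # assumption: external interface name
INT_IF=${INT_IF:-eth1}   # assumption: internal interface name

# "<public-ip> <internal-ip>" pairs, constructed for the example.
MAPPINGS="203.0.113.10 192.168.1.10
203.0.113.11 192.168.1.11"

# arp_cmd <add|del> <public-ip> <alias|proxy>
# alias: configure the address on the external interface (poster's approach).
# proxy: add a proxy-ARP entry so the box answers ARP for the address
#        without the address being configured on it.
arp_cmd() {
    case "$3" in
        alias) printf 'ip addr %s %s/32 dev %s\n' "$1" "$2" "$EXT_IF" ;;
        proxy) printf 'ip neigh %s proxy %s dev %s\n' "$1" "$2" "$EXT_IF" ;;
        *) echo "unknown ARP mode: $3" >&2; return 1 ;;
    esac
}
arp_claim()   { arp_cmd add "$1" "$2"; }
arp_release() { arp_cmd del "$1" "$2"; }

# Inbound: rewrite the public destination to the internal host.
dnat_rule() {  # dnat_rule <public-ip> <internal-ip>
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$1" "$2"
}

# Outbound: give the internal host its own public source address.
snat_rule() {  # snat_rule <public-ip> <internal-ip>
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$2" "$1"
}

# Forwarded traffic still has to pass the filter table after NAT.
forward_rules() {  # forward_rules <internal-ip>
    printf 'iptables -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$EXT_IF" "$INT_IF" "$1"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$INT_IF" "$EXT_IF" "$1"
}

# emit_rules <alias|proxy>: print the complete command set for every mapping.
emit_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "$MAPPINGS" | while read -r pub int; do
        [ -n "$pub" ] || continue
        arp_claim "$pub" "$1"
        dnat_rule "$pub" "$int"
        snat_rule "$pub" "$int"
        forward_rules "$int"
    done
}

# emit_release <alias|proxy>: print the commands that stop answering ARP for
# the public addresses (what a standby node must run before the other box
# starts claiming them).
emit_release() {
    echo "$MAPPINGS" | while read -r pub int; do
        [ -n "$pub" ] || continue
        arp_release "$pub" "$1"
    done
}

# Dry run by default; APPLY=1 executes the generated commands (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    emit_rules "${ARP_MODE:-proxy}" | sh -e
else
    emit_rules "${ARP_MODE:-proxy}"
fi
```

Whichever mode is used, the ARP claim is per-node state while the NAT rules can be identical on both boxes: in a two-firewall pair only the active node may run the `arp_claim` output, and a takeover script is where the standby would run `emit_release` on one box and `emit_rules` on the other, so that the two firewalls never answer ARP for the same 16 addresses at once. The `ip neigh add proxy` form and the `ip addr add` form are both standard iproute2 commands; which one is preferable for a given Heartbeat resource script is not something the post settles.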