transparent firewall (proxy arp?)

Mark Wadden mark-/2gyfjYZF1k at public.gmane.org
Fri Feb 6 21:32:10 UTC 2004


Greetings all,

I'm hoping someone can help me with a networking issue.  

I'm trying to set up what I would call a "transparent firewall". 
Basically, I want to stick a machine running iptables between my
ISP-supplied router and the switch, without having it masquerade the IPs
of the machines it's protecting.

I had no idea where to start so I originally looked into some Linux
bridging docs.  Then I came across this Proxy Arp how-to, which
essentially describes my exact scenario
(http://www.sjdjweis.com/linux/proxyarp/).  As promising as this article
sounds, I couldn't get it to work.

I set up a RedHat 9 box as per the instructions in the how-to.  But when
I hooked everything up (and rebooted the router and switch to clear out
any arp tables) it wouldn't route any packets through.  From the Proxy
Arp machine I could ping both sides (router and DMZ) but I couldn't get
anything to go THROUGH the machine.  At one point I was able to ping
from the DMZ side to the router, but nothing else was going through. 
Another strange thing is that I tried a tcpdump on the Proxy Arp box and
it was only picking up a few packets here and there (even though there
was a lot of stuff trying to get through).

So, at this point I'm really stuck.  I should also mention that I don't
have enough hardware to set up a test network first, so every time I try
to "test" a change I've made I have to put this machine onto the live
network (essentially screwing up all traffic in and out of the
company... not a good thing since we provide hosting services for
clients).

I'd appreciate any commentary anyone may have on this issue.  I'm also
completely open to different approaches if this one has some obvious
flaws.  I'm just trying to avoid IP masquerading since that's what I
have now and it's causing a lot of DNS headaches (maybe I should just
fix the DNS problems instead...).


thanks,


-mark


--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
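An added example, not part of Mark's post or of the linked how-to, showing the pieces a proxy-ARP transparent firewall needs on a Linux box with iptables: forwarding and proxy_arp enabled on both NICs, a /32 host route for every protected host out of the inside NIC, a default route out of the outside NIC, and a FORWARD chain that does the filtering with no NAT. Everything concrete here is an assumption made for the example: eth0 faces the ISP router, eth1 faces the DMZ switch, the public block is 203.0.113.8/29 (a documentation range), the router is 203.0.113.9, the firewall's own address is 203.0.113.13, and the protected hosts are 203.0.113.10 to 203.0.113.12. The script prints the commands by default so the plan can be reviewed on a desk before it goes anywhere near a live network; "apply" runs them as root and "check" shows the state to compare against.

```shell
#!/bin/sh
# Added example (not from the original post or the linked how-to): a proxy-ARP
# transparent firewall plan. Assumed layout: eth0 toward the ISP router, eth1
# toward the DMZ switch, public block 203.0.113.8/29, router 203.0.113.9,
# firewall 203.0.113.13, protected hosts 203.0.113.10-12. No NAT is used.
set -eu

OUTSIDE="${OUTSIDE:-eth0}"
INSIDE="${INSIDE:-eth1}"
ROUTER="${ROUTER:-203.0.113.9}"
FW_IP="${FW_IP:-203.0.113.13}"
PREFIX="${PREFIX:-29}"
DMZ_HOSTS="${DMZ_HOSTS:-203.0.113.10 203.0.113.11 203.0.113.12}"

# Each *_cmds function only prints the commands it would run, one per line,
# so the plan can be reviewed (and tested) without touching the live network.

sysctl_cmds() {
    # Forwarding lets traffic cross the box; proxy_arp on both sides makes it
    # answer ARP for any address it has a route to via the *other* interface.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$OUTSIDE"
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$INSIDE"
}

addr_cmds() {
    # The outside NIC carries the firewall's real address in the public /29.
    # The inside NIC reuses the same address as a /32 so the box has a source
    # address on that side without consuming another public IP (assumption).
    printf 'ip addr add %s/%s dev %s\n' "$FW_IP" "$PREFIX" "$OUTSIDE"
    printf 'ip addr add %s/32 dev %s\n' "$FW_IP" "$INSIDE"
    printf 'ip link set %s up\n' "$OUTSIDE"
    printf 'ip link set %s up\n' "$INSIDE"
}

host_route_cmd() {
    # A /32 route for one DMZ host through the inside NIC. It is more specific
    # than the connected /29 on the outside NIC, so the kernel forwards inward,
    # and proxy_arp makes the box answer the router's ARP for that host.
    printf 'ip route add %s/32 dev %s\n' "$1" "$INSIDE"
}

route_cmds() {
    for h in $DMZ_HOSTS; do
        host_route_cmd "$h"
    done
    # DMZ hosts ARP for the router; the box answers because its route to the
    # router leaves via the outside NIC.
    printf 'ip route add default via %s dev %s\n' "$ROUTER" "$OUTSIDE"
}

firewall_cmds() {
    # Filtering happens in FORWARD: default drop, allow replies to existing
    # connections, anything outbound from the DMZ, and a few hosted services
    # inbound. Addresses are untouched, so no NAT/DNS rewriting problems.
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$INSIDE" "$OUTSIDE"
    for p in 80 443 53; do
        printf 'iptables -A FORWARD -i %s -o %s -p tcp --dport %s -j ACCEPT\n' \
            "$OUTSIDE" "$INSIDE" "$p"
    done
    printf 'iptables -A FORWARD -i %s -o %s -p udp --dport 53 -j ACCEPT\n' \
        "$OUTSIDE" "$INSIDE"
}

plan() {
    sysctl_cmds
    addr_cmds
    route_cmds
    firewall_cmds
}

# Dry run by default. "apply" executes each planned line (run as root).
# "check" prints the proxy_arp flags, routing table and neighbour table so a
# failing setup can be compared against the plan.
case "${1:-plan}" in
    plan)  plan ;;
    apply) plan | while read -r line; do echo "+ $line"; eval "$line"; done ;;
    check) cat "/proc/sys/net/ipv4/conf/$OUTSIDE/proxy_arp" \
               "/proc/sys/net/ipv4/conf/$INSIDE/proxy_arp"
           ip route show
           ip neigh show ;;
esac
```

The order matters: the host routes must exist before proxy_arp is useful, because the kernel only answers an ARP request on one interface when its route to the requested address leaves via a different interface; with no /32 routes the router's ARP for a DMZ host goes unanswered and nothing crosses the box, which is what a mostly silent tcpdump on the firewall looks like. Running "check" on both sides (and `ip neigh show` on the router and a DMZ host, if possible) confirms whether ARP is being answered by the firewall's MAC before any iptables rules are blamed.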