transparent firewall (proxy arp?)

Jason Shein jason-gaRZxGPHtpBxZtjKW1aY+1aTQe2KTcn/ at public.gmane.org
Fri Feb 6 22:25:49 UTC 2004


http://www.ipcop.org

works like a charm.


Mark Wadden wrote:
> Greetings all,
> 
> I'm hoping someone can help me with a networking issue.  
> 
> I'm trying to set up what I would call a "transparent firewall". 
> Basically, I want to stick a machine running iptables between my
> ISP-supplied router and the switch, without having it masquerade the IPs
> of the machines it's protecting.
> 
> I had no idea where to start so I originally looked into some Linux
> bridging docs.  Then I came across this Proxy Arp how-to, which
> essentially describes my exact scenario
> (http://www.sjdjweis.com/linux/proxyarp/).  As promising as this article
> sounds, I couldn't get it to work.
> 
> I set up a RedHat 9 box as per the instructions in the how-to.  But when
> I hooked everything up (and rebooted the router and switch to clear out
> any arp tables) it wouldn't route any packets through.  From the Proxy
> Arp machine I could ping both sides (router and DMZ) but I couldn't get
> anything to go THROUGH the machine.  At one point I was able to ping
> from the DMZ side to the router, but nothing else was going through. 
> Another strange thing is that I tried a tcpdump on the Proxy Arp box and
> it was only picking up a few packets here and there (even though there
> was a lot of stuff trying to get through).
> 
> So, at this point I'm really stuck.  I should also mention that I don't
> have enough hardware to set up a test network first, so every time I try
> to "test" a change I've made I have to put this machine onto the live
> network (essentially screwing up all traffic in and out of the
> company... not a good thing since we provide hosting services for
> clients).
> 
> I'd appreciate any commentary anyone may have on this issue.  I'm also
> completely open to different approaches if this one has some obvious
> flaws.  I'm just trying to avoid IP masquerading since that's what I
> have now and it's causing a lot of DNS headaches (maybe I should just
> fix the dns problems instead...).
> 
> 
> thanks,
> 
> 
> -mark
> 
> 
> --
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
> 

-- 
" Eventually people tire of repairing broken Windows,
        And decide to replace them with something stronger"
(o_
//\        Linux - The Choice Of A GNU Generation
V_/_                     Jason Shein
       		Linux Registered User #281100
		 jason-gaRZxGPHtpBxZtjKW1aY+1aTQe2KTcn/@public.gmane.org
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
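The layout Mark describes, as an added example that is not code from this thread, from the proxy-ARP how-to he links, or from IPCop: a Linux box between the ISP router and the switch that forwards without NAT, answers ARP on each side for the addresses behind the other side, and filters what crosses it. The interface names (eth0/eth1), the 192.0.2.x addresses, the port allowed in to the DMZ hosts, and the function names are all assumptions. The check function reads the kernel knobs the whole arrangement depends on (ip_forward and per-interface proxy_arp); when any of them is off, the box can still ping both sides itself while forwarding nothing, which is the symptom described above. Pointing the check at a fake /proc tree and running the configuration with DRY_RUN=1 lets the plan be reviewed without putting the machine on the live network.

```shell
#!/bin/sh
# Added example: proxy-ARP "transparent firewall" sketch plus a pre-flight
# check. Not from the TLUG thread, the proxy-ARP how-to, or IPCop.
# Assumes the outside NIC already carries an address in the router's subnet
# and the inside NIC has an address of its own; names/addresses are
# constructed placeholders.

OUTSIDE="${OUTSIDE:-eth0}"                        # assumed: NIC facing the ISP router
INSIDE="${INSIDE:-eth1}"                          # assumed: NIC facing the switch / DMZ
ROUTER="${ROUTER:-192.0.2.1}"                     # constructed: ISP router address
DMZ_HOSTS="${DMZ_HOSTS:-192.0.2.10 192.0.2.11}"   # constructed: protected hosts
ALLOW_PORT="${ALLOW_PORT:-80}"                    # assumed: service exposed on DMZ hosts

# Execute a command, or only print it when DRY_RUN=1, so the whole plan can be
# inspected before it touches a production network.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Put the box into proxy-ARP forwarding mode. The /32 host routes are what make
# the kernel answer ARP on the outside for the DMZ hosts and hand their packets
# to the inside interface; they win over the subnet route on the outside NIC.
proxyarp_configure() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$OUTSIDE.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$INSIDE.proxy_arp=1"
    for h in $DMZ_HOSTS; do
        run ip route add "$h/32" dev "$INSIDE"
    done
    run ip route add default via "$ROUTER" dev "$OUTSIDE"
    # Stateful filtering of forwarded traffic; nothing is masqueraded, so the
    # DMZ hosts keep their own addresses end to end.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j ACCEPT
    for h in $DMZ_HOSTS; do
        run iptables -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$h" \
            -p tcp --dport "$ALLOW_PORT" -j ACCEPT
    done
}

# Pre-flight check: read the kernel settings a proxy-ARP firewall needs from
# "$1/proc/sys" (pass "" for the real /proc) and report each one that is off
# or missing. Returns the number of problems, so 0 means "ready to forward".
proxyarp_check() {
    root="$1"; problems=0
    for f in net/ipv4/ip_forward \
             "net/ipv4/conf/$OUTSIDE/proxy_arp" \
             "net/ipv4/conf/$INSIDE/proxy_arp"; do
        path="$root/proc/sys/$f"
        if [ ! -r "$path" ]; then
            echo "MISSING $f (interface not present?)"
            problems=$((problems + 1))
        elif [ "$(cat "$path")" != 1 ]; then
            echo "OFF     $f"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: DRY_RUN=1 sh proxyarp-fw.sh apply    (print the plan)
#        sh proxyarp-fw.sh check              (inspect the live kernel)
case "${1:-}" in
    check) proxyarp_check "" ;;
    apply) proxyarp_configure && proxyarp_check "" ;;
esac
```

Running `check` against the live box after the how-to's steps is the first thing to do when it pings both sides but passes nothing through: a zero in ip_forward or in either proxy_arp file explains that symptom on its own, and tcpdump on the firewall seeing only a trickle fits the same picture, since the router and hosts only ever send the box the frames whose ARP requests it answered.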