[Fwbuilder-discussion] DNAT bringing up an interface and stealing all other connections
Brought to you by:
mikehorn
Menu
▾
▴
[Fwbuilder-discussion] DNAT bringing up an interface and stealing all other connections
|
From: Chris P. <fwb...@in...> - 2007-12-07 13:37:22
|
Hi all,
I've noticed a strange problem on a Linux 2.6 Iptables 1.3.6 system
regarding dnat:
oldserver 192.168.1.10
newserver 192.168.1.20
fw 192.168.1.1
Nat rules as follows:
orig src orig dest origsrv new src new dest new srv
rfc1918 oldserver http original newserver original
I notice that the firewall adds a alias IP address to the relevant nic
with the same IP as oldserver.
eth1: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc noqueue
link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1:FWB4
inet 192.168.1.10/24 brd 192.168.1.255 scope global secondary eth1:FWB4
The nat does work, but any connection that isn't http is now received by
the firewall itself. This is not what I asked for..
What's more, adding a rule underneath that states
any oldserver any original original original
doesn't solve the problem.
Why was this extra IP address added?
It could be argued that a connection to oldserver on port 80 FROM the
192.168.1.0/24 subnet would need to be natted. In this case, however,
newserver would see the connection come from the original address and nat
would be asymetric and ultimately fail.
How can I achieve this very basic nat rule.. Essentially DNATing for a
single service for a host that already exists?
Cheers
Chris
|