[Fwbuilder-discussion] DNAT bringing up an interface and stealing all other connections
From: Chris P. <fwb...@in...> - 2007-12-07 13:37:22
Hi all,

I've noticed a strange problem on a Linux 2.6 iptables 1.3.6 system regarding dnat:

oldserver 192.168.1.10
newserver 192.168.1.20
fw        192.168.1.1

Nat rules as follows:

orig src   orig dest   orig srv   new src    new dest    new srv
rfc1918    oldserver   http       original   newserver   original

I notice that the firewall adds an alias IP address to the relevant nic with the same IP as oldserver.

eth1: <BROADCAST,MULTICAST,PROMISC,UP,10000> mtu 1500 qdisc noqueue
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1:FWB4
    inet 192.168.1.10/24 brd 192.168.1.255 scope global secondary eth1:FWB4

The nat does work, but any connection that isn't http is now received by the firewall itself. This is not what I asked for.. What's more, adding a rule underneath that states

orig src   orig dest   orig srv   new src    new dest    new srv
any        oldserver   any        original   original    original

doesn't solve the problem.

Why was this extra IP address added? It could be argued that a connection to oldserver on port 80 FROM the 192.168.1.0/24 subnet would need to be natted. In this case, however, newserver would see the connection come from the original address and nat would be asymmetric and ultimately fail.

How can I achieve this very basic nat rule.. Essentially DNATing for a single service for a host that already exists?

Cheers
Chris
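Editor's note, added example (not from the thread and not fwbuilder's generated script): the raw iptables rules for the single-service DNAT described above, with a POSTROUTING SNAT for the same-subnet case so replies from newserver return through the firewall instead of going asymmetric. Addresses are the ones Chris gave; the RFC1918 list and the firewall's LAN address as SNAT source are assumptions.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) nat rules for DNATing only
# tcp/80 of an existing host to a new host. Addresses from the thread; the
# RFC1918 set and the use of the firewall LAN IP for SNAT are assumptions.
OLDSERVER=192.168.1.10
NEWSERVER=192.168.1.20
FW_LAN_IP=192.168.1.1
LAN=192.168.1.0/24
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the nat-table rules. Only tcp/80 to OLDSERVER is rewritten, so every
# other port is left alone and still reaches the real oldserver. No secondary
# address is needed for clients whose route to OLDSERVER passes through the
# firewall (i.e. clients on other subnets).
gen_nat_rules() {
    for src in $RFC1918; do
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s\n' \
            "$src" "$OLDSERVER" "$NEWSERVER"
    done
    # Hairpin case: a LAN client and NEWSERVER share a subnet, so NEWSERVER
    # would answer the client directly (asymmetric, as the thread notes).
    # POSTROUTING sees the already-DNATed destination; rewriting the source
    # to the firewall's address forces the reply back through the firewall.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport 80 -j SNAT --to-source %s\n' \
        "$LAN" "$NEWSERVER" "$FW_LAN_IP"
}

# Sanity check: how many DNAT rules the set would install.
count_dnat() { gen_nat_rules | grep -c -- '-j DNAT'; }

case "${1:-show}" in
    show)  gen_nat_rules ;;
    apply) gen_nat_rules | sh -e ;;   # needs root and iptables on the firewall
esac
```

Run without arguments to review the rules; `apply` pipes them to the shell on the firewall. Note that this does nothing for LAN clients unless the firewall actually receives their packets for oldserver, which is the case the secondary address was covering.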