[Shorewall-users] design issue?

David Smead smead@amplepower.com
Fri, 12 Apr 2002 17:13:50 -0700 (PDT)


Tom,

Thanks for confirming the nat question.  I'm keeping notes for a
mini-primer which I hope will be useful to others.

I'm trying to drop shorewall into an existing configuration without
backing up into the internal system.  We have an ancient firewall running
Linux 2.0.36, bubble gum and baling wire, (uptime - 308 days). The server
in the dmz has an IP of 192.168.1.10.  It runs Apache with virtual
servers.

The ancient firewall uses an old program called redir which redirects all
port 80 traffic for two public IPs to the server in the dmz. Local
computers on other internal networks access the dmz server using its
private IP.  Presently the dmz server is masqueraded so any email it sends
is handled properly.

So, to avoid changes that disrupt other computers I need to keep the
192.168.1.10 on the server in the dmz.  My idea is to alias the interface
with the two public IPs.  If I can proxyarp the two public IPs on the
firewall and masquerade the private number of the dmz in the firewall then
nothing should ripple out into the other systems.

If I can make things work like that then I can go into the other systems
one at a time and change their accesses to one of the public IPs. Then I
can revisit the firewall and clean it up.

Does any of this make sense.

-- 
Sincerely,

David Smead
http://www.amplepower.com.

On Fri, 12 Apr 2002, Tom Eastep wrote:

> On Fri, 12 Apr 2002, David Smead wrote:
>
> > Tom,
> >
> > I hope I'm learning something but here goes another round of ignorance.
> >
> > Is the nat file translated into rules that do static nat in both
> > directions?
>
> Yes.
>
> >
> > If one server in the dmz has 3 IPs, (aliased) and 2 of them are proxyarp'd
> > can I masquerade the other one, which is a 198.168.1.X?  Part of my
> > confusion is not understanding what IP is used on a multiple aliases IP
> > interface for a source address.
> >
>
> For outgoing connection requests, it is the primary interface. Why would
> you do such a thing though?
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
>