[Shorewall-users] design issue?

Tom Eastep teastep@shorewall.net
Sat, 13 Apr 2002 06:14:48 -0700 (Pacific Daylight Time)


On Fri, 12 Apr 2002, David Smead wrote:

> Tom,
> Thanks for confirming the nat question.  I'm keeping notes for a
> mini-primer which I hope will be useful to others.
> I'm trying to drop shorewall into an existing configuration without
> backing up into the internal system.  We have an ancient firewall running
> Linux 2.0.36, bubble gum and baling wire, (uptime - 308 days). The server
> in the dmz has an IP of  It runs Apache with virtual
> servers.
> The ancient firewall uses an old program called redir which redirects all
> port 80 traffic for two public IPs to the server in the dmz. Local
> computers on other internal networks access the dmz server using its
> private IP.  Presently the dmz server is masqueraded so any email it sends
> is handled properly.
> So, to avoid changes that disrupt other computers I need to keep the
> on the server in the dmz.  My idea is to alias the interface
> with the two public IPs.  If I can proxyarp the two public IPs on the
> firewall and masquerade the private number of the dmz in the firewall then
> nothing should ripple out into the other systems.
> If I can make things work like that then I can go into the other systems
> one at a time and change their accesses to one of the public IPs. Then I
> can revisit the firewall and clean it up.

On your new firewall, I would simply use port forwarding to forward port
80 from the two public IPs to your server and SNAT the server's access to
the internet.

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
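As an added illustration of the port-forward-plus-SNAT approach Tom suggests (not part of the original thread), here is what the two Shorewall files would look like. Interface and zone names (eth0 = net, dmz, loc) and the addresses (192.168.1.10 for the DMZ server, 203.0.113.10 and .11 for the two public IPs) are constructed placeholders, since the original message's addresses did not survive.

```text
#
# /etc/shorewall/rules  (constructed example, column layout of Shorewall 1.2/1.3)
# ACTION  SOURCE  DEST                 PROTO  DEST     SOURCE   ORIGINAL
#                                             PORT(S)  PORT(S)  DEST
#
# Port forwarding: web traffic from the internet for either public IP
# is DNATed to the server's private address in the dmz zone.
DNAT      net     dmz:192.168.1.10     tcp    80       -        203.0.113.10
DNAT      net     dmz:192.168.1.10     tcp    80       -        203.0.113.11
#
# When internal hosts are later moved from the private IP to a public IP,
# the same DNAT is needed from the loc zone; without it those requests
# terminate on the firewall itself instead of reaching the dmz server.
# No extra SNAT is required here because loc and dmz are separate subnets,
# so the server's replies already route back through the firewall.
DNAT      loc     dmz:192.168.1.10     tcp    80       -        203.0.113.10
DNAT      loc     dmz:192.168.1.10     tcp    80       -        203.0.113.11

#
# /etc/shorewall/masq  (constructed example)
# INTERFACE  SUBNET          ADDRESS
#
# SNAT only the dmz server's own outbound traffic to the first public IP, so
# mail it sends leaves with a consistent public source address; entries for
# the other internal networks stay as they are.
eth0         192.168.1.10    203.0.113.10
```

The private address on the server is left untouched, so nothing changes for the internal hosts that still reach it directly.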