Hi,

A small question: I use a traditional DNAT in my config:

DNAT net loc:192.168.50.219:443 tcp 443

That's good, that works... I want to create the same process but with a "proxy" of the IP!

For example, currently my internet client's address is sent to 192.168.50.219. I want it not to be my IP but the LAN IP of my Linux gateway (because 192.168.50.219 can't access the internet; it doesn't have a gateway address and we can't put one in...).

Thanks for your reply.
Noc Phibee wrote:
> Hi
>
> a small question :
>
> a use a traditionnal DNAT into my config :
>
> DNAT net loc:192.168.50.219:443 tcp 443
>
> That's good, that's work ...
>
> i want create the same process but with a "proxy" of the IP !
>
> For sample, actually, it's my internet client address are sent to the
> 192.168.50.219
>
> I want that it's not my IP but the Lan IP of my linux gateway
> (because 192.168.50.219 can't access to internet, he dont have a
> gateway address and we can't put it ...)

I think that Shorewall FAQ 1e describes what you want.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On 6/8/06, Tom Eastep <teastep@shorewall.net> wrote:
> Noc Phibee wrote:
> > a use a traditionnal DNAT into my config :
> > DNAT net loc:192.168.50.219:443 tcp 443
> > i want create the same process but with a "proxy" of the IP !
> >
> > For sample, actually, it's my internet client address are sent to the
> > 192.168.50.219
> >
> > I want that it's not my IP but the Lan IP of my linux gateway
> > (because 192.168.50.219 can't access to internet, he dont have a
> > gateway address and we can't put it ...)
>
> I think that Shorewall FAQ 1e describes what you want.
>
> -Tom

Hi Noc,

I am not sure that Tom has understood your question in the same way that I understand it.

The way I understand you, your .219 machine has a crazy configuration that you cannot change (why?). And that configuration is without a gateway, so the .219 machine is only able to send to your local net.

And what you propose to do is have your Linux router change the source address on packets arriving from the internet destined for the .219 machine, so that the source address becomes the Linux router's LAN address. And then you want the Linux router to do connection tracking, so that packets coming back from the .219 machine are sent on to the internet host that started the connection.

If I have understood you correctly, I don't think it is possible to do. This situation doesn't sound like FAQ 1e to me.

I am not one of the wizards on this list, so maybe someone else can think of a way to do it. But to me it sounds impossible: I don't believe that the Linux connection tracking can rewrite the destination address of packets coming back from your .219 machine.

Rune
Rune Kock wrote:
>
> If I have understood you correctly, I don't think it is possible to
> do. This situation doesn't sound like FAQ 1e to me.
>

If Rune's guess about what the OP is really trying to do is correct, take a look at how I handle my ADSL Modem -- http://www.shorewall.net/XenMyWay.html or http://www.shorewall.net/myfiles.htm.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
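Added example, not posted by any participant in the thread and not taken from the Shorewall FAQ or documentation: a Shorewall configuration that does what the original poster asked for, keeping the existing DNAT rule and adding one line to the masq file so that the forwarded connections reach 192.168.50.219 with the gateway's LAN address as their source. The interface name eth1 (the LAN side of the gateway), the gateway LAN address 192.168.50.1 and the Shorewall 3.x masq column layout are assumptions; check them against the masq file comments and the shorewall-masq documentation for the installed version before using this.

```shorewall
# /etc/shorewall/rules  (the poster's existing rule, unchanged)
#ACTION   SOURCE   DEST                     PROTO   DEST PORT(S)
DNAT      net      loc:192.168.50.219:443   tcp     443

# /etc/shorewall/masq  (added line)
# SNAT in POSTROUTING: traffic leaving eth1 towards 192.168.50.219 on
# TCP 443, from any source, gets the gateway's LAN address as its source.
# eth1 and 192.168.50.1 are assumed values, not from the thread.
#INTERFACE             SUBNET      ADDRESS        PROTO   PORT(S)
eth1:192.168.50.219    0.0.0.0/0   192.168.50.1   tcp     443
```

With both translations in place the server only ever talks to 192.168.50.1, so it needs no default route: netfilter connection tracking records the DNAT on the way in and the SNAT on the way out, and reverses both on the reply packets before they are forwarded back to the internet client. The price is that the server's own access logs now show 192.168.50.1 for every external client, so per-client attribution has to come from the gateway; giving the rule a log level (DNAT:info in the ACTION column) keeps a record there of which external address opened each connection.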