I have a CentOS box that acts as a packet filter/firewall with iptables, but the box itself isn't able to reach the internet. Here is why:

    Internet ----- public IP |ISP router| private IP ----- private IP + public IP/32 + public IP subnet/29 |my CentOS fw| private network/dmz

As you can see, my provider gave us a /29 public IP subnet, but behind a private IP subnet (192.168.X.X/24, used for the routing between the ISP router and the fw). I've configured my iptables/routing correctly and machines from the DMZ have no problems reaching the external world (use of SNAT in the nat table, of course).

The problem is that the firewall itself can't access the public network because of its private IP 192.168.X.X used for the routing between the ISP router and itself. I also received a /32 public IP for the fw itself and I've added it to the ethx:1 alias. Problem is that the kernel always decides (because the default gw is on the private IP 192.168.X.X) that it has to use the 192.168.X.X IP address as outbound interface. So every packet leaving the fw (so I'm talking about the OUTPUT table and not about FORWARD nor the nat table) comes from a 192.168.X.X IP and so never comes back (which is normal).

Question is: how can I "mangle" output packets to appear to be coming from the public IP and not from 192.168.X.X?

For example, at the application layer, I can produce ICMP packets with `ping -I my.public.ip/32 remote.host.on.internet` that come back, but of course nothing with a traditional `ping remote.host.on.internet`.

I've had a look at arptables and tested

    arptables -A OUT -s 192.168.X.X ! -d 192.168.X.0/24 -o eth3 -j mangle --mangle-ip-s my.public.ip

but that doesn't seem to do the trick. Any ideas? I just hope that it was clear enough :-p

-- 
Fabian Arrotin
idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer.sh
Hi Fabian:

On Tue, Jan 27, 2009 at 08:16, Fabian Arrotin <fabian.arrotin at arrfab.net> wrote:
> Question is : how can i "mangle" output packets to appear coming from
> public ip and not from 192.168.X.X ?

Found this that might help you (google for: linux default outgoing ip):

"""
> On a machine with multiple interfaces, is it possible to set the default
> outgoing IP address to something other than the address for the interface
> on the outgoing route?

Yes.

ip route add 10.1.1.0/24 via 192.168.1.1 src 172.16.1.1
                                         ^^^

The src parameter tells the routing code to use this address when sending
packets. The address only needs to be on the system. IE:

ip addr add 172.16.1.1/32 dev dummy0

And send the packets out of eth0.
"""

From: http://lkml.indiana.edu/hypermail/linux/kernel/0112.1/0359.html

Just make sure you keep a separate route for your ISP's side of the private network (maybe the one created when your interface goes up will do), otherwise your routing protocol might fail.

HTH,
Filipe
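An added example, not from either message in the thread, that turns Filipe's suggestion into something checkable: it emits the routes with an explicit src hint (keeping the private-link route sourced from the private address, as his caveat asks) and parses `ip route get` output to confirm which source address the kernel will put on locally generated packets. The interface eth3, the router address 192.168.0.1, the firewall's private address 192.168.0.2 and its public /32 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values (constructed):
#   eth3            interface towards the ISP router
#   192.168.0.1     ISP router's private-side address (default gateway)
#   192.168.0.0/24  the private link between router and firewall
#   192.168.0.2     firewall's private address on that link
#   203.0.113.10    the /32 public address assigned to the firewall itself

# Emit the commands that keep the private-link route sourced from the private
# address while pinning the public address as the source hint on the default route.
fix_commands() {
    gw=$1; dev=$2; net=$3; priv=$4; pub=$5
    printf 'ip addr add %s/32 dev %s\n' "$pub" "$dev"                   # skip if already on ethx:1
    printf 'ip route replace %s dev %s src %s\n' "$net" "$dev" "$priv"  # still talk to the router from the private IP
    printf 'ip route replace default via %s dev %s src %s\n' "$gw" "$dev" "$pub"
}

# Extract the "src" field from one line of `ip route get <dst>` output: the
# address the kernel will use for locally generated packets to that destination.
route_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") print $(i + 1) }'
}

# Return 0 when the selected source matches the expected address, 1 otherwise.
check_src() {
    [ "$(route_src "$1")" = "$2" ]
}

# Constructed `ip route get 198.51.100.1` output before and after applying fix_commands.
BEFORE='198.51.100.1 via 192.168.0.1 dev eth3 src 192.168.0.2'
AFTER='198.51.100.1 via 192.168.0.1 dev eth3 src 203.0.113.10'

# On the real box (as root):
#   fix_commands 192.168.0.1 eth3 192.168.0.0/24 192.168.0.2 203.0.113.10 | sh
#   check_src "$(ip route get 198.51.100.1 | head -n 1)" 203.0.113.10 && echo "public src selected"
```

The generated routes are not persistent across reboots on CentOS; put them in the interface's route-ethX file once `ip route get` confirms the public address is selected.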