Dirk Koopman
2003-Mar-14 06:26 UTC
[Shorewall-users] machine down and redirect stuff (temporarily)
I have a three legged router net/dmz/loc with a /28 of IP addresses proxyarped thru from net->dmz and this all works fine.

Unfortunately one machine on the DMZ has had a disc failure and I need to map thru one port from both net and dmz. (There is a machine on the DMZ that would talk on the DMZ to the failed machine).

Now, I have #-ed out the proxyarp for that IP, and also all the relevant rules for that machine and successfully DNATed the port from net<external ip>->loc:<local ip>. However, the obvious next line (another DNAT from the DMZ<external ip>->loc:<local ip>) doesn't work.

ie something like in rules:-

DNAT net loc:<localip> tcp 2222 - <externalip> #this works fine
DNAT dmz loc:<localip> tcp 2222 - <externalip> #this not

Dirk

--
Please Note: Some Quantum Physics Theories Suggest That When the Consumer Is Not Directly Observing This Product, It May Cease to Exist or Will Exist Only in a Vague and Undetermined State.
Tom Eastep
2003-Mar-14 06:33 UTC
[Shorewall-users] machine down and redirect stuff (temporarily)
--On Friday, March 14, 2003 02:26:20 PM +0000 Dirk Koopman <djk@tobit.co.uk> wrote:

> I have a three legged router net/dmz/loc with a /28 of IP addresses
> proxyarped thru from net->dmz and this all works fine.
>
> Unfortunately one machine on the DMZ has had a disc failure and I need
> to map thru one port from both net and dmz. (There is a machine on the
> DMZ that would talk on the DMZ to the failed machine).
>
> Now, I have #-ed out the proxyarp for that IP, and also all the relevant
> rules for that machine and successfully DNATed the port from
> net<external ip>->loc:<local ip>. However, the obvious next line
> (another DNAT from the DMZ<external ip>->loc:<local ip>) doesn't work.
>
> ie something like in rules:-
>
> DNAT net loc:<localip> tcp 2222 - <externalip> #this works fine
> DNAT dmz loc:<localip> tcp 2222 - <externalip> #this not
>

What is <externalip>? Is it an IP address configured on your external IF?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Mar-14 07:58 UTC
[Shorewall-users] machine down and redirect stuff (temporarily)
--On Friday, March 14, 2003 06:33:39 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>>
>> Now, I have #-ed out the proxyarp for that IP, and also all the relevant
>> rules for that machine and successfully DNATed the port from
>> net<external ip>->loc:<local ip>. However, the obvious next line
>> (another DNAT from the DMZ<external ip>->loc:<local ip>) doesn't work.
>>
>> ie something like in rules:-
>>
>> DNAT net loc:<localip> tcp 2222 - <externalip> #this works fine
>> DNAT dmz loc:<localip> tcp 2222 - <externalip> #this not
>>
>
> What is <externalip>? Is it an IP address configured on your external IF?
>

In a private post, Dirk indicated that <externalip> is the IP address of the machine that is down for repair.

Given that this was the case, the only reason that the first rule above works is that Dirk's ISP (like most) configures their routers with a very long ARP cache timeout. So when that router had traffic for <externalip>, it was still sending that traffic using as the destination MAC the MAC address of the external IP of Dirk's firewall.

The systems in the DMZ were configured with much shorter ARP cache timeouts. Once a system in the DMZ timed out its ARP cache entry for <externalip>, it would send "ARP who-has" requests to try to learn the MAC address corresponding to <externalip>. Since at this point no system was configured with that IP address, these requests went unanswered with the apparent result that the second DNAT rule "didn't work".

The solution in this case is to add <externalip> temporarily to the firewall's external interface. That way, the firewall will respond to ARP who-has requests for <externalip> and the second rule will "work" (and the first rule will continue to "work" should the upstream router send an ARP who-has for <externalip>).

When the failed server is put back on line and <externalip> removed from the firewall's external interface, it may take a few minutes for all of the systems in the DMZ to time out their cache entry linking <externalip> with the firewall's DMZ interface and to send their own ARP who-has request for that address (which will of course be answered by the recently repaired system).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
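A small model of the ARP-cache behaviour Tom describes, added here as an illustration and not part of the thread or of Shorewall; the addresses, MACs and the two cache timeouts (4 hours for the ISP router, 60 seconds for the DMZ host) are constructed assumptions. It shows why the net-side DNAT keeps working while the DMZ-side one fails, and what changes once <externalip> is added to the firewall.

```python
from dataclasses import dataclass, field

# Constructed values standing in for <externalip> and the MACs involved.
EXTERNAL_IP = "192.0.2.10"
FW_EXT_MAC = "00:00:00:00:00:01"   # firewall external interface
FW_DMZ_MAC = "00:00:00:00:00:02"   # firewall DMZ interface
SERVER_MAC = "00:00:00:00:00:aa"   # the DMZ server that lost its disc

@dataclass
class Host:
    name: str
    segment: str                              # "net" or "dmz"
    arp_timeout: int                          # seconds a cache entry stays valid
    cache: dict = field(default_factory=dict) # ip -> (mac, learned_at)

    def resolve(self, ip, now, responders):
        """MAC this host puts on frames for `ip` at time `now`, or None if the
        cached entry has expired and nobody answers the ARP who-has."""
        entry = self.cache.get(ip)
        if entry and now - entry[1] < self.arp_timeout:
            return entry[0]                   # still cached: no who-has is sent
        mac = responders.get(ip)              # broadcast who-has, see who replies
        if mac is None:
            self.cache.pop(ip, None)
            return None                       # unanswered: traffic cannot leave
        self.cache[ip] = (mac, now)
        return mac

def arp_responders(phase):
    """Who answers 'who-has EXTERNAL_IP' on each segment during a phase."""
    return {
        "before_failure": {"net": {EXTERNAL_IP: FW_EXT_MAC},   # proxy ARP on firewall
                           "dmz": {EXTERNAL_IP: SERVER_MAC}},  # the real server
        "after_failure":  {"net": {}, "dmz": {}},              # proxyarp line #-ed out
        "workaround":     {"net": {EXTERNAL_IP: FW_EXT_MAC},   # address added to firewall
                           "dmz": {EXTERNAL_IP: FW_DMZ_MAC}},
    }[phase]

def simulate(phase, seconds_after):
    """Return {host: mac-or-None} observed `seconds_after` the failure in `phase`."""
    hosts = [Host("isp-router", "net", arp_timeout=4 * 3600),  # long ISP timeout (assumed)
             Host("dmz-host", "dmz", arp_timeout=60)]           # short timeout (assumed)
    healthy = arp_responders("before_failure")
    for h in hosts:                           # everyone learned the address at time 0
        h.resolve(EXTERNAL_IP, 0, healthy[h.segment])
    current = arp_responders(phase)
    return {h.name: h.resolve(EXTERNAL_IP, seconds_after, current[h.segment]) for h in hosts}

if __name__ == "__main__":
    print(simulate("after_failure", 300))    # router still OK, DMZ host gets None
    print(simulate("workaround", 300))       # both resolve to a firewall MAC
```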