
Re: Routing with Linux



Burner wrote:
> [-snip-]

> I guess iptables will do the trick with something like this:
>
> iptables -t nat -A POSTROUTING -o eth3 -s 192.168.1.135 -j SNAT --to 1.2.3.135

Yup, and you can add a SNAT rule for the returning traffic too :-)

> iproute2 looks way more flexible than iptables though. Is this flexibility at the cost of performance, or is it just a new wonderland for network admins? :)

iproute2 (ip) is used for routing, not for setting NAT or packet filter rules. You can do everything you used ifconfig and route for, and a lot more.
Have a look at the "Linux Advanced Routing & Traffic Control HOWTO"
<http://lartc.org/>

> I really do like what I learned about iproute2 so far.

We have been using it for 3 years now, and with a little help from zebra <http://www.zebra.org/>
we were able to replace all Cisco routers in our internal network.

Oh and it all works a lot better now :-)

> It seems to be worth reading the documentation in any case.

That's a good idea.

> Without the map-to argument, the traffic would just go out with the default
> address (likely 1.2.3.129 in the case of my example). I haven't done
> enough testing with netfilter to know if this problem still exists in
> the 2.4 kernel; my experience was from testing kernels up to 2.2.19.

Yes, it does. So you have to make sure to disable spoofprotect in /etc/network/options as soon as you have to work with async routes.


> I would be happy to receive any hints from someone who has done anything
> like this before.

Put your boxes in a private IPv4 network.
Use iptables SNAT/DNAT and IP aliasing. Put your old public IPs up on your firewall and write a good policy to protect your firewall box.

Should be done in less than 30 minutes on an installed Debian woody box.
You don't need special routing tables to do that.

> //Burner

greets Uwe
--
X-Tec GmbH
Institute for Computer and Network Security
WWW : http://www.x-tec.de/
IPv6: http://www.ipv6.x-tec.de/
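The SNAT/DNAT setup discussed in the thread, as an added example that is not code from either poster: a small POSIX sh script that prints the rule pair for a static 1:1 NAT of internal hosts onto their old public addresses (the reply's 192.168.1.135 -> 1.2.3.135 on eth3) and the per-interface sysctl that turns off the rp_filter check that Debian's spoofprotect option enables. The host list, the 1.2.3 public prefix and the interface name are constructed sample values; rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the netfilter rules for a
# static 1:1 NAT (private host <-> public address) plus the rp_filter sysctl.

# public_for PRIVATE_IP PUBLIC_PREFIX
# Keep the host octet, swap the network part: 192.168.1.135, 1.2.3 -> 1.2.3.135
public_for() {
    printf '%s.%s\n' "$2" "${1##*.}"
}

# one_to_one_nat PRIVATE_IP PUBLIC_IP OUT_IF
one_to_one_nat() {
    priv=$1 pub=$2 oif=$3
    # Outbound: packets from the private host leave with the public source.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to %s\n' \
        "$oif" "$priv" "$pub"
    # Inbound: new connections arriving for the public address are sent to the
    # private host.  Replies to outbound connections do not need this rule
    # (connection tracking reverses the SNAT for them); the DNAT is what lets
    # outside hosts initiate connections to the old public IP.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to %s\n' \
        "$oif" "$pub" "$priv"
}

# rpfilter_off IFACE
# Debian's spoofprotect option sets net.ipv4.conf.*.rp_filter; with
# asymmetric routes (out on one interface, replies in on another) that check
# drops the returning packets, so it is disabled per interface here.
rpfilter_off() {
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# Constructed sample: three internal hosts that keep their old public IPs.
nat_ruleset() {
    for host in 192.168.1.135 192.168.1.140 192.168.1.200; do
        one_to_one_nat "$host" "$(public_for "$host" 1.2.3)" eth3
    done
    rpfilter_off eth3
}

nat_ruleset
```

The DNAT lines only make sense together with a filter policy that restricts what may reach the internal hosts, which is the "good policy to protect your firewall box" part of the reply.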