On Mon, 2002-02-04 at 20:17, Jason Lim wrote:
> Probably someone has done all this in the past, and in fact I have found a
> distro that *sounds* like it does this, but it is a weird heavily
> customized Redhat, and I would prefer to stick with the Debian that we all
> love.
>

I'm doing something similar to this using proxy arp and a single IP address
on the network, with a Debian box running a 2.4 kernel. The steps I took are
roughly as follows:

Configure both NICs with the same IP address. For convenience, use the
highest IP address in your netblock. Assuming your netblock is
192.168.0.0/24, the firewall's IP is 192.168.0.254, and the default gateway
is 192.168.0.1, run the following:

  # answer ARP for the hosts on the far side of each interface
  echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
  echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
  # drop the connected routes the kernel added for the shared address ...
  ip route del 192.168.0.0/24 dev eth0
  ip route del 192.168.0.0/24 dev eth1
  # ... and split the netblock: the gateway is out eth0, everything else out eth1
  ip route add 192.168.0.1 dev eth0
  ip route add 192.168.0.0/24 dev eth1
  # only now let the kernel forward between the two interfaces
  echo 1 > /proc/sys/net/ipv4/ip_forward

Before you do that, you'll want to do some firewalling. You'll need to use
the FORWARD table for your rules going to the hosts you're protecting. I
personally find it easier to make a pile of rules in your FORWARD table
jumping to per-IP chains, e.g.:

  # one chain per protected host; fw_2 guards 192.168.0.2
  iptables -N fw_2
  # replies to connections the host opened, and related traffic
  iptables -A fw_2 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # the only service the host offers: HTTP
  iptables -A fw_2 -m state --state NEW -p tcp --dport 80 -j ACCEPT
  # log, then drop, everything else
  iptables -A fw_2 -j LOG
  iptables -A fw_2 -j DROP
  # hand all traffic destined for the host to its chain
  iptables -A FORWARD -d 192.168.0.2 -j fw_2

and so on, for your firewall rules. Don't forget the INPUT and OUTPUT chains
to catch things going directly to your firewall.

I got this information off a web site that's bookmarked on my work computer,
if you want I'll dig up the URL tomorrow.

Anyway, hope that helps!
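The procedure above, collected into one script as an added example (this is not code from the message or the list thread). It generalises the per-IP chain into a function, puts the FORWARD rules in place before proxy ARP and ip_forward are switched on, and has a dry-run mode that prints the commands so the rule set can be reviewed on a box without root or two NICs. Everything beyond the post is an assumption and marked as such in the comments: the interface roles (eth0 towards the gateway, eth1 towards the protected hosts), the sample hosts 192.168.0.2 and 192.168.0.3 and their ports, the ssh rule on INPUT, the rate limit on the LOG rule, the default route, and the use of sysctl(8) instead of echo into /proc.

```shell
#!/bin/sh
# Added example, not from the original post. Address plan as in the post:
# 192.168.0.0/24, firewall .254 on both NICs, gateway .1. Interface roles
# are an assumption: OUT_IF faces the gateway, IN_IF faces the protected hosts.
NETBLOCK=${NETBLOCK:-192.168.0.0/24}
GATEWAY=${GATEWAY:-192.168.0.1}
OUT_IF=${OUT_IF:-eth0}
IN_IF=${IN_IF:-eth1}

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Per-host chain, named after the last octet as the post's fw_2 is.
# Arguments: host address, then the TCP ports allowed to receive NEW connections.
host_chain() {
    host=$1; shift
    chain="fw_${host##*.}"
    run iptables -N "$chain"
    run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        run iptables -A "$chain" -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done
    # assumption: rate-limit the LOG rule so a flood cannot fill the disk
    run iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "$chain: "
    run iptables -A "$chain" -j DROP
    run iptables -A FORWARD -d "$host" -j "$chain"
}

# Proxy ARP and routing, in the order the post gives: forwarding is enabled last.
proxy_arp_setup() {
    run sysctl -w "net.ipv4.conf.$OUT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$IN_IF.proxy_arp=1"
    run ip route del "$NETBLOCK" dev "$OUT_IF"
    run ip route del "$NETBLOCK" dev "$IN_IF"
    run ip route add "$GATEWAY" dev "$OUT_IF"
    run ip route add "$NETBLOCK" dev "$IN_IF"
    # assumption: the post leaves the default route implicit
    run ip route replace default via "$GATEWAY" dev "$OUT_IF"
    run sysctl -w net.ipv4.ip_forward=1
}

# Firewall first, so nothing is forwarded unfiltered once ip_forward goes on.
configure_firewall() {
    run iptables -P FORWARD DROP
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT  # assumption: ssh admin
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # constructed example hosts: a web server and a mail server
    host_chain 192.168.0.2 80
    host_chain 192.168.0.3 25 110
    # protected hosts may open connections outwards; the FORWARD policy drops the rest
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -j ACCEPT
    proxy_arp_setup
}

# "./fw.sh" prints the plan; "./fw.sh apply" executes it (needs root).
case "${1:-plan}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac
configure_firewall
```

Run it once without arguments and read the output top to bottom: the policies and per-host chains come first, and `net.ipv4.ip_forward=1` is the final line, which is the property that matters when the box is already on the wire.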