Very Computer

I have a problem with a following network configuration.
I have two real IP-addresses (abc.abc.abc.a and abc.abc.abc.b)
for use with three computers (foo, bar, xyz). So I have to
use two private IP-addresses (foo.bar.xyz.1 and foo.bar.xyz.2).
Computers foo and bar are registered in DNS server.

Computers foo and bar should be visible to the rest of the world.
Computer xyz should be hided from the rest of the world. Computer
xyz should still be able to use ftp-servers in the rest of the world.

                        Internet, DNS...                                
                                |
                                |
This side runs 10 Mbs ethernet. | eth0 = abc.abc.abc.a (real IP)
                            --------
                            | foo  | firewall
                            |      |
                            --------
This side runs 100 Mbs ethernet.| eth1 = foo.bar.zyz.1 (private IP)
                                |
                            --------
                            |      |  hub
                            --------
                           /        \
                          /          \                                  
                      --------    --------
                      | bar  |    | xyz  |
                      |      |    |      |
                      --------    --------
eth0 = abc.abc.abc.b (real IP)    eth0 = foo.bar.xyz.2 (private IP)

Linux's NAT is still in works. Could this be done with IP-Alias or
IP-tunnel or Proxy-Arp?

How should I configure the computers? Computers run Linux,
at the moment they are running Linux 2.0.36 and Debian 2.0.
--

                        http://www.iki.fi/ylinen/

The days run away like horses over the hills. -U2

  The static NAT masq patch from Wensong Zhang works extremely well.  He
just added ICMP support for me last weekend (THANKS!). You can use it in
combination with proxy ARP entries and host routes to do what you want.
If you have questions on how to set it up to work with proxy ARP and
host routes.... go get a Checkpoint Firewall-1 manual to explain the
method. If you have control of the Internet router, you can add host
routes to it and forget the proxy ARP all together.

John Gruber

I posted this follow-up to my own article. I changed faked
IP-addresses for real IP-addresses. I also changed faked
hostnames for real hostnames.

I have a problem with a following network configuration.
I have two real IP-addresses (193.166.95.88 and 193.166.95.89)
for use with three computers (a11a, a11b, xyz). So I have to
use two private IP-addresses (192.168.1.1 and 192.168.1.2).
Computers a11a and a11b are registered in DNS server.

Computers a11a and a11b should be visible to the rest of the world.
Computer xyz should be hided from the rest of the world. Computer
xyz should still be able to use ftp-servers in the rest of the world.

                        Internet, DNS...                                
                                |
                                |
This side runs 10 Mbs ethernet. | eth0 = 193.166.95.88 (real IP)
                            --------
                            | a11a | firewall
                            |      |
                             --------
This side runs 100 Mbs ethernet.| eth1 = 192.168.1.1 (private IP)
                                |
                            --------
                            |      |  hub
                            --------
                           /        \
                          /          \                                  
                      --------    --------
                      | a11b |    | xyz  |
                      |      |    |      |
                      --------    --------
eth0 = 193.166.95.89 (real IP)    eth0 = 192.168.1.2 (private IP)

Linux's NAT is still in works. Could this be done with IP-Alias or
IP-tunnel or Proxy-Arp?

How should I configure the computers? Computers run Linux,
at the moment they are running Linux 2.0.36 and Debian 2.0.
--

                        http://www.iki.fi/ylinen/

These days run away like horses over the hills. -U2

Thanks.  Sorry it took so long to follow up. I did look for your
posting on Friday night but it had not got here or to DejaNews by the
time I went home.

Quote:> I have a problem with a following network configuration.
> I have two real IP-addresses (193.166.95.88 and 193.166.95.89)
> for use with three computers (a11a, a11b, xyz). So I have to
> use two private IP-addresses (192.168.1.1 and 192.168.1.2).
> Computers a11a and a11b are registered in DNS server.

> Computers a11a and a11b should be visible to the rest of the world.
> Computer xyz should be hided from the rest of the world. Computer
> xyz should still be able to use ftp-servers in the rest of the world.

>                    Internet, DNS...                                
>                            |
>                            |
> This side runs 10 Mbs ethernet.    | eth0 = 193.166.95.88 (real IP)
>                        --------
>                        | a11a | firewall
>                        |      |
>                              --------
> This side runs 100 Mbs ethernet.| eth1 = 192.168.1.1 (private IP)
>                            |
>                        --------
>                        |      |  hub
>                        --------
>                       /        \
>                      /          \                                  
>                  --------    --------
>                  | a11b |    | xyz  |
>                  |      |    |      |
>                  --------    --------
> eth0 = 193.166.95.89 (real IP)       eth0 = 192.168.1.2 (private IP)

> Linux's NAT is still in works. Could this be done with IP-Alias or
> IP-tunnel or Proxy-Arp?

> How should I configure the computers?

I'm gonna assume that your default firewall policies are all accept.
You can (and _should_) close it all down a bit afterwards.

I'm also assuming your private IP LAN's netmask is 255.255.255.0.

[ Government health warning: there could be typos ]

Right on a11a do this:

route add -host 193.166.95.89 dev eth1
# You've probably already got...
route add -net 192.168.1.0 netmask 255.255.255.0 dev eth1
# Now for the proxy ARP
arp -Ds 193.166.95.89 eth0 pub
# Masqerade any connections from private IP to internet
ipfwadm -F -a m -S 192.168.0.0/16 -W eth0
# Finally prevent abuse of your masquerading (internet to internet)
ipfwadm -I -a deny -S 192.168.0.0/16 -W eth0

On a11b do this:

# This card is on a foriegn subnet - no netmask.
ifconfig eth0 193.166.95.89 netmask 255.255.255.255
# If there's a route for 193.166.95.0/24 then delete it.
route del 193.166.95.0 netmask 255.255.255.0
# This is the real subnet I'm on.
route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0
route add default gw 192.168.1.1

On xyz you've probably already got it right already:

route add default gw 192.168.1.1
route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0

If you expect significant traffic between xyz and a11b then I'd
suggest annother route to avoid all the traffic going via a11a.

On xyz:

route add -host 193.166.95.89 dev eth0

--

  .  _\\__[oo   faeces from    | Phones: +44 121 471 3789 (home)

 .  l___\\    /~~) /~~[  /   [ | PGP-fp: D7 03 2A 4B D8 3A 05 37...
  # ll  l\\  ~~~~ ~   ~ ~    ~ | http://www.wcl.bham.ac.uk/~bam/
 ###LL  LL\\ (Brian McCauley)  |