[fw-wiz] Use internal IP as srcaddr for packets on outside interface

From: Christopher Hicks (chicks_at_chicks.net)
Date: 01/29/04


To: Firewall Wizards mailing list <firewall-wizards@honor.icsalabs.com>
Date: Thu, 29 Jan 2004 11:45:44 -0500 (EST)

I have a Red Hat Fedora Core 1 based firewall doing some iptables
filtering and ntop between our public network and a few T1 and DSL
routers. I've been quite happy with this setup through various Red Hat
revisions. We just brought up a T1 with a new provider (Cavalier) that
I've made the default route. This provider doesn't want to give us any
IPs because we have a historic class C block - 205.166.143/24. My
current IP assignments look like:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:40 brd ff:ff:ff:ff:ff:ff
    inet 216.36.104.3/29 brd 216.36.104.7 scope global eth0
    inet 10.9.8.1/24 brd 10.9.8.255 scope global eth0:4
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:41 brd ff:ff:ff:ff:ff:ff
    inet 205.166.143.254/24 brd 205.166.143.255 scope global eth1

The 10.9.8 block is what I'm using to let the routers talk to each other.

When switching the default route over to the T1, all of my firewall's
outgoing packets get a source address of 216.36.104.3, which the T1 doesn't
recognize because it's an IP from a different provider. Since the
firewall doesn't need to connect out anywhere this isn't show-stopping,
but it'd be much better if it could connect out.

Red Hat's documentation says you can define a SRCADDR= in the interface
config to force the source address on packets to be something different,
but when I tried SRCADDR=205.166.143.254 it spewed errors.

Any suggestions?

-- 
</chris>
No, no, you're not thinking, you're just being logical.
-Niels Bohr, physicist (1885-1962)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
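Editor's added example, not part of the original post or of any reply to it. The question above is about the preferred source address the kernel picks for packets the firewall itself originates: it takes the address of the interface the default route leaves through unless the route carries a `src` hint (the Red Hat ifcfg SRCADDR= setting is, as far as I know, just the way the network scripts put that hint on the default route). The script below builds that route command for the addresses quoted in the post, refuses to proceed if the requested source is not a locally configured address (the kernel rejects such a `src`), and also shows the iptables SNAT alternative. The T1 next hop (GATEWAY, defaulting to the documentation address 192.0.2.1) is a placeholder not given in the post, and the `ip addr` listing from the post is embedded as an offline fixture so the script can be checked without root; on a live box run it with `ADDR_TEXT="$(ip -4 addr)"` and `--apply`.

```shell
#!/bin/sh
# Added example (editor's, not from the post): choose the source address the
# firewall uses for its own outgoing packets when the default route points
# at an interface whose address the new provider will not accept.
#
# Assumptions, none of which are in the post:
#   GATEWAY   placeholder for the T1 next hop (override in the environment)
#   ADDR_TEXT `ip -4 addr` output of the live box; when unset, the listing
#             quoted in the post is used as a fixture

GATEWAY=${GATEWAY:-192.0.2.1}

fixture_addrs() {
# Copied from the post, used only so the checks below run offline.
cat <<'EOF'
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:40 brd ff:ff:ff:ff:ff:ff
    inet 216.36.104.3/29 brd 216.36.104.7 scope global eth0
    inet 10.9.8.1/24 brd 10.9.8.255 scope global eth0:4
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:08:7a:41 brd ff:ff:ff:ff:ff:ff
    inet 205.166.143.254/24 brd 205.166.143.255 scope global eth1
EOF
}

addr_text() {
    if [ -n "${ADDR_TEXT:-}" ]; then printf '%s\n' "$ADDR_TEXT"; else fixture_addrs; fi
}

# local_addrs: every IPv4 address configured on the host, one per line.
local_addrs() {
    addr_text | awk '$1 == "inet" { split($2, a, "/"); print a[1] }'
}

# is_local ADDR: succeed only if ADDR is configured on some interface.
is_local() {
    local_addrs | grep -qxF "$1"
}

# route_cmd GATEWAY DEV SRC: default route with a preferred source address.
# The hint only affects packets the box originates itself and that have not
# bound a source explicitly; forwarded traffic is untouched.
route_cmd() {
    printf 'ip route replace default via %s dev %s src %s\n' "$1" "$2" "$3"
}

# snat_cmd DEV SRC: the NAT alternative. Note it rewrites every packet leaving
# DEV, forwarded ones included, unless narrowed with -s to the box's own
# addresses.
snat_cmd() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# plan GATEWAY DEV SRC: validate SRC, then print the route command.
# Fails (exit 1) when SRC is not local, since the kernel would reject it.
plan() {
    if ! is_local "$3"; then
        echo "refusing: $3 is not configured on this host" >&2
        return 1
    fi
    route_cmd "$1" "$2" "$3"
}

case "${1:-}" in
    --apply) plan "$GATEWAY" eth0 205.166.143.254 | sh ;;   # needs root
    *)       plan "$GATEWAY" eth0 205.166.143.254 ;;        # dry run: print only
esac
```

Either approach only helps if Cavalier actually routes 205.166.143/24 back down this T1, which the post implies since the block is the customer's own. Prefer the `src` hint over SNAT for the firewall's own traffic: it changes nothing about forwarded packets and leaves the nat table free for rules that are meant to translate.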
