Re: iptables firewall and forwarding.

From: Glynn Clements
Date: 10/22/02

From: Glynn Clements <>
Date: Tue, 22 Oct 2002 05:05:26 +0100
To: "Sheldon Lee Wen" <>

Sheldon Lee Wen wrote:

> I'm in a big bind. Our Raptor firewall is toast.
> That said, now my boss wants to put in a Linux firewall.
> The dev servers are on network and the developer workstations
> are on yyy.yyy.yyy.yyy
> I have the box on both networks and masquerading, so that you can go from the
> developer workstations to the development servers. However, the development
> servers used to be on the yyy.yyy.yyy.yyy and the Raptor firewall has been
> forwarding their old yyy.yyy.yyy.yyy addresses to the
> addresses, but the Raptor firewall is not the router or gateway for the
> yyy.yyy.yyy.yyy network. So, I'm not sure how I can do that on Linux. Has the
> Raptor firewall been acting as a router as well? Do I need routed on Linux?
> How do I do this on Linux?

So the workstations think that the servers are on the same network? If
that's the case, you need to use proxy-ARP on the firewall (or,
preferably, just reconfigure the workstations to use the new addresses
for the servers).

Also, the "firewall" is already acting as a router. And, in any case,
you don't need a routing daemon (routed, gated etc) in order to
perform routing. A routing daemon exchanges routing information with
other routing daemons and updates the local routing table

On a large network, or one where routes change regularly, routing
daemons eliminate the need to update routing tables manually. On a
small network where the routes change infrequently, using a routing
daemon isn't worth the effort involved in installation and

Glynn Clements <>
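As an added example (not from the original thread) of the proxy-ARP approach described above: a shell script for the Linux box that answers ARP on the workstation side for a server's old address, DNATs it to the server's new address, and forwards only that mapped traffic, using static routes and no routing daemon. The interface names and the RFC 5737 addresses are placeholders I chose; set DRY_RUN=1 to print the commands instead of executing them.

```shell
#!/bin/sh
# Proxy-ARP plus DNAT so workstations that still use a server's OLD address
# keep working after the server moved to a new subnet behind this box.
# All addresses and interface names below are constructed placeholders.
WS_IF="${WS_IF:-eth0}"                  # interface on the workstation network
SRV_IF="${SRV_IF:-eth1}"                # interface on the new server network
OLD_ADDR="${OLD_ADDR:-192.0.2.50}"      # address the workstations still use
NEW_ADDR="${NEW_ADDR:-198.51.100.50}"   # where the server actually lives now
DRY_RUN="${DRY_RUN:-0}"

# Print the command, and execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

setup_proxy_arp_forwarding() {
    # Static forwarding is all that is needed here; no routed/gated.
    run sysctl -w net.ipv4.ip_forward=1
    # Answer ARP on the workstation side for addresses we route elsewhere.
    run sysctl -w "net.ipv4.conf.${WS_IF}.proxy_arp=1"
    # A host route out the server-side interface is what makes the kernel
    # treat OLD_ADDR as "reachable via another interface" and proxy it.
    run ip route add "${OLD_ADDR}/32" dev "$SRV_IF"
    # Rewrite the old destination to the new one before routing...
    run iptables -t nat -A PREROUTING -i "$WS_IF" -d "$OLD_ADDR" \
        -j DNAT --to-destination "$NEW_ADDR"
    # ...and forward only traffic that belongs to that mapping.
    run iptables -A FORWARD -i "$WS_IF" -o "$SRV_IF" -d "$NEW_ADDR" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$SRV_IF" -o "$WS_IF" -s "$NEW_ADDR" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check: a workstation's ARP cache should now map OLD_ADDR to this box's MAC
# on WS_IF, and the DNAT rule's packet counter should increase with traffic.
verify_hint() {
    printf 'On a workstation: arp -n %s  (expect the MAC of %s)\n' "$OLD_ADDR" "$WS_IF"
    printf 'On the firewall:  iptables -t nat -L PREROUTING -v -n\n'
}

case "${1:-}" in
    apply) setup_proxy_arp_forwarding ;;
    show)  DRY_RUN=1; setup_proxy_arp_forwarding; verify_hint ;;
esac
```

Run `sh script.sh show` first to review the generated commands, then `sh script.sh apply` as root; the FORWARD rules assume the chain's policy is DROP, as it should be on a firewall.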