Example 3: Transparent routing with Freeswan

This setup was given by Dominique Blas.
[BDS] One can use the broute table for this too, with "-j redirect --redirect-target DROP".

Bridge/router configuration
                                   br0 (192.168.100.254)
                     +--------------------------------+
                     !                                !   192.168.100.253       +----------------+
   ----- eth0 -------+                                +- eth1 ---------/--------+     Router     +---> Internet
   agency            !                                !   Cross                 +----------------+
    LAN              +---------------+----------------+   Cable
                                     !
                                     ! ipsec0
                                     / (192.168.100.254)
                                     !
                                     v
                           Corporate network (192.168.0.0/19)
Stations configuration
Now the challenge
One might ask why it has to be so complicated. It would be enough to configure the default gateway (or a list of subnets in the routing table) on the stations to point towards the br0 address, and the router would do its job routing towards the intranet or towards the Internet.
Yes, but imagine you have several dozen such local stations without DHCP to manage their network configuration.

A solution
So

ebtables -t nat -A PREROUTING -i eth0 -p ipv4 --ip-dst 192.168.0.0/19 -j dnat --to-dst $MAC_ADDR_OF_IPSEC0 --dnat-target ACCEPT

actually works and is enough for the challenge.

A notice on $MAC_ADDR_OF_IPSEC0. Hence this rule:

ebtables -t nat -A PREROUTING -i eth0 -p ipv4 --ip-dst 192.168.0.0/19 -j dnat --to-dst $MAC_ADDR_OF_ETH1 --dnat-target ACCEPT

Of course that's the first step.
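The script below is an added example, not part of the original page or of the ebtables project. It builds the nat/PREROUTING dnat rule from the solution above, reading the MAC of the bridge port from sysfs instead of typing it by hand, validates the address before it is spliced into the rule, and also builds the broute-table alternative mentioned in the [BDS] note. The interface names (eth0, eth1), the corporate prefix and the all-zero placeholder MAC used when the interface is not present are assumptions; override them through the environment. By default it only prints the rules; set APPLY=1 to run them on a bridge.

```shell
#!/bin/sh
# Added example (not from the original page or the ebtables project).
# Builds and optionally applies the MAC-level DNAT rule described above.
set -eu

LAN_IF="${LAN_IF:-eth0}"               # bridge port facing the agency LAN (assumed name)
WAN_IF="${WAN_IF:-eth1}"               # bridge port whose MAC frames are rewritten to (assumed name)
CORP_NET="${CORP_NET:-192.168.0.0/19}" # corporate network reached through ipsec0 (from the page)
APPLY="${APPLY:-0}"                    # 1 = run ebtables, anything else = print only

# Accept only a well-formed MAC (xx:xx:xx:xx:xx:xx, hexadecimal digits).
is_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# Read an interface's MAC from sysfs; returns non-zero when the interface is absent.
iface_mac() {
    [ -r "/sys/class/net/$1/address" ] || return 1
    cat "/sys/class/net/$1/address"
}

# The nat/PREROUTING rule from the page: rewrite the destination MAC of IPv4
# frames for the corporate prefix so the bridge's own IP stack picks them up
# and routes them; --dnat-target ACCEPT lets the frame continue after rewriting.
# Refuses to emit a rule when the MAC argument is malformed.
build_dnat_rule() {
    is_mac "$3" || return 1
    printf 'ebtables -t nat -A PREROUTING -i %s -p ipv4 --ip-dst %s -j dnat --to-dst %s --dnat-target ACCEPT\n' \
        "$1" "$2" "$3"
}

# The broute-table variant from the [BDS] note: in BROUTING, "redirect" rewrites
# the destination MAC to the receiving bridge port's own MAC, and the DROP
# target there means "route this frame" rather than "discard it".
build_broute_rule() {
    printf 'ebtables -t broute -A BROUTING -i %s -p ipv4 --ip-dst %s -j redirect --redirect-target DROP\n' \
        "$1" "$2"
}

main() {
    # Constructed placeholder MAC when running somewhere without the interface.
    mac=$(iface_mac "$WAN_IF") || mac="00:00:00:00:00:00"
    dnat=$(build_dnat_rule "$LAN_IF" "$CORP_NET" "$mac")
    broute=$(build_broute_rule "$LAN_IF" "$CORP_NET")
    if [ "$APPLY" = 1 ]; then
        $dnat
        ebtables -t nat -L PREROUTING   # confirm the rule is actually in place
    else
        printf 'would run:   %s\n' "$dnat"
        printf 'alternative: %s\n' "$broute"
    fi
}

main
```

Keeping the rule construction in a function separate from its execution means the exact command can be reviewed (or diffed against a previous run) before it changes how frames reach the bridge's IP stack, and the `ebtables -t nat -L PREROUTING` listing after applying it is the check that the rewrite is present on the right port.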
Last modified: Thursday, 22-Sep-2005 05:42:43 PDT.