On Thu, 18 Oct 2001 nfudd@xxxxxxxxxxxx wrote:
> Hello!
>
> I'm having a problem with proxy arp. In short, I can't make it work:
[snip]
> The application: this is a firewall, using NAT. I'm trying to give some
> folks behind the firewall full access to the world, and vice versa. Yes,
> this is not good, security-wise, but customers get what customers want.
>
> The machines behind the firewall can't use the automatic proxy arp
> feature in the kernel because their ips aren't real, and wouldn't make
> much sense on the outside.
Not proxy arp. Proxy arp is arp on behalf of an _existing_ address located
elsewhere. You are merely trying to do One-2-One NAT. See below.
> The solution I have to use:
> IP3=2.2.2.3
> ifconfig eth0:3 $IP3
Do not use coloned interfaces. Deprecated. Should be removed already.
Instead use:
ip addr add ${IP3}/32 dev eth0
Then arp will work correctly and so will the following NAT.
> iptables -A PREROUTING -t nat -d $IP3 -j DNAT --to 10.10.10.191
> iptables -A POSTROUTING -t nat -s 10.10.10.191 -j SNAT --to-source $IP3
>
> This is the only way I can see of getting arp replies to be sent, and
> it looks evil.
Must be so. You are _not_ doing proxy arp. Proxy arp would be if you
actually had one of the customers machines assigned the 2.2.2.3 address
for real.
[snip]
> I'm assuming that since 'arp -an' shows the entry, the linux kernel
> got the information, and the bug is in the kernel.
Yes and no. The entry is made but there is no route to the address because
the address does not exist. Make it exist and give a route entry or just
assign the address to the interface.
> In short, is this a bug? Or am I doing something wrong?
Not a bug. ;-} Definitions are exact. Proxy arp is for a machine that
exists and has an address assigned. 1-2-1 NAT is for the case you are doing.
> --
> N Fudd -- nfudd@xxxxxxxxxxxx
> I heard that if you play the Windows CD backward, you get a satanic message.
> But that's nothing compared to when you play it forward: It installs Windows.
--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: mgm@xxxxxxxxxxxxx
WWW: http://www.paktronix.com
--------------------------------------------------
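The one-to-one NAT setup described in the reply above, as an added example script that is not from the thread and not Paktronix code: the public address goes onto the outside interface as a /32 with `ip addr add` (so the kernel owns it, answers ARP for it and has a route to it, with no `eth0:N` alias and no proxy arp), then inbound traffic is DNATed to the inside host and its outbound traffic is SNATed back to the public address. The outside interface name `eth0`, the thread's addresses `2.2.2.3` and `10.10.10.191` as sample input, the `DRY_RUN` switch, the dotted-quad check, the idempotent rule insertion via `iptables -C`, and the `-o` interface match on the SNAT rule are all assumptions and additions of this example, not part of the original posts.

```shell
#!/bin/bash
# One-to-one ("1-2-1") NAT on Linux with iproute2 and iptables.
# Added example, not the poster's script. Assumptions: outside interface
# eth0 (override with PUBLIC_IF), a DRY_RUN switch that prints the commands
# instead of running them, and an -o match on the SNAT rule.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"   # assumed outside interface
DRY_RUN="${DRY_RUN:-0}"          # 1 = print command lines, do not touch the system

# Run a command, or in dry-run mode print the command line instead.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only a dotted quad: four octets, digits only, each 0..255.
is_ipv4() {
  local ip="$1" o
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Append an iptables rule only if an identical one is not already present
# (iptables -C exits 0 when the rule exists), so re-running is safe.
add_rule() {
  local table="$1"; shift
  if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
    run iptables -t "$table" -A "$@"
  fi
}

# map_one PUBLIC_IP INTERNAL_IP
map_one() {
  local pub="$1" int="$2"
  if ! is_ipv4 "$pub" || ! is_ipv4 "$int"; then
    echo "map_one: bad address in $pub -> $int" >&2
    return 1
  fi
  # /32 on the outside interface: the kernel now owns the address, replies
  # to ARP for it, and has a route to it. No eth0:N alias, no proxy arp.
  # ip addr add fails on a duplicate, so skip it when the address is present.
  if [ "$DRY_RUN" = "1" ] || ! ip -4 addr show dev "$PUBLIC_IF" | grep -qF -- " $pub/32 "; then
    run ip addr add "$pub/32" dev "$PUBLIC_IF"
  fi
  # Inbound: rewrite the public destination to the inside host.
  add_rule nat PREROUTING -d "$pub" -j DNAT --to-destination "$int"
  # Outbound: rewrite the inside source to the public address, but only on
  # the outside interface so traffic to other inside networks stays untouched.
  add_rule nat POSTROUTING -s "$int" -o "$PUBLIC_IF" -j SNAT --to-source "$pub"
}

# Usage: DRY_RUN=1 ./one2one.sh 2.2.2.3:10.10.10.191 2.2.2.4:10.10.10.192
# Each argument is PUBLIC:INTERNAL; with no arguments nothing is changed.
for pair in "$@"; do
  map_one "${pair%%:*}" "${pair#*:}"
done
```

Run it once with `DRY_RUN=1` to see the three commands it would issue, then as root without it. The NAT rules only do anything if `net.ipv4.ip_forward` is 1 and the `filter` table's FORWARD chain lets the traffic through; the "full access" the poster wants means that chain has to accept both directions for the mapped host, which is exactly the exposure the poster already acknowledges.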