[ QUOTE ]
I have one subnet (/28) where the router to the internet has one address, my ASL one on the external NIC and another one on the DMZ NIC. My whole DMZ also has addresses from this subnet. The default GW points, of course, to the router.
[/ QUOTE ]
This setup is not possible out of the box, due to missing bridging capabilities and anti-spoof mechanisms. But Astaro knows ProxyARP, and this is very helpful in this case:
- enable ProxyARP on the external as well as on the DMZ interface
- assign a fantasy IP address to the DMZ interface
- define every single IP address of the servers located in the DMZ
- set up static interface routes for the defined servers (reachable via the DMZ interface)
This was the easy part, but now we still have the AntiSPOOF problem. There is a document, http://docs.astaro.org/older_versions/ASL-V3.2/docs_v3/hacking/policy_routing.txt, which describes a mechanism for setting your own routes or running your own commands; let's use the information given there:
- login as root
- touch /etc/rc.d/ipnat.local (the document says routes.local, but...)
- chmod 400 /etc/rc.d/ipnat.local && chown root:root /etc/rc.d/ipnat.local
- joe /etc/rc.d/ipnat.local
- enter: /usr/local/bin/iptables -F SPOOF_DROP -t nat
- reboot the box
Hope I have noted everything correctly. Your feedback is really appreciated :)
Greetings
cyclops
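The boot hook from the steps above, as an added example written for this page (it is not cyclops' or Astaro's own code): a POSIX shell script that writes /etc/rc.d/ipnat.local with the permissions the post specifies and checks the result. It assumes the ASL 3.2 paths from the post (/usr/local/bin/iptables and /etc/rc.d/ipnat.local, both overridable through environment variables); the `install` argument, the chain-existence check and the helper names are assumptions of this example. One caveat for anyone copying the trick: `-F SPOOF_DROP` empties the whole chain, so anti-spoofing is switched off for every interface, not only the DMZ. Run `iptables -t nat -nL SPOOF_DROP` first and decide whether that is acceptable for the external side.

```shell
#!/bin/sh
# Added example, not from the original post. Installs the ASL 3.2 boot hook
# that flushes the SPOOF_DROP chain. Paths follow the post; override them
# via the environment (e.g. for a dry run in a scratch directory).
IPTABLES="${IPTABLES:-/usr/local/bin/iptables}"
HOOK="${HOOK:-/etc/rc.d/ipnat.local}"

# Print the hook body. The chain is checked before it is flushed, so a boot
# on a build without SPOOF_DROP does not print errors. Note that -F removes
# every rule in the chain, i.e. anti-spoof filtering for all interfaces.
hook_body() {
    cat <<EOF
#!/bin/sh
# Disable ASL anti-spoofing: the DMZ shares the external /28, so its
# source addresses look spoofed when seen on the external interface.
if $IPTABLES -t nat -nL SPOOF_DROP >/dev/null 2>&1; then
    $IPTABLES -t nat -F SPOOF_DROP
fi
EOF
}

# Write the hook atomically with the root-only, read-only permissions the
# post specifies (chmod 400, chown root:root). chown only when running as root.
install_hook() {
    dest="$1"
    tmp="$dest.tmp.$$"
    umask 077
    hook_body > "$tmp" || return 1
    chmod 400 "$tmp" || return 1
    mv -f "$tmp" "$dest" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dest"
    fi
    return 0
}

# Post-install check: file exists, mode is -r-------- and the flush is present.
verify_hook() {
    dest="$1"
    [ -f "$dest" ] || return 1
    mode=$(ls -l "$dest" | cut -c1-10)
    [ "$mode" = "-r--------" ] || return 1
    grep -q -- "-t nat -F SPOOF_DROP" "$dest"
}

# Usage: sh install-ipnat-hook.sh install   (then reboot the box)
if [ "${1:-}" = "install" ]; then
    install_hook "$HOOK" && verify_hook "$HOOK" \
        && echo "installed $HOOK; reboot to apply"
fi
```

Run it once as root with the `install` argument; without an argument it only defines the functions, which is what makes the dry run below possible.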