Message-ID: <20111128143901.GA589422@jupiter.n2.diac24.net>
Date:	Mon, 28 Nov 2011 15:39:01 +0100
From:	David Lamparter <equinox@...c24.net>
To:	Greg Scott <GregScott@...rasupport.com>
Cc:	netdev@...r.kernel.org
Subject: Re: ebtables on a stick

On Sun, Nov 27, 2011 at 09:10:08AM -0600, Greg Scott wrote:
> I have a situation that needs to route mostly and bridge only a little bit.  
> 
> I have a private internal LAN, 192.168.10.nnn.  But one host in the internal side needs a real public IP Address, call it 1.2.115.157.  Everything except that public IP host needs to route.  The public host needs to bridge so it can interact with the world.  But it also needs to interact with the internal LAN.  
> 
> I have a Linux brouter set up with eth0 facing the Internet, eth1 facing the LAN as follows:
> 
> ifconfig eth0 1.2.115.146 netmask 255.255.255.240
> ifconfig eth1 192.168.10.1 netmask 255.255.255.0
[...]

This doesn't answer your question, but your use case is better solved
with proxy arp.

# host route: the public address lives on the LAN side
ip route add 1.2.115.157/32 dev eth1
# answer ARP for it on the Internet side, so upstream delivers to the router
ip neigh add proxy 1.2.115.157 dev eth0
# ... adjust iptables rules to make sure traffic is allowed
# optional, but I'd recommend:
iptables -t raw -I PREROUTING -d 1.2.115.157 -j NOTRACK
iptables -t raw -I PREROUTING -s 1.2.115.157 -j NOTRACK

on the target host:

# the public /32 on the host's NIC (ethX = its actual interface)
ip addr add 1.2.115.157/32 dev ethX
# on-link route to the LAN so the router's 192.168.10.1 is reachable
ip route add 192.168.10.0/24 dev ethX
ip route add default via 192.168.10.1

no bridge, no ebtables.

you may need to tweak shared_media/icmp redirect settings on the router,
should work as-is though.


-David
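The proxy-ARP setup above, as an added dry-run script that is not part of David's reply or the netdev thread. It renders the router-side and host-side commands from variables, first checking that the public host address really lies inside the router's WAN subnet (otherwise the upstream router never ARPs for it on that link) and that route prefixes have their host bits cleared. Function names are mine; addresses mirror the question; ethX is the thread's placeholder for the host's NIC.

```shell
#!/bin/sh
# Added example, not from the thread: emits the proxy-ARP "brouter" setup
# as a dry-run script after checking that the public host really sits inside
# the router's WAN subnet (otherwise the upstream router will never ARP for it
# on that link) and that route prefixes have their host bits cleared.
# Function names are mine; addresses mirror the question; ethX is the
# thread's placeholder for the target host's NIC.
WAN_IF=eth0;  WAN_ADDR=1.2.115.146;  WAN_PREFIX=28
LAN_IF=eth1;  LAN_ADDR=192.168.10.1; LAN_PREFIX=24
PUBLIC_HOST=1.2.115.157; HOST_IF=ethX

ip2int() {   # A.B.C.D -> 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {   # 32-bit integer -> A.B.C.D
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
network_of() {   # ADDR PREFIX -> network address (192.168.10.1 24 -> 192.168.10.0)
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    int2ip $(( $(ip2int "$1") & mask ))
}
in_subnet() {   # ADDR NET_ADDR PREFIX -> true if ADDR lies in NET_ADDR/PREFIX
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Router side: host route toward the LAN, proxy-ARP entry on the WAN side, and
# the optional NOTRACK rules (this host's traffic then bypasses conntrack, so
# any FORWARD filtering for it has to be written statelessly).
router_cmds() {
    in_subnet "$PUBLIC_HOST" "$WAN_ADDR" "$WAN_PREFIX" || {
        echo "error: $PUBLIC_HOST is outside $WAN_ADDR/$WAN_PREFIX" >&2; return 1; }
    cat <<EOF
ip route add $PUBLIC_HOST/32 dev $LAN_IF
ip neigh add proxy $PUBLIC_HOST dev $WAN_IF
iptables -t raw -I PREROUTING -d $PUBLIC_HOST -j NOTRACK
iptables -t raw -I PREROUTING -s $PUBLIC_HOST -j NOTRACK
EOF
}
# Target host side: the /32, an on-link route to the LAN, default via the router.
host_cmds() {
    cat <<EOF
ip addr add $PUBLIC_HOST/32 dev $HOST_IF
ip route add $(network_of "$LAN_ADDR" "$LAN_PREFIX")/$LAN_PREFIX dev $HOST_IF
ip route add default via $LAN_ADDR
EOF
}
```

Pipe `router_cmds` or `host_cmds` into sh on the respective machine to apply; nothing is changed until you do.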