[CentOS] OT : iptables/arptables question

Fabian Arrotin

fabian.arrotin at arrfab.net
Tue Jan 27 13:16:00 UTC 2009


I have a CentOS box that acts as a packet filter/firewall with iptables, but
the box itself isn't able to reach the internet. Here is why:

Internet ----- public IP|ISP router|private IP  ----- private IP + public
IP/32 + public IP subnet/29|my CentOS fw|private network/dmz

As you can see my provider gave us a /29 public ip subnet but behind a
private IP subnet (192.168.X.X/24 - used for the routing between the ISP
router and the fw)
I've configured my iptables/routing correctly and machines from the DMZ
have no problems reaching the external world (use of SNAT in the nat table
of course).
The problem is that the firewall itself can't access the public network
because of its private IP 192.168.X.X used for the routing between the ISP
router and itself.
I also received a /32 public IP for the fw itself and I've added it to the
ethx:1 alias. The problem is that the kernel always decides (because the
default gw is on the private IP 192.168.X.X) that it has to use the
192.168.X.X IP address as the outbound interface. So every packet leaving the
fw (so I'm talking about the OUTPUT table and not about FORWARD nor the nat
table) comes from a 192.168.X.X IP and so never comes back (which is normal).
Question is: how can I "mangle" output packets to appear to come from the
public IP and not from 192.168.X.X?
For example, at the application layer, I can produce ICMP packets with
`ping -I my.public.ip/32 remote.host.on.internet` that come back, but of
course nothing with a traditional `ping remote.host.on.internet`.
I've had a look at arptables and tested `arptables -A OUT -s 192.168.X.X !
-d 192.168.X.0/24 -o eth3 -j mangle --mangle-ip-s my.public.ip`, but that
doesn't seem to do the trick ..

Any ideas ? 
I just hope that it was clear enough :-p
 
--
 Fabian Arrotin
 idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 6 in
progress" || sh ./answer.sh 
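The two usual ways to make the firewall's own traffic leave with its public /32, as an added example that is not part of the original post or any reply to it. The addresses and interface names in it (eth3, 192.168.1.1, 192.168.1.2, 192.168.1.0/24, 203.0.113.10) are placeholders chosen for the example, not the poster's real values. The first approach attaches a preferred source address to the default route, which is what the kernel consults for any socket that did not bind explicitly; the second rewrites the source in nat/POSTROUTING, which unlike the filter OUTPUT chain also traverses locally generated packets. The arptables mangle target in the post only rewrites fields inside ARP frames, so it never touches the IP header of an echo request. The script also parses `ip route get` output so the route change can be verified before trusting it.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses and interface
# names are placeholders (TEST-NET-3 for the public side); override them via
# the environment or edit them to match the real setup.
WAN_IF="${WAN_IF:-eth3}"                     # interface facing the ISP router
ISP_GW="${ISP_GW:-192.168.1.1}"              # ISP router's private transit IP
PRIVATE_IP="${PRIVATE_IP:-192.168.1.2}"      # firewall's private transit IP
PRIVATE_NET="${PRIVATE_NET:-192.168.1.0/24}" # transit subnet, never NAT this
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"       # firewall's own public /32 (on ethX:1)

# Approach 1: give the default route a preferred source address. The kernel
# then picks PUBLIC_IP for every locally originated socket that did not bind
# explicitly, so a plain 'ping host' behaves like 'ping -I PUBLIC_IP host'.
# No NAT is involved and the reply lands on the alias directly.
route_src_cmd() {
    echo "ip route change default via $ISP_GW dev $WAN_IF src $PUBLIC_IP"
}

# Approach 2: keep the kernel's choice and rewrite it in nat/POSTROUTING,
# which sees locally generated packets as well as forwarded ones. Packets to
# the transit subnet are excluded so the ISP router itself stays reachable.
# Syntax is that of current iptables ('! -d'); older 1.3.x releases wrote '-d !'.
snat_cmd() {
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $PRIVATE_IP ! -d $PRIVATE_NET -j SNAT --to-source $PUBLIC_IP"
}

# Extract the 'src' field from one line of 'ip route get' output, e.g.
#   8.8.8.8 via 192.168.1.1 dev eth3 src 203.0.113.10
# Prints nothing when the line carries no src hint.
route_src_of() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Ask the kernel which source it would use towards DST (default 8.8.8.8) and
# succeed only if that is the public IP. Run this after approach 1 to verify
# it; with approach 2 the route still reports the private IP and only the
# conntrack entry shows the rewritten address.
check_src() {
    dst="${1:-8.8.8.8}"
    line=$(ip route get "$dst" 2>/dev/null | head -n 1)
    [ "$(route_src_of "$line")" = "$PUBLIC_IP" ]
}

case "${1:-show}" in
    show)  route_src_cmd; snat_cmd ;;            # print the commands, change nothing
    route) eval "$(route_src_cmd)" && check_src ;;
    snat)  eval "$(snat_cmd)" ;;
    check) check_src "${2:-8.8.8.8}" ;;
    *)     echo "usage: $0 {show|route|snat|check [dst]}" >&2; exit 2 ;;
esac
```

Running it without arguments only prints the two commands; `route` or `snat` applies one of them (as root) and `check` queries the routing decision for a destination. Pick one approach, not both: once the route carries the `src` hint there is nothing left for the SNAT rule to match, and with the SNAT rule alone the `check` subcommand is expected to fail because the kernel still selects the private address before NAT.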
