I have a CentOS box that acts as a packet filter/firewall with iptables but the box itself isn't able to reach internet : here why :
Internet ----- public IP|ISP router|private IP ----- private IP + public IP/32 + public IP subnet/29|my CentOS fw|private network/dmz
As you can see my provider gave us a /29 public ip subnet but behind a private IP subnet (192.168.X.X/24 - used for the routing between the ISP router and the fw) I've configured my iptables/routing correctly and machines from the DMZ have no problems reaching the external world (use of SNAT in the nat table of course). The problem is that the firewall itself can't access the public network because of his private ip 192.168.X.X used for the routing between ISP router and itself. I also received a /32 public ip for the fw itself and i've added to the ethx:1 alias . Problem is that kernel always decide that (because of default gw being on the private ip 192.168.X.X) he has to use the 192.168.X.X ip address as outbond interface. So every packet leaving (so i'm talking about OUTPUT table and not about FORWARD nor nat table) the fw comes from a 192.168.X.X ip and so never comes back (which is normal). Question is : how can i "mangle" output packets to appear coming from public ip and not from 192.168.X.X ? For example , at the application layer, i can produce icmp packets with `ping -I my.public.ip/32 remote.host.on.internet` that come back but of course nothing with a traditionnal `ping remote.host.on.internet` I've had a look at arptables and tested ` arptables -A OUT -s 192.168.X.X ! -d 192.168.X.0/24 -o eth3 -j mangle --mangle-ip-s my.public.ip` but that doesn't seem to do the trick ..
Any ideas ? I just hope that it was clear enough :-p
-- Fabian Arrotin idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 6 in progress" || sh ./answer.sh