Friday, July 27, 2007

How to implement Proxy ARP on a Linux box

Note: if you don't know what proxy ARP is, stop reading this
and read this first: http://en.wikipedia.org/wiki/Proxy_arp

The scenario before implementing proxy ARP is shown below (Before Proxy ARP).
There is a server (10.10.10.3) on the LAN (10.10.10.0/24) that
we want to move into the DMZ. Normally, moving the server means
changing its IP address to one from a different network.
By using proxy ARP we can move the server into the DMZ without changing
any of its configuration, including its IP address.

Before proxy ARP

             |
             | eth1
         +-------+
         |Linux  |-- eth2
         |Box    |
         +-------+
             |
             | eth0
             | 10.10.10.0/24
             |
     ----|---|--------|----------
         |            |
    10.10.10.3    10.10.10.?
      Server


After implementing proxy ARP we can connect the server directly to eth2
without changing its IP address.

To implement proxy ARP, follow these steps (eth0 faces the LAN, eth2 faces the DMZ where the server now sits):

1. Turn on the proxy ARP option on the selected interfaces.
To do this, write the value 1 into the proc file for each interface.
IP forwarding (/proc/sys/net/ipv4/ip_forward) must also be enabled on the box,
otherwise it will answer the ARP requests but not pass the traffic on.

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp

2. Delete the route for the LAN from eth0.

route del -net 10.10.10.0 netmask 255.255.255.0 dev eth0

3. Add the routes for proxy ARP.

# host route for the server, which is now reached through eth2 (not eth0, where it used to sit)
route add -host 10.10.10.3 dev eth2
# the rest of the LAN stays behind eth0
route add -net 10.10.10.0 netmask 255.255.255.0 dev eth0

Now proxy ARP is working, and the systems in the LAN (10.10.10.0/24) can
communicate with the server (10.10.10.3) just as they did before proxy ARP.
Because the server's traffic now passes through the Linux box, you can add iptables rules to allow or deny access to the server if you want.
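To see why the host route must point at eth2, here is an added Python model (not code from the original post) of the kernel's proxy ARP decision: the box answers an ARP request received on an interface only when proxy_arp is on for that interface and the route to the target leaves through a different interface. The routing table mirrors steps 2 and 3; the default route via eth1 is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str  # interface the packet leaves through


def lookup(table, dst):
    """Longest-prefix match over the table, like the kernel FIB; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def should_proxy_reply(table, proxy_arp, in_dev, target):
    """Should the box answer an ARP request for `target` received on `in_dev`?
    Kernel rule, simplified (the box's own addresses and the medium_id/pvlan
    cases are ignored): proxy_arp must be on for in_dev, and the route to the
    target must leave through a different interface than the one it came in on."""
    if not proxy_arp.get(in_dev, False):
        return False
    route = lookup(table, target)
    return route is not None and route.dev != in_dev


def build_table(server_dev):
    """Routing table after steps 2 and 3. server_dev is the interface the host
    route for 10.10.10.3 points at; the default route via eth1 is assumed."""
    return [
        Route(ipaddress.ip_network("10.10.10.3/32"), server_dev),
        Route(ipaddress.ip_network("10.10.10.0/24"), "eth0"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth1"),
    ]


# step 1: proxy_arp switched on for eth0 and eth2 only
PROXY_ARP = {"eth0": True, "eth2": True, "eth1": False}

if __name__ == "__main__":
    ok = build_table("eth2")
    print(should_proxy_reply(ok, PROXY_ARP, "eth0", "10.10.10.3"))  # True: LAN host reaches the server
    print(should_proxy_reply(ok, PROXY_ARP, "eth0", "10.10.10.7"))  # False: same segment, no proxy needed
    print(should_proxy_reply(ok, PROXY_ARP, "eth2", "10.10.10.7"))  # True: server reaches the LAN
    print(should_proxy_reply(ok, PROXY_ARP, "eth1", "10.10.10.3"))  # False: proxy_arp is off on eth1
    wrong = build_table("eth0")  # host route mistakenly left on eth0
    print(should_proxy_reply(wrong, PROXY_ARP, "eth0", "10.10.10.3"))  # False: nobody answers for the server
```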

After Proxy ARP

             |
             | eth1
         +-------+
         |Linux  |------- 10.10.10.3
         |Box    | eth2
         +-------+
             |
             | eth0
             | 10.10.10.0/24
             |
     ----|---|--------|----
         |            |

4 comments:

Koteswar said...

But I want to enable proxy ARP on an interface
which will listen for only a configured IP address; if we do echo 1 > /proxy_arp it will enable it for all.
We need to ask the user to configure the interface and IP;
then if any ARP request comes for this IP, the ARP proxy should respond to it.

Is there any open source daemon available, or do we need to write a kernel thread to listen for ARP requests for the configured IPs?

neo said...

I think if you use iptables with the proxy ARP then your need might be fulfilled. Though I have not tried it, you might give it a try.
For example...

# we assume that proxy ARP is enabled
# do not allow proxy ARP for subnet
ip arp add table forward drop to 192.168.0.0/24

# deny proxy ARP for routes via eth1
ip arp add deny table forward oif eth1

Koteswar said...

Where are you allowing proxy ARP for a particular IP, say 192.168.100.1? Can you explain the meaning of those commands?

Regards
Koteswar

Minutemax said...

Do you mean

>3. Add Routes for proxy ARP
>
route add 10.10.10.3 dev eth2
> route add -net 10.10.10.0 netmask 255.255.255.0 dev eth0

i.e. that we should route things destined for the DMZ machine 10.10.10.3 to the eth2 interface, and the rest to the eth0 LAN?