Jack Knowlton wrote:
>
> {Debian}
> ppp0: bridge interface (PPPoE via eth0)
ppp0 is a PPP(oE) interface, not a bridge interface.
> eth1: LAN with public IP interface (xxx.xxx.xxx.153)
> eth2: LAN with private IP interface (10.0.1.2)
>
> {server2}
> eth0: LAN with public IP (in /29 subnet)
> eth1: LAN with private IP (10.0.1.3)
>
> {server3}
> same as server2
Why do you need some servers to have an interface in the private LAN?
> {AP}
> eth0: LAN with private IP (10.0.1.5)
>
>
> What I want is that {Debian} does not do NAT on the LAN with public
> addressing (just route the connections to the appropriate servers) but do
> it for the LAN with private addresses,
In your iptables ruleset, just add "-s <private_subnet_prefix>" in the
SNAT or MASQUERADE rules, so only the private addresses are masqueraded.
> so that wifi clients can stay secure.
NAT is *not* for security. Netfilter NAT does *not* provide any
filtering. The use of private addresses breaks end-to-end connectivity,
and NAT merely restores partial connectivity. Broken connectivity may
be seen as some sort of security, though, but that is not the NAT
itself...
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
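The ruleset the reply describes, written out as an added example that is not part of the list post and not the author's own configuration. It uses the interface names from the post (ppp0 uplink, eth1 public /29, eth2 private LAN) and assumes the private LAN is 10.0.1.0/24, a prefix the post never states (it only shows hosts 10.0.1.2, .3 and .5); the public /29 itself is left unspecified because the post elides it. The nat table masquerades only the private prefix on the uplink, so the public LAN is routed untouched. The filter table is there to make the responder's point concrete: whatever protection the wifi clients get comes from the FORWARD chain, not from the MASQUERADE rule. The function names (`nat_rules`, `filter_rules`, `masquerade_rules_for`) and the `apply` argument are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the debian-firewall post. Assumed interface roles
# follow the post: ppp0 = PPPoE uplink, eth1 = public /29 LAN (no NAT),
# eth2 = private LAN. PRIVATE_NET is an assumption; the post only shows hosts.
WAN_IF=ppp0
PUBLIC_IF=eth1
PRIVATE_IF=eth2
PRIVATE_NET=10.0.1.0/24

# nat table in iptables-restore format. The only NAT rule carries
# "-s $PRIVATE_NET", so packets from the public /29 match nothing here and
# are simply routed with their own addresses. MASQUERADE is used because
# the ppp0 address may change; with a static uplink address SNAT
# --to-source would do the same job.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ${PRIVATE_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# filter table. NAT does no filtering, so the wifi clients are protected
# by FORWARD, not by the masquerade: replies to existing connections come
# back in, new connections are only accepted from the private LAN outward,
# and everything else to/from the private LAN is dropped by the policy.
# The public LAN is forwarded both ways (its servers are meant to be
# reachable); per-server filtering would go in place of those two rules.
filter_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${PRIVATE_IF} -s ${PRIVATE_NET} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${PUBLIC_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${PUBLIC_IF} -j ACCEPT
COMMIT
EOF
}

# Sanity check helper: how many MASQUERADE rules apply to a given source
# prefix. Expected: 1 for the private prefix, 0 for anything else.
masquerade_rules_for() {
    nat_rules | grep -c -- "-s $1 .*-j MASQUERADE" || true
}

# "./router-nat.sh apply" (as root) loads both tables atomically with
# iptables-restore; with no argument the ruleset is just printed for review.
if [ "${1:-}" = "apply" ]; then
    { nat_rules; filter_rules; } | iptables-restore
else
    nat_rules
    filter_rules
fi
```

Review the printed ruleset first; once it is loaded, `iptables -t nat -L POSTROUTING -v -n` should show the MASQUERADE counters rising only for traffic sourced from the private prefix, while a connection from a public /29 host keeps its own source address on ppp0.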