proxy ARPing - was Re: [Wylug-help] Possible IP subnet conflict

Gary Stainburn gary.stainburn at ringways.co.uk
Tue, 14 Jan 2003 12:05:02 +0000


On Monday 23 Dec 2002 5:38 pm, J Hodrien wrote:
> On 19 Dec 2002, Nigel Metheringham wrote:
> > On Thu, 2002-12-19 at 11:01, Gary Stainburn wrote:
> > > Hi Folks,
> > >
> > > one possible solution I've thought of for this problem is proxy ARPing.
> > > Would it be possible to get the Linux firewall to respond to ARP requests
> > > for the remote 10.1.0.x IP addresses, and then get it to forward them
> > > to the remote end?  In this way, there would be no need to change any
> > > routing information.
> >
> > That certainly can be done - and I have done it - but only for single IP
> > addresses.  You would need to put a full set (i.e. up to 255) of ARP entries
> > into the table - probably not a problem, but get any bigger and it would
> > be.
>
> Whoa.  It's actually loads easier than that.  I've just done it recently to
> lever out a subnet without having to change routing information.  From
> memory, you'll be wanting to look at /proc/sys/net/ipv4/conf/eth?/proxy-arp
> or something similar.  It simply proxies ARP requests from one interface to
> the others.  Worked first time, and have it working for a subnet.  Work
> involved does not change with more machines.
>
> jh

Hi John, all

I'm just about to set up a test system to try this out.

I'm going to have a Linux box on my network with IP address 10.1.1.20/16 on
eth0.

It's going to have IP address 192.168.1.1/24 on eth1 connected via a
cross-over to another Linux box pretending to be a pair of Cisco routers,
then via another cross-over to a destination host on 10.1.0.34 pretending to
be their web server.

Questions:

Which kernel version did you use?
How do I set up the ARP proxying for 10.1.0.x?
How can I NAT the traffic for 10.1.0.x and route it through the Cisco box
while not stuffing the rest of the 10.1.x.x network on eth0?

(I need the traffic NATing so that the other end knows to return the traffic
to my box.)

Is this something I can configure into a Smoothwall/IPCop-style distribution
or do I need a cut-down RH dist for the job?

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
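
The test layout described in the message, as an added example that is not part of the original thread: it enables proxy ARP on eth0, scopes it to 10.1.0.x with a more specific route, and source-NATs that traffic out of eth1. The next-hop address 192.168.1.2 for the box standing in for the Cisco routers and the probe address 10.1.2.1 are assumptions; the sysctl name used is the kernel's `proxy_arp`.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the commands by default;
# run as root with DRY_RUN=0 to apply them.
LAN_IF=eth0             # 10.1.1.20/16 side (from the message)
WAN_IF=eth1             # 192.168.1.1/24 side (from the message)
REMOTE_NET=10.1.0.0/24  # the remote 10.1.0.x range
SNAT_IP=192.168.1.1     # address the far end will reply to
NEXT_HOP=192.168.1.2    # ASSUMED address of the router stand-in
DRY_RUN=${DRY_RUN:-1}

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_proxy_arp() {
    # The kernel only answers proxy ARP on an interface that forwards.
    run sysctl -w net.ipv4.ip_forward=1
    # Answer ARP arriving on the LAN for addresses that are routed out
    # of a different interface than the one the request came in on.
    run sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
    # The /24 route beats the connected /16 (longest prefix), so only
    # 10.1.0.x is proxied; the rest of 10.1.x.x stays local to eth0.
    run ip route add "$REMOTE_NET" via "$NEXT_HOP" dev "$WAN_IF"
    # Rewrite the source so the remote end returns traffic to this box.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -d "$REMOTE_NET" \
        -j SNAT --to-source "$SNAT_IP"
}

verify_proxy_arp() {
    run sysctl "net.ipv4.conf.$LAN_IF.proxy_arp"
    # Should resolve via eth1 (proxied) ...
    run ip route get 10.1.0.34
    # ... while a constructed address elsewhere in the /16 stays on eth0.
    run ip route get 10.1.2.1
}
```

Because the box now answers ARP for a whole /24 on the LAN, other hosts' ARP caches will show its MAC address for every 10.1.0.x entry, which is worth noting for anyone monitoring the segment for ARP anomalies.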