From: David Trott <linux@davidtrott.com>
To: "rwaeger@m-logix.de" <rwaeger@m-logix.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: Problems with policy based routing
Date: Fri, 16 May 2003 17:04:31 -0700
Message-ID: <1053129871.3ec57c8f445d6@www.mailshell.com>
In-Reply-To: <000147C2.3EC4D93D@192.168.206.251>
> From "rwaeger@m-logix.de" <rwaeger@m-logix.de> on 16 May 2003:
Apologies if I am stating the obvious here.
But based on your description:
> We're trying to set up a policy based Linux router to route "normal"
> services (like http(s) or ftp) over a DSL line and all other services
> (like smtp, ssh, pop3) over a leased line. The leased line router is
> listening to an official IP net. There are some internal servers (mail
> and web) which are using official IPs (but nated at Firewall-1). All
> traffic for and from these servers has to go over eth1.
It seems logical to me to configure the "main" routing tables as if the
DSL line didn't exist i.e.:
- Add routes so that any traffic for the internal network is sent via eth0.
- Add a default route that points to eth1 (the leased line) to handle
everything else.
Then create a second routing table "dslout" which handles the DSL line i.e.:
- Add routes so that any traffic for the internal network is sent via eth0.
- Add routes for any special cases that are needed on the leased line
(via eth1). Special cases are only for specific IPs such as
administrative interfaces on routers (on the leased line).
- Add a default route that points to eth2 (the DSL line) to handle
everything else.
Add the rule using a fwmark:
ip rule add fwmark 1 table dslout
Then use iptables to mark the packets:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp --dport ftp -j MARK --set-mark 1
I know this is pretty similar to what you have already, however there
are a few changes that I would like to highlight:
- It is not necessary to specify source or destination IP addresses
in the marking rules as either routing table will handle the
packets correctly.
- I am only using one fwmark because I do not believe the second
fwmark gains anything.
- I am not adding a mangle rule for ftp-data because this will only
catch passive ftp connections.
- I am not certain but I believe that if you insmod the Linux ftp
conntrack module it should route ftp data along the same route as
the original control connection. Note: You may need to add some state
tracking rules to the FORWARD chain in order to get the conntrack module
to work correctly.
Please bear in mind that I am pretty new to this myself so what I have
said may be wrong. But hopefully it might help,
David
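The setup described above, written out as a dry-run generator that prints the ip/iptables commands for review before they are run as root on the router (an added example, not part of David's message). Interface roles follow the thread (eth0 internal, eth1 leased line, eth2 DSL); the addresses are constructed RFC 5737 placeholders, the table id 100 is an assumption, and nf_conntrack_ftp is the current name of the ftp conntrack helper.

```shell
#!/bin/sh
# Added example, not from the original message. Constructed placeholder
# addresses; override via the environment for a real router.
INTERNAL_NET=${INTERNAL_NET:-192.0.2.0/24}      # internal network behind eth0
LEASED_GW=${LEASED_GW:-198.51.100.1}            # leased-line router on eth1
DSL_GW=${DSL_GW:-203.0.113.1}                   # DSL gateway on eth2
LEASED_ADMIN=${LEASED_ADMIN:-198.51.100.254}    # admin interface reached only via the leased line
TABLE=dslout
TABLE_ID=100   # assumed free id for the dslout table
MARK=1

# Print the commands instead of executing them, so the plan can be
# reviewed (or piped into "sh" as root once it looks right).
gen_policy_routing() {
    # Register the table name once; "table dslout" needs it in rt_tables.
    echo "grep -q '^$TABLE_ID $TABLE\$' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
    # main table: configured as if the DSL line did not exist
    echo "ip route replace $INTERNAL_NET dev eth0"
    echo "ip route replace default via $LEASED_GW dev eth1"
    # dslout table: internal net, leased-line special cases, default via DSL
    echo "ip route replace $INTERNAL_NET dev eth0 table $TABLE"
    echo "ip route replace $LEASED_ADMIN via $LEASED_GW dev eth1 table $TABLE"
    echo "ip route replace default via $DSL_GW dev eth2 table $TABLE"
    echo "ip route flush cache"
    # marked packets consult dslout before the main table
    echo "ip rule add fwmark $MARK table $TABLE"
    # mark the "normal" services (http, https, ftp control) in mangle
    for port in 80 443 21; do
        echo "iptables -t mangle -A PREROUTING -p tcp --dport $port -j MARK --set-mark $MARK"
    done
    # ftp helper plus state tracking in FORWARD, as the message suggests
    echo "modprobe nf_conntrack_ftp"   # ip_conntrack_ftp on 2.4-era kernels
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Commands to confirm the result on the router: which rule fires and
# what the dslout table contains.
gen_checks() {
    echo "ip rule show"
    echo "ip route show table $TABLE"
}

# Sanity check on the generated plan: number of routes placed in dslout.
count_dslout_routes() {
    gen_policy_routing | grep -c "^ip route .* table $TABLE"
}
```

Run it as `sh policy.sh` to inspect the plan; marking in PREROUTING only covers traffic forwarded through the router, so locally generated traffic would need matching rules in the mangle OUTPUT chain.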
Thread overview: 3+ messages
2003-05-16 10:27 Problems with policy based routing rwaeger
2003-05-16 11:33 ` Arnt Karlsen
2003-05-17 0:04 ` David Trott [this message]