[LARTC] question about traffic control

[LARTC] question about traffic control

[Michiel van Es]

[-- Attachment #1: Type: text/html, Size: 1260 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] question about traffic control

[Markus Schulz]

On Monday 20 February 2006 13:54, Michiel van Es wrote:
> Hi,
>  I have the following situation:
>  1 gateway box with 2 WAN interfaces (eth1 and eth2).
>  1 LAN interface eth0
>  default gateway is eth2
>  I want to route all traffic with destination protocol tcp 22 (ssh)
> NOT over the default gateway eth2 but force them to find it's route
> over eth1. All other traffic must go the normal way over eth2.
>
>  Is this possible with tc or an other tool?

yes with iproute and little help from iptables for selecting which 
packets to route differently.

look at http://www.linuxguruz.com/iptables/howto/2.4routing-11.html

and please, don't send html mails to mailing lists.

Markus Schulz
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] question about traffic control

[Martin A. Brown]

Michiel,

 : I have the following situation:
 : 1 gateway box with 2 WAN interfaces (eth1 and eth2).
 : 1 LAN interface eth0
 : default gateway is eth2
 : I want to route all traffic with destination protocol tcp 22 (ssh) NOT
 : over the default gateway eth2 but force them to find it's route over
 : eth1.
 : All other traffic must go the normal way over eth2.
 : 
 : Is this possible with tc or an other tool?

You already have an answer from Markus Schulz, but I thought I might 
add a bit of help, too.  You are describing a problem that can be 
solved with policy routing.  Linux has long supported policy 
routing.  Although I have not updated my documentation in quite some 
time, you may find this document [0] helpful in untangling the 
possible configurations to support policy routing.

In short, one solution involves:

  - [optional] making an entry in the /etc/iproute2/rt_tables file
    "grep -q secondary /etc/iproute2/rt_tables \
        || echo 3 secondary > /etc/iproute2/rt_tables"
  - adding a routing table with its default route pointed out eth1
    "ip route add default via $ETH1_GW dev eth1 table secondary"
  - marking the traffic you wish to handle differently
    "iptables [ ... selectors ... ] -j MARK --set-mark 3"
  - modifying the RPDB to include select your secondary routing 
    table for traffic with fwmark 3
    "ip rule add fwmark 3 table secondary"

That should get you most of the way there.  Remember a few 
additional tips which often stump beginners with policy routing:

  - Think about the return packets.  Are they handled according to
    your plan?
  - Turn off reverse path filtering (rp_filter) [1]
  - Make sure your (S)NAT rules are correct for packets leaving
    via eth1 (the other interface).

Good luck,

-Martin

 [0] http://linux-ip.net/html/adv-multi-internet.html
 [1] http://ipsysctl-tutorial.frozentux.net/chunkyhtml/theconfvariables.html#AEN634

-- 
Martin A. Brown --- Wonderfrog Enterprises --- martin@wonderfrog.net
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc