* Routing HTTP Through Another Link
@ 2009-08-31 18:30 Diogo Sperb Schneider
2009-09-01 5:55 ` Marek Kierdelewicz
0 siblings, 1 reply; 6+ messages in thread
From: Diogo Sperb Schneider @ 2009-08-31 18:30 UTC (permalink / raw)
To: netfilter
Greetings!
I'd like to route my HTTP traffic (ports 80 and 443) through a separate link, but I'm not sure if I must use the ROUTE target or even how to use it.
My main link has its own static IP address, so I have SNAT doing the address translation. (working)
My second link is a dynamic-IP DSL, so I believe NAT rules will need MASQUERADE instead.
Could somebody please post a sample ruleset that does the trick?
Many thanks in advance.
Best regards,
Diogo
* Re: Routing HTTP Through Another Link
2009-08-31 18:30 Routing HTTP Through Another Link Diogo Sperb Schneider
@ 2009-09-01 5:55 ` Marek Kierdelewicz
[not found] ` <BLU116-W61B4883A90045AEF7BDB6A2F10@phx.gbl>
0 siblings, 1 reply; 6+ messages in thread
From: Marek Kierdelewicz @ 2009-09-01 5:55 UTC (permalink / raw)
To: Diogo Sperb Schneider, netfilter
>Greetings!
Hello Diogo!
>I'd like to route my HTTP traffic (ports 80 and 443) through a separate
>link, but I'm not sure if I must use the ROUTE target or even how to
You can use policy routing with MARK:
# MARK is only valid in the mangle table; multiport needs an explicit -p
iptables -t mangle -A PREROUTING -i LAN_INTERFACE -p tcp -m multiport --dports 80,443 -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING -o WWW_ONLY_LINK -j MASQUERADE
ip ru add fwmark 0x10 table 100 prio 100
ip ro add default via WWW_LINK_GW table 100
assumption: WWW_LINK_GW (gateway address of www-only link) is always
the same
Be sure to place MASQ rule before SNAT rule you've written about or
specify an output interface in SNAT rule.
You can find "ip" in "iproute2" package in any distro I think.
Best regards,
Marek
* Routing HTTP Through Another Link
@ 2009-09-11 14:30 Diogo Sperb Schneider
2009-09-11 18:19 ` Diogo Sperb Schneider
2009-09-13 6:49 ` Marek Kierdelewicz
0 siblings, 2 replies; 6+ messages in thread
From: Diogo Sperb Schneider @ 2009-09-11 14:30 UTC (permalink / raw)
To: netfilter
Greetings!
I gave up on that old web-based firewall and now I'm running plain
CentOS 4.8 with 3 ethernet adapters:
eth0 = LAN
eth1 = WAN
eth2 = ADSL
So I tried the following:
ip route add default via 189.30.16.65 dev eth1 table WAN # < 1 in /etc/iproute2/rt_tables
ip route add default via 192.168.2.1 dev eth2 table ADSL # < 2 in /etc/iproute2/rt_tables
ip rule add from all fwmark 1 table WAN
ip rule add from all fwmark 2 table ADSL
iptables -t mangle -I PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2 # Tried with -I and -A with same effect
(Got those from the Linux Advanced Routing mini HOWTO)
Still, when I browse IP detection websites I get my WAN IP address.
Just for the record, my other relevant netfilter rules are:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 189.30.16.66 # <- my adapter's IP address
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.2.254 # <- my adapter's IP address
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT # HTTP
Many thanks for reading!
Diogo
^ permalink raw reply [flat|nested] 6+ messages in thread
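The scheme used in the messages above has three parts that must agree: a MARK rule in the mangle table, an "ip rule" selecting a table for that fwmark, and a default route in that table. The script below is an added example, not part of the thread; it cross-checks those three parts from command output. The sample input is constructed from the addresses and table names in the thread, and the port 25 rule with mark 0x3 is a hypothetical entry included to show a mark with no matching rule.

```shell
# Constructed sample input in the formats printed by `iptables-save -t mangle`,
# `ip rule show` and `ip route show table all` (not captured from a real host).
SAMPLE_MANGLE='*mangle
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j MARK --set-mark 0x2
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j MARK --set-mark 0x3
COMMIT'
SAMPLE_RULES='0: from all lookup local
32764: from all fwmark 0x2 lookup ADSL
32765: from all fwmark 0x1 lookup WAN
32766: from all lookup main'
SAMPLE_ROUTES='default via 192.168.2.1 dev eth2 table ADSL
default via 189.30.16.65 dev eth1 table WAN
default via 189.30.16.65 dev eth1'

# Distinct marks set by MARK rules, normalised to decimal (0x10 -> 16).
marks_set() {
  printf '%s\n' "$1" |
    sed -n 's/.*-j MARK --set-x\{0,1\}mark \([0-9a-fA-Fx]\{1,\}\).*/\1/p' |
    while read -r m; do echo $(($m)); done | sort -un
}

# Table chosen by the first fwmark rule matching decimal mark $2, else nothing.
table_for_mark() {
  printf '%s\n' "$1" | while read -r line; do
    case "$line" in *" fwmark "*" lookup "*) ;; *) continue ;; esac
    m=${line#* fwmark }; m=${m%% *}; m=${m%%/*}
    t=${line##* lookup }; t=${t%% *}
    if [ $(($m)) -eq "$2" ]; then echo "$t"; break; fi
  done
}

# Succeeds when table $2 holds a default route.
has_default() { printf '%s\n' "$1" | grep -Eq "^default .* table $2( |\$)"; }

# Report, per mark, whether a rule and a default route back it up.
audit_policy_routing() {
  for mark in $(marks_set "$1"); do
    table=$(table_for_mark "$2" "$mark")
    if [ -z "$table" ]; then
      echo "mark $mark: no ip rule selects a table for it"
    elif ! has_default "$3" "$table"; then
      echo "mark $mark: table $table has no default route"
    else
      echo "mark $mark: ok, routed by table $table"
    fi
  done
}

audit_policy_routing "$SAMPLE_MANGLE" "$SAMPLE_RULES" "$SAMPLE_ROUTES"
```

On a live router the same function can be fed `"$(iptables-save -t mangle)"`, `"$(ip rule show)"` and `"$(ip route show table all)"` as its three arguments.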