Redirecting flows among one machine's interfaces

Redirecting flows among one machine's interfaces

[Kostas Pelechrinis]

Hi all,

I am not very familiar with iptables, but what I am trying to achieve is the following:

I have a machine with two interfaces (let's say if1 -- with ip address a.b.c.d -- and if2 -- with ip address x.y.z.w) both connected to the internet. One of the two interfaces is the default interface (e.g., if1).  Whatever flow is initiated towards a destination in the Internet is going out if1.  I want to use iptables in order to redirect some of the flows to if2.  Is there a way to do this using iptables?  

I have tried some rules (e.g., iptables -A FORWARD -d k.l.m.n -o if2 -j ACCEPT // where k.l.m.n is the destination ip address of the flow I want to redirect) but with no luck.  From what I could figure out the rule FORWARD is mainly for packets that go through the machine and not that much for packets originating from the machine.  Is there a way to perform what I want with iptables ?  Given that this is possible, another question is weather iptables changing the source ip address from a.b.c.d to x.y.z.w or not.

Thanks a lot and hopefully someone can seed light on this.

Best,
Kostas


      

Re: Redirecting flows among one machine's interfaces

[Jan Engelhardt]

On Tuesday 2010-11-09 23:59, Kostas Pelechrinis wrote:

>Hi all,
>
>I am not very familiar with iptables, but what I am trying to achieve 
>is the following:
>
>I have a machine with two interfaces (let's say if1 -- with ip address 
>a.b.c.d -- and if2 -- with ip address x.y.z.w) both connected to the 
>internet. One of the two interfaces is the default interface (e.g., 
>if1).  Whatever flow is initiated towards a destination in the Internet 
>is going out if1.  I want to use iptables in order to redirect some of 
>the flows to if2.  Is there a way to do this using iptables?

Using -j MARK and iproute2 policy routing.

>I have tried some rules (e.g., iptables -A FORWARD -d k.l.m.n -o if2 -j 
>ACCEPT // where k.l.m.n is the destination ip address of the flow I 
>want to redirect) but with no luck.

Well guess why: it _tests_ whether the outgoing interface is (already) 
if2.

Re: Redirecting flows among one machine's interfaces

[Kostas Pelechrinis]

Thanks a lot.  I am checking iproute2 now but can you give any pointers/hints.

Thanks a lot,
Kostas

--- On Tue, 11/9/10, Jan Engelhardt <jengelh@medozas.de> wrote:

> From: Jan Engelhardt <jengelh@medozas.de>
> Subject: Re: Redirecting flows among one machine's interfaces
> To: "Kostas Pelechrinis" <kpele_ntua@yahoo.com>
> Cc: netfilter@vger.kernel.org
> Date: Tuesday, November 9, 2010, 6:33 PM
> On Tuesday 2010-11-09 23:59, Kostas
> Pelechrinis wrote:
> 
> >Hi all,
> >
> >I am not very familiar with iptables, but what I am
> trying to achieve 
> >is the following:
> >
> >I have a machine with two interfaces (let's say if1 --
> with ip address 
> >a.b.c.d -- and if2 -- with ip address x.y.z.w) both
> connected to the 
> >internet. One of the two interfaces is the default
> interface (e.g., 
> >if1).  Whatever flow is initiated towards a
> destination in the Internet 
> >is going out if1.  I want to use iptables in order
> to redirect some of 
> >the flows to if2.  Is there a way to do this using
> iptables?
> 
> Using -j MARK and iproute2 policy routing.
> 
> >I have tried some rules (e.g., iptables -A FORWARD -d
> k.l.m.n -o if2 -j 
> >ACCEPT // where k.l.m.n is the destination ip address
> of the flow I 
> >want to redirect) but with no luck.
> 
> Well guess why: it _tests_ whether the outgoing interface
> is (already) 
> if2.
> 


      

Re: Redirecting flows among one machine's interfaces

[Pascal Hambourg]

Hello,

Kostas Pelechrinis a écrit :
> 
> I have a machine with two interfaces (let's say if1 -- with ip address
> a.b.c.d -- and if2 -- with ip address x.y.z.w) both connected to the
> internet. One of the two interfaces is the default interface (e.g., if1).
>  Whatever flow is initiated towards a destination in the Internet is
> going out if1.  I want to use iptables in order to redirect some of the
> flows to if2.  Is there a way to do this using iptables?  

This is a FAQ. You will find useful information in the Linux Advanced
Routing and Traffic Control (LARTC) HOWTO.

> I have tried some rules (e.g., iptables -A FORWARD -d k.l.m.n -o if2
> -j ACCEPT // where k.l.m.n is the destination ip address of the flow I
> want to redirect) but with no luck.  From what I could figure out the
> rule FORWARD is mainly for packets that go through the machine and not
> that much for packets originating from the machine.

Indeed. Besides, the rule justs matches packets going out through the
interface if2. It does not have any effect on the routing decision,
which took place before the FORWARD chain.

> another question is weather iptables changing the source ip address
> from a.b.c.d to x.y.z.w or not.

Iptables does not change the source address implicitly as a result of a
rerouting decision. You have to do it explicitly with rules using SNAT
or MASQUERADE.