Outbound traffic over two interfaces by port number

Outbound traffic over two interfaces by port number

[Edwin van den Oosterkamp]

Hello All,

The requirement I have is bit unusual and unfortunately I have not found
any answers searching the archives and the Internet in general. I hope
that if it is actually possible this knowledge will be with this list. I'm
a programmer with quite a bit of experience on Linux kernel based systems,
but fairly new to netfilter specifics.

My system has two NICs (eth0 and eth1) and both are connected to different
networks. One network is for handling data streams, the other solely for
controlling. Both networks may have gateways, both networks may have
overlapping IP address ranges. Luckily, there is only a handful of ports
in use, which allows me to filter all the incoming packets and drop the
wrong type of packet (data/control traffic) from the wrong type of
interface (data/control interface). The system is not allowed to route
between the two networks.

The issue I'm having is that for outbound packets the kernel can select
the "wrong" interface - e.g. control traffic will then go out on the
data-only network (due to overlapping IP ranges or having two gateways for
example). Can I use netfilter to force/redirect these packets so that they
still go out on the "correct" interface, which in this case would be the
control-network? I can see from the port number on which interface (data
or control) the packet was supposed to go out and would like to use that
information to ensure that the packet does go out on the correct network.

I hope that I have been clear, if not then please let me know and will be
more than happy to elaborate.

Best regards,

Edwin.

Re: Outbound traffic over two interfaces by port number

[John Lister]

You might try looking at connection/packet marking.

You can use the MARK target and --set-mark to tag packets as they come 
in depending on other iptable rules (you might need to use CONNMARK to 
tag the associated conntrack tables with the mark for subsequent 
packets). Then create routing tables for each of the interfaces which 
have the correct routing information (including gateways, etc) for each 
interface. Finally set up routing rules using ip rule to check for the 
mark using the mark, (eg ip rule fwmark 1 table 1).

Hope that helps


John

Edwin van den Oosterkamp wrote:
> Hello All,
>
> The requirement I have is bit unusual and unfortunately I have not found
> any answers searching the archives and the Internet in general. I hope
> that if it is actually possible this knowledge will be with this list. I'm
> a programmer with quite a bit of experience on Linux kernel based systems,
> but fairly new to netfilter specifics.
>
> My system has two NICs (eth0 and eth1) and both are connected to different
> networks. One network is for handling data streams, the other solely for
> controlling. Both networks may have gateways, both networks may have
> overlapping IP address ranges. Luckily, there is only a handful of ports
> in use, which allows me to filter all the incoming packets and drop the
> wrong type of packet (data/control traffic) from the wrong type of
> interface (data/control interface). The system is not allowed to route
> between the two networks.
>
> The issue I'm having is that for outbound packets the kernel can select
> the "wrong" interface - e.g. control traffic will then go out on the
> data-only network (due to overlapping IP ranges or having two gateways for
> example). Can I use netfilter to force/redirect these packets so that they
> still go out on the "correct" interface, which in this case would be the
> control-network? I can see from the port number on which interface (data
> or control) the packet was supposed to go out and would like to use that
> information to ensure that the packet does go out on the correct network.
>
> I hope that I have been clear, if not then please let me know and will be
> more than happy to elaborate.
>
> Best regards,
>
> Edwin.
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>   

Re: Outbound traffic over two interfaces by port number

[Edwin van den Oosterkamp]

Hello John,

Thank you for your answer - that was an option I had not thought of, so
I'm going to investigate..

One other issue I just realised with this setup has to do with ARP. Is it
possible to ensure that control-connection related ARP requests only get
onto the control network interface and data-connection related requests
only get sent on the data network interface? Especially with the two
networks having an overlapping IP range I need to ensure that the request
goes out on the correct network interface.

Best regards,

Edwin

On Mon, June 21, 2010 14:45, John Lister wrote:
> You might try looking at connection/packet marking.
>
> John
>