Use iptables to force next hop

Use iptables to force next hop

[Alex Bligh]

Is it possible to use iptables to force the next hop in (e.g.) the FORWARD table?

I know it is possible to do this with 'ip rule' and friends, but for various reasons (non-proliferation of tables) I'd like to do this in just iptables if possible. Let's assume I know what I'm doing, and the effect that I want is that if the iptables rule matches, I want to set the next hop (irrespective of the routing table) to an IP address which I can guarantee is on a directly connected interface.

-- 
Alex Bligh

Re: Use iptables to force next hop

[Michal Soltys]

On 2012-11-08 22:08, Alex Bligh wrote:
> Is it possible to use iptables to force the next hop in (e.g.) the
> FORWARD table?
> 
> I know it is possible to do this with 'ip rule' and friends, but for
> various reasons (non-proliferation of tables) I'd like to do this in
> just iptables if possible. Let's assume I know what I'm doing, and the
> effect that I want is that if the iptables rule matches, I want to set
> the next hop (irrespective of the routing table) to an IP address
> which I can guarantee is on a directly connected interface.
> 

You can do hybrid of sorts - that is set mark in iptables (with all the
matching power of iptables), then use fwmark match in ip rule.

Not precisely what you're after, but gives you the same - unless of
course you want to avoid ip rule at all cost. Once in the past there was
ROUTE target, but it was dropped at some point (I think). Besides, ip
rule fwmark provides essentially the same.

Re: Use iptables to force next hop

[Torsten Luettgert]

On Thu, 08 Nov 2012 23:13:57 +0100
Michal Soltys <soltys@ziu.info> wrote:

> On 2012-11-08 22:08, Alex Bligh wrote:
> > Is it possible to use iptables to force the next hop in (e.g.) the
> > FORWARD table?
[...]
> You can do hybrid of sorts - that is set mark in iptables (with all
> the matching power of iptables), then use fwmark match in ip rule.
> 
> Not precisely what you're after, but gives you the same - unless of
> course you want to avoid ip rule at all cost. Once in the past there
> was ROUTE target, but it was dropped at some point (I think).
> Besides, ip rule fwmark provides essentially the same.

That's right, except you have to use up the mark (or, at least, a few
bits of it). I was also sad that the ROUTE target was dropped back then
and ported it a few versions up, but after 2.6.24 (iirc) it became
increasingly difficult so I switched to mark+ip rule.

One could probably look into TEE and rip out the appropriate parts, but
I lack the time.

For now, marking and using ip rule is the only option I know of.

Regards,
Torsten

Re: Use iptables to force next hop

[Alex Bligh]

On 8 Nov 2012, at 22:13, Michal Soltys wrote:

> You can do hybrid of sorts - that is set mark in iptables (with all the
> matching power of iptables), then use fwmark match in ip rule.
> 
> Not precisely what you're after, but gives you the same - unless of
> course you want to avoid ip rule at all cost. Once in the past there was
> ROUTE target, but it was dropped at some point (I think). Besides, ip
> rule fwmark provides essentially the same.

I thought there used to be a ROUTE target but had concluded I was
imagining things.

The situation is (essentially) that I have interfaces that appear and
disappear quite dynamically. iptables seems to cope well with
interfaces that disappear occasionally, whereas the routing table
stuff does not. Actually I don't need to know what interface
I am routing out of, I want to simply route anything matching
my iptables rule to a next hop with a particular IP address (however
that is reached).

So I can do that with fwmark and ip rule, with a routing table
which routes everything to one IP, but that means one routing table
per rule, which isn't going to scale quite the way I'd like (I'm
presuming generating several hundred routing tables is not a
fantastic idea).

-- 
Alex Bligh