From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: Sebastian Poehn <sebastian.poehn@googlemail.com>
Cc: jengelh@inai.de, netfilter@vger.kernel.org
Subject: Re: How to use TROXY target only for specific outgoing interface
Date: Tue, 15 Jan 2013 14:02:40 +0200
Message-ID: <50F54560.4080200@ngtech.co.il>
In-Reply-To: <1358190735.2257.12.camel@localhost.localdomain>

On 1/14/2013 9:12 PM, Sebastian Poehn wrote:
> I've drawn a new picture. We want to connect from Node 1 to the 'internet'. All traffic via wan1 shall be proxied, traffic over lan1 not.
>
> The only valid match for this situation is the outgoing interface ( oif == wan1 do proxy, else no proxy). It is not possible to match for
> dst networks, as routing metrics may change and so even the use of wan1 or wan2 (for the uplink).
>
> I can not -A POSTROUTING -o wan1 -j TPROXY as TPROXY must be called in PREROUTING (there -o is not present).
>
>                 internet
>    ____________________________________
>     A                              A
>     |wan1                          |wan2
>     |                              |
> #########      #########      #########
> #ROUTER1# lan1 #ROUTER2# lan3 #ROUTER3#
> #   +   #<---->#       #<---->#       #
> #TPROXY #  igp #       # igp  #       #
> #########      #########      #########
>     |
>     | lan2
>     |
> #########
> # NODE 1#
> #       #
> #       #
> #########
>
>
Hey there,

Thanks for the new picture.
I understand what your problem is, since it's a very common concept.
But you must understand that most TPROXY systems are very static.

Take a deep breath and accept (like a server\socket) that the connections
can be intercepted only in a prerouting table.
What I do suggest is to use a dynamic ipset to allow you this
specific thing you need.

Since you can only use IP addresses as a match in the prerouting, or an
incoming interface.
Your problem is that you are using IGP, which limits you to a specific
protocol which I think BIRD or QUAGGA doesn't work with.

What you could do, if it were another protocol, is to run a cron task every
once in a while to check whether the routing tables are still the same or
not, and in case of a change, update an ipset that you will use to
either bypass or intercept the traffic.

If you are working with ROUTING protocols it should be simple to know 
what traffic is being routed to WAN1.

Best regards,
Eliezer

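The cron-driven ipset approach suggested above, worked through as an added example (not code from the thread or from either participant): the routing table is turned into a hash:net set where prefixes leaving via wan1 match and every other prefix carries the nomatch flag, so longest-prefix lookup in the set mirrors the kernel's routing decision and a single PREROUTING rule can TPROXY only wan1-bound traffic. The interface names, the set name via_wan1, the proxy port and the sample route lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: keep an ipset in sync with the routing
# table so that a PREROUTING TPROXY rule matches only destinations currently
# routed out of wan1. Interface/set names and the proxy port are assumptions.

# Read `ip -4 route show` lines on stdin, print one ipset entry per route:
# prefixes leaving via $1 match, all other prefixes get the "nomatch" flag.
# hash:net picks the longest matching prefix, so a more specific lan1 route
# overrides the wan1 default, mirroring the kernel's routing decision.
# hash:net cannot store /0, so "default" is split into two /1 entries.
route_set_entries() {
    awk -v dev="$1" '
        $1 ~ /^(default|[0-9])/ {
            d = ""
            for (i = 1; i < NF; i++) if ($i == "dev") d = $(i + 1)
            if (d == "") next
            flag = (d == dev) ? "" : " nomatch"
            if ($1 == "default") { print "0.0.0.0/1" flag; print "128.0.0.0/1" flag; next }
            p = $1; if (p !~ /\//) p = p "/32"
            print p flag
        }'
}

# Read entries on stdin and print ipset commands that rebuild set $1 in a
# temporary set and swap it in, so the live rule never sees a half-built set.
ipset_refresh_commands() {
    s="$1"
    echo "ipset create $s hash:net -exist"
    echo "ipset create ${s}_tmp hash:net -exist"
    echo "ipset flush ${s}_tmp"
    while read -r entry; do
        if [ -n "$entry" ]; then echo "ipset add ${s}_tmp $entry -exist"; fi
    done
    echo "ipset swap ${s}_tmp $s"
    echo "ipset destroy ${s}_tmp"
}

# Constructed sample of `ip -4 route show` output, so this runs without root.
SAMPLE_ROUTES='default via 198.51.100.1 dev wan1
10.0.0.0/8 via 10.1.1.2 dev lan1 proto bird
192.0.2.0/24 dev wan1 proto kernel scope link src 192.0.2.10
172.16.0.0/12 via 10.1.1.2 dev lan1 proto bird
blackhole 10.99.0.0/16'

# From cron, replace the sample with: ip -4 route show | route_set_entries wan1 | ... | sh
printf '%s\n' "$SAMPLE_ROUTES" | route_set_entries wan1 | ipset_refresh_commands via_wan1
# Matching rule (assumed proxy port 3128, mark 1), only for traffic arriving from the node side:
# iptables -t mangle -A PREROUTING -i lan2 -p tcp --dport 80 -m set --match-set via_wan1 dst \
#   -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
```

Because the set is rebuilt in a temporary set and swapped, a refresh never leaves a window where the rule matches an empty or partial set.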
