* Route traffic per protocol - it is possible?
@ 2005-06-07 16:55 Gustavo Castro Puig
From: Gustavo Castro Puig @ 2005-06-07 16:55 UTC (permalink / raw)
To: netfilter
Hi, list!
I've got an issue to resolve and I want to know if it's possible to do
it with netfilter/iproute2. I've been googling for some time, but I
couldn't find the way to do this (maybe I'm not searching the correct
way), so any help from you will be *VERY* appreciated.
I have a firewall with two links, one direct to Internet and another (to
internet too) through another firewall. All traffic is now going to
Internet through the other firewall, but I want to know if it's possible
to send some traffic (not all) through the direct link to Internet. I
don't want to redirect all traffic coming from some IPs; instead, I want
to redirect only SSH traffic (for example) from the box through the
direct link and all other traffic to the other firewall. Something like
a "per-protocol routing policy". I've been trying with iproute2 and
iptables, marking packets and routing them with two routing tables, but
it didn't work.
The firewall has two NICs, one (eth0) with an address 192.168.0.15 and
the other (eth1) with the public address.
This is what I've done:
------------------------------------------------------------------------
ip route flush table NEW
ip route add 192.168.0.0/24 dev eth0 table NEW
ip route add default via XXX.XXX.XXX.XXX table NEW dev eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
ip rule add fwmark 1 table NEW
ip rule add from XXX.XXX.XXX.XXX table NEW
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
------------------------------------------------------------------------
None of these lines generates errors.
Maybe this is not possible, but if it is, how could it be done?
Thanks in advance!
Cheers,
G.Castro P.
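The fwmark/second-table setup from the post above, rewritten as an added example that is not part of the thread. It keeps the post's table name NEW, interfaces eth0/eth1, LAN 192.168.0.0/24, mark 1 and the MARK/MASQUERADE rules, and assumes the rest: a numeric id of 100 for table NEW (the name only works once it is mapped in /etc/iproute2/rt_tables, which the post does not show), rule priority 100, the placeholder gateway 203.0.113.1, and an iptables new enough for `-C` (2011 and later). The `from XXX` rule in the post is left out; the mark rule alone is what steers port 22.

```shell
#!/bin/sh
# Added example (not from the thread): the fwmark + second routing table
# approach from the post, as idempotent functions with checks.
# Assumed values: table id 100 for "NEW", rule priority 100, and the
# placeholder gateway 203.0.113.1 (override with WAN_GW=...).

TABLE_NAME=NEW
TABLE_ID=100
LAN_IF=eth0
LAN_NET=192.168.0.0/24
WAN_IF=eth1
WAN_GW=${WAN_GW:-203.0.113.1}
MARK=1
RULE_PRIO=100

# "table NEW" only resolves if the name is mapped to a number in
# /etc/iproute2/rt_tables; append the mapping when it is missing.
# A third argument selects another file (used for testing).
ensure_rt_table() {
    name=$1; id=$2; file=${3:-/etc/iproute2/rt_tables}
    if grep -qE "^[[:space:]]*${id}[[:space:]]+${name}([[:space:]]|$)" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# Read `ip rule show` output on stdin and succeed if a rule sends packets
# carrying fwmark $1 to table $2. Used both to avoid adding the rule twice
# and as a post-setup check.
rule_present() {
    hexmark=$(printf '%x' "$1"); table=$2
    grep -qE "fwmark 0x${hexmark}([^0-9a-f].*)? lookup ${table}( |$)"
}

# Build table NEW, the mark rule and the mangle/nat rules. Requires root.
apply_policy_routing() {
    ensure_rt_table "$TABLE_NAME" "$TABLE_ID"

    ip route flush table "$TABLE_NAME"
    ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE_NAME"
    ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE_NAME"

    # Packets marked 1 consult table NEW before the main table.
    ip rule show | rule_present "$MARK" "$TABLE_NAME" \
        || ip rule add fwmark "$MARK" table "$TABLE_NAME" priority "$RULE_PRIO"

    # Mark locally generated SSH; the kernel re-routes the packet after the
    # mark changes in mangle OUTPUT. (-C needs iptables >= 1.4.11.)
    iptables -t mangle -C OUTPUT -p tcp --dport 22 -j MARK --set-mark "$MARK" 2>/dev/null \
        || iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark "$MARK"
    iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Older kernels cache routing decisions; flush so the new rule applies.
    ip route flush cache
}

# Ask the kernel which route a marked and an unmarked packet would take,
# without sending any traffic. 192.0.2.1 is a documentation address.
show_decision() {
    echo "marked (should leave via $WAN_IF):"; ip route get 192.0.2.1 mark "$MARK"
    echo "unmarked (main table):";              ip route get 192.0.2.1
}

# Only touch the system when invoked as: sh this_script.sh apply
if [ "${1:-}" = apply ]; then
    apply_policy_routing
    ip rule show | rule_present "$MARK" "$TABLE_NAME" || { echo "mark rule missing" >&2; exit 1; }
    show_decision
fi
```

Run it as root with `sh script.sh apply`; the two `ip route get` lines at the end show whether the marked lookup really ends on eth1 while the unmarked one still follows the main table, which is the quickest way to tell a rule-ordering or rt_tables problem from a NAT one. Whatever is steered onto the direct link no longer passes the other firewall, so the filter rules for eth1 need to cover it on this box.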
* Re: Route traffic per protocol - it is possible?
@ 2005-06-07 18:49 ` Kenneth Kalmer
From: Kenneth Kalmer @ 2005-06-07 18:49 UTC (permalink / raw)
To: Gustavo Castro Puig; +Cc: netfilter
On 6/7/05, Gustavo Castro Puig <gcastro@gcp.com.uy> wrote:
> Hi, list!
>
> I've got an issue to resolve and I want to know if it's possible to do
> it with netfilter/iproute2. I've been googling for some time, but I
> couldn't find the way to do this (maybe I'm not searching the correct
> way), so any help from you will be *VERY* appreciated.
> I have a firewall with two links, one direct to Internet and another (to
> internet too) through another firewall. All traffic is now going to
> Internet through the other firewall, but I want to know if it's possible
> to send some traffic (not all) through the direct link to Internet. I
> don't want to redirect all traffic coming from some IPs; instead, I want
> to redirect only SSH traffic (for example) from the box through the
> direct link and all other traffic to the other firewall. Something like
> a "per-protocol routing policy". I've been trying with iproute2 and
> iptables, marking packets and routing them with two routing tables, but
> it didn't work.
I'm not an expert, nor have I done this myself. But from replies by
members of the list and some reading up over the months I'd recommend
using the ROUTE target.
<man iptables>
ROUTE
This is used to explicitly override the core network stack's
routing decision. mangle table.
--oif ifname
Route the packet through ifname network interface
--iif ifname
Change the packet's incoming interface to ifname
--gw IP_address
Route the packet via this gateway
--continue
Behave like a non-terminating target and continue
traversing the rules. Not valid in combination with --iif
</man iptables>
So, let's say ppp0 and ppp1 are your links, and everything defaults to
ppp0. If you want ssh to go over ppp1, try one of these:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --oif ppp1
- or -
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --gw 1.1.1.1
In the above example, 1.1.1.1 is the gateway IP of ppp1.
To the other members, can the above be combined in one shot? Providing
both the interface and the gateway IP?
HTH, I haven't tried this myself...
> The firewall has two NICs, one (eth0) with an address 192.168.0.15 and
> the other (eth1) with the public address.
> This is what I've done:
>
> ------------------------------------------------------------------------
> ip route flush table NEW
> ip route add 192.168.0.0/24 dev eth0 table NEW
> ip route add default via XXX.XXX.XXX.XXX table NEW dev eth1
>
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> ip rule add fwmark 1 table NEW
>
> ip rule add from XXX.XXX.XXX.XXX table NEW
>
> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
> ------------------------------------------------------------------------
> None of these lines generates errors.
> Maybe this is not possible, but if it is, how could it be done?
> Thanks in advance!
>
> Cheers,
> G.Castro P.
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com