* Routing packets with IPTABLES?
From: Reginald NALLARATNAM @ 2003-02-10 17:34 UTC
To: netfilter
Hello,
Hardware Layout:
Firewall #1: (Linux Box)
I have a linux box with 2 nics.
eth1 @ 192.168.20.1
eth0 @ 192.168.30.2
Gateway: 192.168.30.1
Firewall # 2: (Some other router)
interface 1: 192.168.20.2
interface 2: 192.168.30.2
Gateway: 192.168.30.1
Web server:
192.168.20.100
Gateway: 192.168.20.2 (Firewall # 2)
Gateway (192.168.30.1) is some other Firewall/Router that allows both firewall #1 and #2 to connect to the internet.
Question:
Is there a way to route incoming packets from the gateway to eth0 on firewall #1 based on source IP and destination port to the web server @ 192.168.20.100?
The only way this will work is if Firewall # 1 routes or forwards the packets to the web server without connection tracking, since the return answer from the web server will go through firewall # 2.
Could someone give me an example or the command to do this using iptables? If not, how else can this be done?
Thanks in advance.
* Re: Routing packets with IPTABLES?
From: Cedric de Launois @ 2003-02-11 17:17 UTC
To: Reginald NALLARATNAM; +Cc: netfilter
> Question:
> Is there a way to route incoming packets from the gateway to eth0 on
> firewall #1 based on source IP and destination Port to the web server
> @ 192.168.20.100?
> The only way this will work is if Firewall # 1 routes or forwards the
> packets to web server without connection tracking, since the return
> answer from web server will go through firewall # 2.
I didn't quite understand what you are doing, but I think the ROUTE
target can help you. This target is available from the CVS. An older
version is in iptables-1.2.7a with patch-o-matic-20020825 (NOT the
latest pom). It is an /extra patch.
A description of the target in CVS is:
This option adds a `ROUTE' target, which enables you to setup unusual
routes not supported by the standard kernel routing table.
For example, the ROUTE target lets you directly route a received packet through
an interface or towards a host, even if the regular destination of the
packet is the router itself. The ROUTE target is also able to change the
incoming interface of a packet.
This target never modifies the packet and is a final target.
It has to be used inside the mangle table.
ROUTE target options:
--oif ifname Send the packet out using `ifname' network interface.
--iif ifname Change the packet's incoming interface to `ifname'.
--gw ip Route the packet via this gateway.
Examples:
To redirect all outgoing icmp packets to the eth1 interface:
# iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
To tunnel all incoming http packets:
# iptables -A PREROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1
To force the next-hop used for ssh packets:
# iptables -A PREROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z
To change the incoming network interface from eth0 to eth1 for icmp packets:
# iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
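The following script is an added example and not code from either message in the thread; it applies the ROUTE target from the reply to the layout in the original question. It assumes the ROUTE extension (the patch-o-matic "extra" patch the reply mentions) is installed on firewall #1; the client range ALLOWED_SRC is a constructed placeholder, and the function names, the DRY_RUN switch and the way preflight probes for the target are this example's own choices, not part of the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: mangle-table ROUTE rules for the
# firewall #1 layout described in the question.  Assumes the ROUTE target
# (patch-o-matic "extra" patch) is installed.  DRY_RUN=1 (the default) prints
# the rules instead of applying them, so the script can be reviewed anywhere.
set -u

# Addresses and interfaces taken from the original question.
WEB_SERVER=192.168.20.100   # web server behind firewall #2
INSIDE_IF=eth1              # firewall #1, 192.168.20.1
OUTSIDE_IF=eth0             # firewall #1, 192.168.30.2, towards gateway 192.168.30.1

# Constructed placeholder (assumption): the only client range allowed to reach
# the web server this way.  Replace with the real source addresses.
ALLOWED_SRC=203.0.113.0/24
DRY_RUN=${DRY_RUN:-1}

# Compose one ROUTE rule for a TCP port.  The match is deliberately tight
# (interface, source, protocol, port) because ROUTE is a final target: the
# packet is handed straight to eth1 with the web server as next hop and is
# not examined again by later rules on this firewall.
build_route_rule() {
    port=$1
    printf 'iptables -t mangle -A PREROUTING -i %s -s %s -p tcp --dport %s -j ROUTE --oif %s --gw %s\n' \
        "$OUTSIDE_IF" "$ALLOWED_SRC" "$port" "$INSIDE_IF" "$WEB_SERVER"
}

# Sanity checks before touching a live firewall (only run when DRY_RUN=0).
preflight() {
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != 1 ]; then
        echo "preflight: net.ipv4.ip_forward is not enabled" >&2
        return 1
    fi
    # Asking iptables for the target's help text fails when the ROUTE
    # extension is missing (assumed probe; adjust for your iptables build).
    if ! iptables -j ROUTE --help >/dev/null 2>&1; then
        echo "preflight: ROUTE target not available in this iptables" >&2
        return 1
    fi
}

# Print (DRY_RUN=1) or apply (DRY_RUN=0) one rule per port given.
apply_rules() {
    if [ "$DRY_RUN" != 1 ]; then
        preflight || return 1
    fi
    for port in "$@"; do
        rule=$(build_route_rule "$port")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$rule"
        else
            eval "$rule"
        fi
    done
}

# Stand-alone run: the asker's case, HTTP to the web server.
apply_rules 80
```

Run it as is to see the rule, then with DRY_RUN=0 on firewall #1 to apply it. Because replies leave through firewall #2, firewall #1 only ever sees the client-to-server direction of these connections; nothing in this script relies on connection state, and a state-matching rule on firewall #1 would never see this flow as ESTABLISHED, which is why the source and port restriction sits in the mangle rule itself.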