Linux Netfilter discussions
From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: Sebastian Poehn <sebastian.poehn@googlemail.com>
Cc: Jan Engelhardt <jengelh@inai.de>, netfilter@vger.kernel.org
Subject: Re: How to use TROXY target only for specific outgoing interface
Date: Mon, 14 Jan 2013 00:33:08 +0200
Message-ID: <50F33624.3010208@ngtech.co.il>
In-Reply-To: <1358095169.1668.9.camel@localhost.localdomain>

If you would give an IP example rather than a sketch, I think I have an
idea on how to do it using some local routing daemon on the router machine.

Another thing to notice is that if you are using tproxy, it should be
used based on known network data or globally with specific exceptions.
Other than these situations, you will need to plan some iptables structure
to fit, maybe ipset or any other way of organizing the dynamic tproxy rules.

Eliezer

On 1/13/2013 6:39 PM, Sebastian Poehn wrote:
> For a simple setup this is more than sufficient. But I want to realize
> something with dynamic routing. So to clarify:
>
>          ospf            lan1 ############
> local3 <----> local1 <-------#  ROUTER  # wan
>                               #    +     #-------------> internet
>                local2 <-------#  TPROXY  #
>                          lan2 ############
>
> For me it's not possible to even know every subnet which is on the local
> side. It would even be possible that there is a multi-homed environment
> with e.g. local3 connected to the internet, too. (That means that even
> a non-local destination could go from local2, via lan2, lan1, local1 and
> local3 to the "internet" ).
>
> Thanks for your reply, Jan
