* Re: Re: Route traffic per protocol - it is possible?
@ 2005-06-07 20:29 Gustavo Castro Puig
2005-06-08 7:32 ` Scott
0 siblings, 1 reply; 7+ messages in thread
From: Gustavo Castro Puig @ 2005-06-07 20:29 UTC (permalink / raw)
To: netfilter
Kenneth:
It's almost sure to work... but I don't have one of the latest versions
of iptables (which include this feature), so I can't do it that
way... :-(
Anyway, I should update my netfilter...
I'll check it!
Thank you, Kenneth, and if anybody has any other way to do this, it will be
appreciated too!
Cheers,
G.Castro P.
> On 6/7/05, Gustavo Castro Puig <gcastro@gcp.com.uy> wrote:
>> Hi, list!
>>
>> I've got an issue to resolve and I want to know if it's possible to do
>> it with netfilter/iproute2. I've been googling for some time, but I
>> couldn't find a way to do this (maybe I'm not searching the right
>> way), so any help from you will be *VERY* appreciated.
>> I have a firewall with two links, one direct to the Internet and another
>> (to the Internet too) through another firewall. All traffic is now going to
>> the Internet through the other firewall, but I want to know if it's possible
>> to send some traffic (not all) through the direct link to the Internet. I
>> don't want to redirect all traffic coming from some IPs; instead, I want
>> to redirect only SSH traffic (for example) from the box through the
>> direct link and all other traffic to the other firewall. Something like
>> a "per-protocol routing policy". I've been trying with iproute2 and
>> iptables, marking packets and routing them with two routing tables, but
>> it didn't work.
>
> I'm not an expert, nor have I done this myself. But from replies by
> members of the list and some reading up over the months I'd recommend
> using the ROUTE target.
>
> <man iptables>
> ROUTE
> This is used to explicitly override the core network stack's
> routing decision. mangle table.
>
> --oif ifname
> Route the packet through ifname network interface
>
> --iif ifname
> Change the packet's incoming interface to ifname
>
> --gw IP_address
> Route the packet via this gateway
>
> --continue
> Behave like a non-terminating target and continue
> traversing the rules. Not valid in combination with --iif
> </man>
>
> So, let's say ppp0 and ppp1 are your links, and everything defaults to
> ppp0. If you want ssh to go over ppp1, try one of these:
>
> iptables -t mangle -A PREROUTING --dport 22 -j ROUTE --oif ppp1
> - or -
> iptables -t mangle -A PREROUTING --dport 22 -j ROUTE --gw 1.1.1.1
>
> In the above example, 1.1.1.1 is the gateway IP of ppp1.
>
> To the other members, can the above be combined in one shot? Providing
> both the interface and the gateway IP?
>
> HTH, I haven't tried this myself...
>
>> The firewall has two NICs, one (eth0) with the address 192.168.0.15 and
>> the other (eth1) with the public address.
>> This is what I've done:
>>
>> ------------------------------------------------------------------------
>> ip route flush table NEW
>> ip route add 192.168.0.0/24 dev eth0 table NEW
>> ip route add default via XXX.XXX.XXX.XXX table NEW dev eth1
>>
>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>
>> ip rule add fwmark 1 table NEW
>>
>> ip rule add from XXX.XXX.XXX.XXX table NEW
>>
>> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
>> ------------------------------------------------------------------------
>> None of these lines generates errors.
>> Maybe this is not possible, but if it is, how could it be done?
>> Thanks in advance!
>>
>> Cheers,
>> G.Castro P.
> --
>
> Kenneth Kalmer
> kenneth.kalmer@gmail.com
> http://opensourcery.blogspot.com
>
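The mark-based setup from the quoted post, completed with the piece it leaves out (the rt_tables entry that gives the name NEW a number) and with the checks a practitioner would run afterwards. This is an added example, not a script posted by anyone on the list. It keeps the poster's names (eth0, eth1, 192.168.0.0/24, table NEW, mark 1); the gateway and public address use the 203.0.113.0/24 documentation range as placeholders for the masked XXX.XXX.XXX.XXX, table id 100 is an arbitrary free number, and the `mark` keyword of `ip route get` assumes an iproute2 newer than the 2005 one in the thread. The ROUTE target Kenneth suggests never lived in the mainline kernel; the mark approach needs only MARK, which every kernel of that era has. Run the script as is to print the plan, or with `DRY_RUN=0` and `apply` as root to install it.

```shell
#!/bin/sh
# Per-protocol policy routing with a firewall mark: mark locally generated SSH
# in the mangle table, send marked packets to a second routing table, and
# masquerade them on the direct link. Added example, not a script from the
# list. eth0/eth1, 192.168.0.0/24, table NEW and mark 1 come from the original
# post; 203.0.113.1 / 203.0.113.15 (documentation range) stand in for the
# masked XXX.XXX.XXX.XXX, and table id 100 is an assumed free number.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 applies them.

LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24
WAN_GW=${WAN_GW:-203.0.113.1}       # placeholder: gateway on the direct link
WAN_ADDR=${WAN_ADDR:-203.0.113.15}  # placeholder: this box's public address
TABLE=NEW
TABLE_ID=100                        # assumed free id for /etc/iproute2/rt_tables
MARK=1
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" != 0 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "table NEW" is only meaningful once the name maps to a number; the original
# post never showed that mapping, so it is the first thing to check.
ensure_table() {
    run sh -c "grep -qw '$TABLE' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
}

setup_policy_routing() {
    ensure_table
    # 1. Second table: LAN stays on eth0, everything else leaves by the direct link.
    run ip route flush table "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # 2. Selectors: marked packets, and anything sourced from the public address.
    #    The second rule is also what a strict rp_filter on eth1 consults when it
    #    reverse-checks the replies, since that lookup is done from this address.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip rule add from "$WAN_ADDR" table "$TABLE"
    run ip route flush cache   # 2.6-era kernels cache routing decisions
    # 3. Mark SSH that this box originates. The mangle OUTPUT hook re-runs the
    #    routing decision for a packet whose mark changed, so the rule above applies.
    run iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark "$MARK"
    # 4. The packet was first routed via eth0 and may carry the LAN source address;
    #    masquerading on eth1 rewrites it to the public one.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# verify: show the rules and ask the kernel where an SSH packet goes with and
# without the mark. 198.51.100.5 is a constructed destination; the "mark"
# keyword of "ip route get" needs a newer iproute2 than the one in the thread.
verify() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get 198.51.100.5 mark "$MARK"
    run ip route get 198.51.100.5
    run iptables -t mangle -L OUTPUT -v -n
    run sysctl net.ipv4.conf."$WAN_IF".rp_filter   # 1 = strict; drops replies whose reverse lookup does not pick eth1
}

case "${1:-plan}" in
    plan)   setup_policy_routing ;;                   # print the commands (default)
    apply)  DRY_RUN=0; setup_policy_routing; verify ;; # needs root and the real interfaces
    verify) DRY_RUN=0; verify ;;
esac
```

Step 4 matters because the socket already chose its source address from the main table before the mark was applied: without masquerading, packets would leave eth1 carrying 192.168.0.15. The `ip route get` pair makes the effect visible without sending traffic; with `mark 1` the answer should name eth1, without it eth0.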
* Re: Re: Route traffic per protocol - it is possible?
2005-06-07 20:29 Re: Route traffic per protocol - it is possible? Gustavo Castro Puig
@ 2005-06-08 7:32 ` Scott
2005-06-08 7:42 ` Kenneth Kalmer
2005-06-08 17:02 ` Gustavo Castro Puig
0 siblings, 2 replies; 7+ messages in thread
From: Scott @ 2005-06-08 7:32 UTC (permalink / raw)
To: Gustavo Castro Puig, netfilter
It doesn't, at least not with 1.2.11; here is the error:
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
Tested with a 2.6.11 kernel.
--- Gustavo Castro Puig <gcastro@gcp.com.uy> wrote:
> [snip]
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
* Re: Re: Route traffic per protocol - it is possible?
2005-06-08 7:32 ` Scott
@ 2005-06-08 7:42 ` Kenneth Kalmer
2005-06-08 17:06 ` Gustavo Castro Puig
2005-06-08 17:02 ` Gustavo Castro Puig
1 sibling, 1 reply; 7+ messages in thread
From: Kenneth Kalmer @ 2005-06-08 7:42 UTC (permalink / raw)
To: Scott; +Cc: netfilter
Apologies Scott, and the list...
I only realise now that I left out a crucial part of the command, what
a silly mistake... goes to show that you have to test before
posting...
Try one of these two:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --oif ppp1
- or -
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --gw 1.1.1.1
I added "-p tcp" since SSH runs on SSH to destination port 22...
Test and let me know, I can't test this now since my whole network is
changed around for another project...
On 6/8/05, Scott <gneamob@yahoo.com> wrote:
> It doesn't, at least not with 1.2.11, here is the
> error:
>
> iptables v1.2.11: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more
> information.
>
> tested with a 2.6.11 kernel.
>
> --- Gustavo Castro Puig <gcastro@gcp.com.uy> wrote:
> > [snip]
--
Kenneth Kalmer
kenneth.kalmer@gmail.com
http://opensourcery.blogspot.com
* Re: Re: Route traffic per protocol - it is possible?
2005-06-08 7:42 ` Kenneth Kalmer
@ 2005-06-08 17:06 ` Gustavo Castro Puig
0 siblings, 0 replies; 7+ messages in thread
From: Gustavo Castro Puig @ 2005-06-08 17:06 UTC (permalink / raw)
To: netfilter
Kenneth:
I've seen the error before typing it and tested it with the "-p tcp"
option. It didn't work...
It must be something with the kernel/netfilter version.
Still looking for a solution less aggressive than an upgrade...
> Apologies Scott, and the list...
>
> I only realise now that I left out a crucial part of the command, what
> a silly mistake... goes to show that you have to test before
> posting...
>
> Try one of these two:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --oif ppp1
> - or -
> iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --gw 1.1.1.1
>
> I added "-p tcp" since SSH runs on SSH to destination port 22...
>
> Test and let me know, I can't test this now since my whole network is
> changed around for another project...
>
> On 6/8/05, Scott <gneamob@yahoo.com> wrote:
>> [snip]
Saludos,
Gustavo Castro Puig.
E-Mail: gcastro@gcp.com.uy
G.C.P. Software - Informática Inteligente.
Web: http://www.gcp.com.uy
LPI Level-1 Certified (https://www.lpi.org/es/verify.html
LPID:LPI000042304 Verification Code: hp6re8w5qg )
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM/IT/ED dx s-:- a? C(+++)$ UL++++*$ P+ L++++(++)$ E--- W+++$ N+ o?
K- w O M V-- PS PE++(-) Y-(+) PGP+ t(++) 5+ X++ R tv+ b++(++++) DI+++
D++ G++ e++ h--- r y+++
------END GEEK CODE BLOCK------
Registered Linux User #69342
* Re: Re: Route traffic per protocol - it is possible?
2005-06-08 7:32 ` Scott
2005-06-08 7:42 ` Kenneth Kalmer
@ 2005-06-08 17:02 ` Gustavo Castro Puig
2005-06-14 18:28 ` Scott
1 sibling, 1 reply; 7+ messages in thread
From: Gustavo Castro Puig @ 2005-06-08 17:02 UTC (permalink / raw)
To: netfilter
Scott:
That wasn't the error. I've seen the error before typing and I tested it
the correct way. It's something related to the kernel/netfilter version.
Anyway, I'm still trying to find a solution...
> It doesn't, at least not with 1.2.11, here is the
> error:
>
> iptables v1.2.11: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more
> information.
>
> tested with a 2.6.11 kernel.
>
> --- Gustavo Castro Puig <gcastro@gcp.com.uy> wrote:
>> [snip]
* Re: Re: Route traffic per protocol - it is possible?
2005-06-08 17:02 ` Gustavo Castro Puig
@ 2005-06-14 18:28 ` Scott
2005-06-14 18:47 ` Jason Opperisano
0 siblings, 1 reply; 7+ messages in thread
From: Scott @ 2005-06-14 18:28 UTC (permalink / raw)
To: Gustavo Castro Puig, netfilter
Hi, I tried with the -p tcp and then with the -p tcp -m tcp options, to no
avail, but with a new error:
iptables: No chain/target/match by that name
I have gone through every bit of the command:
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j ROUTE --gw 1.2.3.4
...to no avail! Even if I change PREROUTING to INPUT, OUTPUT, FORWARD or
POSTROUTING it's the same error.
Surely someone must know why; I'm out of answers...
--- Gustavo Castro Puig <gcastro@gcp.com.uy> wrote:
> Scott:
>
> That wasn't the error. I've seen the error before
> typing and I tested it
> the correct way. It's something related to de
> kernel/netfilter version.
> Anyway, I'm still trying to find a solution...
[snip]
* Re: Re: Route traffic per protocol - it is possible?
2005-06-14 18:28 ` Scott
@ 2005-06-14 18:47 ` Jason Opperisano
0 siblings, 0 replies; 7+ messages in thread
From: Jason Opperisano @ 2005-06-14 18:47 UTC (permalink / raw)
To: netfilter
On Tue, Jun 14, 2005 at 11:28:58AM -0700, Scott wrote:
> Hi, I tried with the -p tcp and then with -p tcp -m
> tcp options and to no avail, but with a new error:
>
> iptables: No chain/target/match by that name
>
> I have gone through every bit of the command:
>
> iptables -t mangle -A PREROUTING -p tcp -m tcp --dport
> 22 -j ROUTE --gw 1.2.3.4
>
> ..to no avail!! even if I change PREROUTING to INPUT,
> OUTPUT, FORWARD or POSTROUTING it's the same error..
> surely someone must know why, I'm out of answers...
You don't have support for the ROUTE target in your kernel. If you have
a modular kernel:
ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_ROUTE*
If you do not have a modular kernel:
grep ROUTE /proc/net/ip_tables_targets
If neither command produces positive output, patch and recompile your
kernel with support for the ROUTE target.
-j
--
"Peter: We could always go to purgatory like we did last year.
Lois: This isn't bad. It's not good, but it's not bad.
Brian: So so.
Peter: More or less."
--Family Guy
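The two checks in the reply above, turned into a capability test that a rule-installing script can run before it relies on the ROUTE target. This is an added example, not Jason's script: the module directory, the targets file and the library directory are parameters so the functions can be exercised against constructed directories, and a userspace check is added, since a missing extension library shows up as the iptables binary rejecting the target or its options before anything reaches the kernel, while `No chain/target/match by that name` means the binary knows the target but the kernel does not. The library names and directories (libipt_NAME.so under /lib/iptables on 1.2/1.3-era systems, libxt_NAME.so under /lib/xtables later) are stated from memory, not from the thread; the function names are mine. The ROUTE target itself came from patch-o-matic-ng, outside the mainline kernel, which is why a stock kernel and iptables report it missing.

```shell
#!/bin/sh
# Is an iptables target actually available before we write rules that need it?
# Added example generalising the two checks in the reply; not Jason's or the
# list's code. Paths are parameters so the checks can be tested offline.

# iptables_target_in_kernel NAME MODDIR TARGETS_FILE
#   MODDIR        e.g. /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
#   TARGETS_FILE  e.g. /proc/net/ip_tables_targets (targets registered right now)
# Returns 0 if a module file for the target exists or it is already registered.
iptables_target_in_kernel() {
    name=$1; moddir=$2; targets=$3
    for f in "$moddir/ipt_$name.ko" "$moddir/ipt_$name.ko.gz" "$moddir/ipt_$name.o"; do
        [ -f "$f" ] && return 0      # modular kernel: 2.6 uses .ko, 2.4 used .o
    done
    [ -r "$targets" ] && grep -qx "$name" "$targets" && return 0   # built in or loaded
    return 1
}

# iptables_target_in_userspace NAME LIBDIR
#   LIBDIR  e.g. /lib/iptables (1.2/1.3 era) or /lib/xtables (newer); assumed layout
# Returns 0 if the iptables extension library for the target is installed.
iptables_target_in_userspace() {
    name=$1; libdir=$2
    [ -f "$libdir/libipt_$name.so" ] || [ -f "$libdir/libxt_$name.so" ]
}

# route_target_status NAME MODDIR TARGETS_FILE LIBDIR
# Prints "kernel=ok|missing userspace=ok|missing" so a deploy script can refuse
# to install rules (or fall back to MARK + ip rule) when either side is missing.
route_target_status() {
    name=$1; moddir=$2; targets=$3; libdir=$4
    k=missing; u=missing
    if iptables_target_in_kernel "$name" "$moddir" "$targets"; then k=ok; fi
    if iptables_target_in_userspace "$name" "$libdir"; then u=ok; fi
    printf 'kernel=%s userspace=%s\n' "$k" "$u"
}

# Stand-alone use on a real box: ./check-route-target.sh check
# (adjust the library directory to wherever your iptables keeps its extensions)
if [ "${1:-}" = check ]; then
    route_target_status ROUTE "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter" \
        /proc/net/ip_tables_targets /lib/iptables
fi
```

The kernel-side check reads both locations Jason names, because a built-in target has no module file and a module that is present but not yet loaded does not appear in /proc/net/ip_tables_targets; either source is enough to say the kernel can do it.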