Re: routing_based_on_port/services
From: Artur Szczotka (artis_at_ae.katowice.pl)
Date: 10/05/05
- Previous message: Vladimir Mitiouchev: "Re: routing_based_on_port/services"
- In reply to: kucserak_at_post.sk: "routing_based_on_port/services"
- Next in thread: Sven-Åke Larsson: "RE: routing_based_on_port/services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 5 Oct 2005 19:18:44 +0200 (CEST) To: kucserak@post.sk
Hi.
A long time ago I was forced to solve very similar problem based on Linux
2.4.x kernel.
First of all the thing you're trying to do is called "Policy Routing". In
Linux (2.4.x) you have a lot of options you may use to accomplish your
task. I suggest using Linux kernel 2.4.x, compiled to support Advanced
Routing feature. You may need to upgrade your iptables and iproute2
package as well. Generally you'll need proper kernel, iproute2 and
iptables package.
Step 1. You mark a traffic you are interested in. e,g dst ports 25,80 ...
iptables is your friend at this stage.
Step 2. You create an additional routing table to use with certain uplink
eg. You have 2 links to providers lets say eth0, eth1.
It is nice to name an additional table you will use:
echo 200 table02 >> /etc/iproute2/rt_tables
Then you need to add a default gw to table table02:
ip route add default via x.x.x.x dev eth1 table table02
next you should do:
ip rule add fwmark xx table table02.
So packets having proper fwmark will be directed to table02 instead of
table main, and then will be routed according to rules entered to
table02.
In linux you have 3 predefined routing tables:
local, main, default. Command ip route ls table_name shows you each one.
It's important do add all local routes to table local:
E.G If you have on your local iface (eth2) many IP classess, 10.10.10.1,
10.10.10.2 you have two options. You have to add them to every additional
routing table in your system or you may add these classes only once to
local routing table. This is important because otherwise computers
from different local subnets will have no chance to see each other.
IMPORTANT NOTE:
When using fw mark in the ip rule add command, you have to turn off
rp_filter protection.
echo 0 > /proc/net/ipv4/conf/eth1/rp_filter
If you don't It won't be working and you'll be unable to diagnose the
source of problem. What's interesting when you use the form:
ip rule add from ip_class table table_name everything will be working
fine. More info about this problem you can find at:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Adv-Routing-HOWTO.html
section 10.1. Caveats.
So enjoy, tcpdump is helpfull for debugging purposes.
"Unix jest prosty i logiczny, ale dostrzec i zobaczyæ
jego prostotê mo¿e tylko geniusz (a przynajmniej programista)"
- Dennis M. Ritchie
artis@linux.bielsko.pl
reg. Linux User no 207289
On Mon, 3 Oct 2005 kucserak@post.sk wrote:
> Dear List!
>
> I just want to ask you a question.I have a linux(Secure platform) gateway server with 2 external ip address to the internet (one S/0 ADSl, second S/1 Point to Point) and one internal ip eth0 for my LAN. I need to split up the outgoing traffic.HTTP/HTTPS want to route through the ADSL and the rest of traffic (SMTP,POP3,FTP) through the Point to Point.Can i solve this with Linux iptables or whatever else. Any suggestion help..
>
> regards,
>
> Chris
>
- Previous message: Vladimir Mitiouchev: "Re: routing_based_on_port/services"
- In reply to: kucserak_at_post.sk: "routing_based_on_port/services"
- Next in thread: Sven-Åke Larsson: "RE: routing_based_on_port/services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
