Re: routing_based_on_port/services

From: Artur Szczotka (artis_at_ae.katowice.pl)
Date: 10/05/05

  • Next message: Sven-┼ke Larsson: "RE: routing_based_on_port/services"
    Date: Wed, 5 Oct 2005 19:18:44 +0200 (CEST)
    To: kucserak@post.sk
    
    

    Hi.

    A long time ago I was forced to solve very similar problem based on Linux
    2.4.x kernel.

    First of all the thing you're trying to do is called "Policy Routing". In
    Linux (2.4.x) you have a lot of options you may use to accomplish your
    task. I suggest using Linux kernel 2.4.x, compiled to support Advanced
    Routing feature. You may need to upgrade your iptables and iproute2
    package as well. Generally you'll need proper kernel, iproute2 and
    iptables package.

    Step 1. You mark a traffic you are interested in. e,g dst ports 25,80 ...
     iptables is your friend at this stage.
    Step 2. You create an additional routing table to use with certain uplink
    eg. You have 2 links to providers lets say eth0, eth1.
    It is nice to name an additional table you will use:
    echo 200 table02 >> /etc/iproute2/rt_tables

    Then you need to add a default gw to table table02:
    ip route add default via x.x.x.x dev eth1 table table02
    next you should do:
    ip rule add fwmark xx table table02.
    So packets having proper fwmark will be directed to table02 instead of
    table main, and then will be routed according to rules entered to
    table02.

    In linux you have 3 predefined routing tables:
    local, main, default. Command ip route ls table_name shows you each one.

    It's important do add all local routes to table local:
    E.G If you have on your local iface (eth2) many IP classess, 10.10.10.1,
    10.10.10.2 you have two options. You have to add them to every additional
    routing table in your system or you may add these classes only once to
    local routing table. This is important because otherwise computers
    from different local subnets will have no chance to see each other.

    IMPORTANT NOTE:
    When using fw mark in the ip rule add command, you have to turn off
    rp_filter protection.
    echo 0 > /proc/net/ipv4/conf/eth1/rp_filter

    If you don't It won't be working and you'll be unable to diagnose the
    source of problem. What's interesting when you use the form:
    ip rule add from ip_class table table_name everything will be working
    fine. More info about this problem you can find at:
    http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Adv-Routing-HOWTO.html
    section 10.1. Caveats.

    So enjoy, tcpdump is helpfull for debugging purposes.

    "Unix jest prosty i logiczny, ale dostrzec i zobaczyŠ
    jego prostotŕ mo┐e tylko geniusz (a przynajmniej programista)"
                                        - Dennis M. Ritchie

                                                        artis@linux.bielsko.pl
                                                    reg. Linux User no 207289

    On Mon, 3 Oct 2005 kucserak@post.sk wrote:

    > Dear List!
    >
    > I just want to ask you a question.I have a linux(Secure platform) gateway server with 2 external ip address to the internet (one S/0 ADSl, second S/1 Point to Point) and one internal ip eth0 for my LAN. I need to split up the outgoing traffic.HTTP/HTTPS want to route through the ADSL and the rest of traffic (SMTP,POP3,FTP) through the Point to Point.Can i solve this with Linux iptables or whatever else. Any suggestion help..
    >
    > regards,
    >
    > Chris
    >


  • Next message: Sven-┼ke Larsson: "RE: routing_based_on_port/services"