one routing question

Wed Nov 11 17:36:43 UTC 2009

Hi,

On Wed, Nov 11, 2009 at 10:56, ESGLinux <esggrupos at gmail.com> wrote:
> What I want to do is to use one of the lines (eth2) only to web traffic and
> all the other kind of traffic  to the other line (eth1)
>
> Using the route command I can´t make this routing, perhaps I can do it using
> iptables, but I don´t know if is it possible,

Your statement of intent is a little unclear--do you mean that:

 (A) You are running a local web server on your RH machine, and you
want incoming HTTP clients to only arrive via eth2?
or
 (B) You use your RH machine an an HTTP client to browse other remote
web servers, and you want your HTTP client requests to depart via
eth2?

[Situation A]

If the situation is (A), IPTables doesn't get involved at all. You
need to implement source-based policy routing, so that you force your
outbound HTTP response traffic to use the same interface on which its
associated originating request arrives from the client. There's a
great HOWTO here
(http://lartc.org/howto/lartc.rpdb.multiple-links.html). You only need
to worry about section 4.2.1 of that document. Also, you'll want to
add a default route to the default routing table that uses eth1's
upstream next-hop, so that any traffic you originate leaves via eth1,
like this:

    `ip route add default via <ETH1_GW_IPADDRESS>`

Then, tell external clients to use the eth2 IP address to reach your
web server, which should be listening on that IP. All of the incoming
HTTP requests will arrive via eth2, and your new source-based routing
policy will ensure that the responses go back out via eth2. You'll use
eth1's upstream next-hop as your default gateway, so that any traffic
you originate leaves via eth1.

[Situation B]

If the situation is (B), IPTables does play a role, but the 'ip'
utility still does most of the work. First, you'll create an IPTables
rule that 'marks' your outbound HTTP packets with a special flag,
BEFORE the kernel gets to make any routing decisions about how to send
them out. To mark traffic originating on your RH machine, use a rule
like this:

    `iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK
--set-mark 0x11`

If you want HTTPS traffic to be handled the same way, add an extra
rule (or rules) with the parameter '--dport 443' instead of '--dport
80'.

Then, you'll set up your routing tables and policy to forward these
"marked" packets out via eth2, while all the rest of your traffic uses
eth1. The source-based routing policy link, above, is helpful, here. I
think the commands would be something like this:

    `ip route add default via <ETH2_GW_IPADDRESS> table 11`
    `ip route add default via <ETH1_GW_IPADDRESS>`
    `ip rule add fwmark 0x11 table 11`

If your server is acting as a router for other hosts, too, you'll need
a more complex set of IPTables rules, but your routing policy and
tables (the 'ip route...' and 'ip rule...' commands) should be the
same.

This stuff looks intimidating the first few times you tackle it, but
it's pretty straightforward once you get to know the concepts. The
LARTC docs are very helpful. Good luck.

-Ryan