one routing question

ESGLinux esggrupos at gmail.com
Wed Nov 11 17:53:17 UTC 2009 

2009/11/11 Ryan Lynch <ryan.b.lynch at gmail.com>

> Hi,
>
> On Wed, Nov 11, 2009 at 10:56, ESGLinux <esggrupos at gmail.com> wrote:
> > What I want to do is to use one of the lines (eth2) only to web traffic
> and
> > all the other kind of traffic  to the other line (eth1)
> >
> > Using the route command I can´t make this routing, perhaps I can do it
> using
> > iptables, but I don´t know if is it possible,
>
>
> Your statement of intent is a little unclear--do you mean that:
>

;-) Sorry, sometimes I think I´m clear but really I´m not.


>
>  (A) You are running a local web server on your RH machine, and you
> want incoming HTTP clients to only arrive via eth2?
> or
>  (B) You use your RH machine an an HTTP client to browse other remote
> web servers, and you want your HTTP client requests to depart via
> eth2?
>
>
The scenario is B. I skip to it



>
> [Situation A]
>
> If the situation is (A), IPTables doesn't get involved at all. You
> need to implement source-based policy routing, so that you force your
> outbound HTTP response traffic to use the same interface on which its
> associated originating request arrives from the client. There's a
> great HOWTO here
> (http://lartc.org/howto/lartc.rpdb.multiple-links.html). You only need
> to worry about section 4.2.1 of that document. Also, you'll want to
> add a default route to the default routing table that uses eth1's
> upstream next-hop, so that any traffic you originate leaves via eth1,
> like this:
>
>    `ip route add default via <ETH1_GW_IPADDRESS>`
>
> Then, tell external clients to use the eth2 IP address to reach your
> web server, which should be listening on that IP. All of the incoming
> HTTP requests will arrive via eth2, and your new source-based routing
> policy will ensure that the responses go back out via eth2. You'll use
> eth1's upstream next-hop as your default gateway, so that any traffic
> you originate leaves via eth1.
>
>
> [Situation B]
>
>


> If the situation is (B), IPTables does play a role, but the 'ip'
> utility still does most of the work. First, you'll create an IPTables
> rule that 'marks' your outbound HTTP packets with a special flag,
> BEFORE the kernel gets to make any routing decisions about how to send
> them out. To mark traffic originating on your RH machine, use a rule
> like this:
>
>    `iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK
> --set-mark 0x11`
>
> If you want HTTPS traffic to be handled the same way, add an extra
> rule (or rules) with the parameter '--dport 443' instead of '--dport
> 80'.
>
> Then, you'll set up your routing tables and policy to forward these
> "marked" packets out via eth2, while all the rest of your traffic uses
> eth1. The source-based routing policy link, above, is helpful, here. I
> think the commands would be something like this:
>
>    `ip route add default via <ETH2_GW_IPADDRESS> table 11`
>    `ip route add default via <ETH1_GW_IPADDRESS>`
>    `ip rule add fwmark 0x11 table 11`
>
> If your server is acting as a router for other hosts, too, you'll need
> a more complex set of IPTables rules, but your routing policy and
> tables (the 'ip route...' and 'ip rule...' commands) should be the
> same.
>
> yes, my server is a the router of the LAN.



>
> This stuff looks intimidating the first few times you tackle it, but
> it's pretty straightforward once you get to know the concepts.


YES, VERY INTIMIDATING !!!!!


> The LARTC docs are very helpful. Good luck.
>



here is exactly what I have run in my server and worked:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK
--set-mark 2
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT

 echo "203   web" >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table web
ip route add default via 192.168.3.1 table web


Now the web traffic goes through the interface attached to the gw
192.168.3.1




>
> -Ryan
>
>

thank you Ryan for your answer.


> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>

More information about the redhat-list mailing list