Kenneth:

It's almost sure to work... but I don't have one of the latest versions of iptables (which includes this feature), so I can't make it that way... :-(
Anyway, I should update my netfilter... I'll check it!

Thank you, Kenneth, and if anybody has any other way to do this, it will be appreciated too!

Cheers,
G.Castro P.

> On 6/7/05, Gustavo Castro Puig <gcastro@xxxxxxxxxx> wrote:
>> Hi, list!
>>
>> I've got an issue to resolve and I want to know if it's possible to do
>> it with netfilter/iproute2. I've been googling for some time, but I
>> couldn't find the way to do this (maybe I'm not searching the correct
>> way), so any help from you will be *VERY* appreciated.
>> I have a firewall with two links, one direct to Internet and another
>> (to Internet too) through another firewall. All traffic is now going to
>> Internet through the other firewall, but I want to know if it's possible
>> to send some traffic (not all) through the direct link to Internet. I
>> don't want to redirect all traffic coming from some IPs; instead, I want
>> to redirect only SSH traffic (for example) from the box through the
>> direct link and all other traffic to the other firewall. Something like
>> a "per-protocol routing policy". I've been trying with iproute2 and
>> iptables, marking packets and routing them with two routing tables, but
>> it didn't work.
>
> I'm not an expert, nor have I done this myself. But from replies by
> members of the list and some reading up over the months I'd recommend
> using the ROUTE target.
>
> <man iptables>
> ROUTE
>     This is used to explicitly override the core network stack's
>     routing decision. mangle table.
>
>     --oif ifname
>         Route the packet through ifname network interface
>
>     --iif ifname
>         Change the packet's incoming interface to ifname
>
>     --gw IP_address
>         Route the packet via this gateway
>
>     --continue
>         Behave like a non-terminating target and continue
>         traversing the rules. Not valid in combination with --iif
> </man>
>
> So, let's say ppp0 and ppp1 are your links, and everything defaults to
> ppp0. You want ssh to go over ppp1, try one of these:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --oif ppp1
> - or -
> iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --gw 1.1.1.1
>
> In the above example, 1.1.1.1 is the gateway IP of ppp1.
>
> To the other members, can the above be combined in one shot? Providing
> both the interface and the gateway IP?
>
> HTH, I haven't tried this myself...
>
>> The firewall has two NICs, one (eth0) with the address 192.168.0.15 and
>> the other (eth1) with the public address.
>> This is what I've done:
>>
>> ------------------------------------------------------------------------
>> ip route flush table NEW
>> ip route add 192.168.0.0/24 dev eth0 table NEW
>> ip route add default via XXX.XXX.XXX.XXX table NEW dev eth1
>>
>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>
>> ip rule add fwmark 1 table NEW
>>
>> ip rule add from XXX.XXX.XXX.XXX table NEW
>>
>> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
>> ------------------------------------------------------------------------
>> None of these lines generates errors.
>> Maybe this is not possible, but if it is, how could it be done?
>> Thanks in advance!
>>
>> Cheers,
>> G.Castro P.
> --
>
> Kenneth Kalmer
> kenneth.kalmer@xxxxxxxxx
> http://opensourcery.blogspot.com
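The fwmark plus dedicated-table approach from the original post, packaged as an added example (not code from either poster) so the rule set can be listed without root, applied, and then checked with `ip route get ... mark`; the interface names, table name, mark value and the addresses from the documentation ranges are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-protocol policy routing for
# locally generated SSH via a fwmark and a second routing table.
# Every name and address below is an assumption; override via environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"; LAN_NET="${LAN_NET:-192.168.0.0/24}"
DIRECT_IF="${DIRECT_IF:-eth1}"            # NIC on the direct Internet link
DIRECT_IP="${DIRECT_IP:-203.0.113.15}"    # its public address (assumed)
DIRECT_GW="${DIRECT_GW:-203.0.113.1}"     # gateway on that link (assumed)
TABLE="${TABLE:-NEW}"                     # must exist in /etc/iproute2/rt_tables
MARK="${MARK:-1}"; PORT="${PORT:-22}"

# Print the commands in the order they must run, one per line.
# The "from $DIRECT_IP" rule keeps replies and rp_filter lookups for the
# public address on the direct link; "flush cache" matters on old kernels.
pbr_commands() {
    cat <<EOF
ip route flush table $TABLE
ip route add $LAN_NET dev $LAN_IF table $TABLE
ip route add default via $DIRECT_GW dev $DIRECT_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE
ip rule add from $DIRECT_IP lookup $TABLE
iptables -t mangle -A OUTPUT -p tcp --dport $PORT -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $DIRECT_IF -j MASQUERADE
ip route flush cache
EOF
}

# Execute the list (needs root), echoing each command first.
pbr_apply() { pbr_commands | while read -r cmd; do echo "+ $cmd"; eval "$cmd"; done; }

# Check one destination: the marked lookup must leave via the direct link,
# the unmarked lookup must not (it still goes through the other firewall).
pbr_verify() {
    dst="$1"
    ip route get "$dst" mark "$MARK" | grep -q "dev $DIRECT_IF" || return 1
    ip route get "$dst" | grep -q "dev $DIRECT_IF" && return 1
    return 0
}

case "${1:-list}" in
    apply)  pbr_apply ;;
    verify) pbr_verify "${2:-198.51.100.1}" ;;   # assumed test destination
    *)      pbr_commands ;;
esac
```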