Apologies Scott, and the list... I only realise now that I left out a crucial part of the command, what a silly mistake... goes to show that you have to test before posting... Try one of these two:

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --oif ppp1

- or -

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j ROUTE --gw 1.1.1.1

I added "-p tcp" since SSH runs on TCP to destination port 22... Test and let me know, I can't test this now since my whole network is changed around for another project...

On 6/8/05, Scott <gneamob@xxxxxxxxx> wrote:
> It doesn't, at least not with 1.2.11, here is the error:
>
> iptables v1.2.11: Unknown arg `--dport'
> Try `iptables -h' or 'iptables --help' for more information.
>
> tested with a 2.6.11 kernel.
>
> --- Gustavo Castro Puig <gcastro@xxxxxxxxxx> wrote:
>
> > Kenneth:
> >
> > It's almost sure to work... but I don't have one of the latest versions
> > of iptables (which includes this feature), so I can't make it that
> > way... :-(
> > Anyway, I should update my netfilter...
> > I'll check it!
> > Thank you, Kenneth, and if anybody has any other way to do this, it will be
> > appreciated too!
> >
> > Cheers,
> > G.Castro P.
> >
> > > On 6/7/05, Gustavo Castro Puig <gcastro@xxxxxxxxxx> wrote:
> > >> Hi, list!
> > >>
> > >> I've got an issue to resolve and I want to know if it's possible to do
> > >> it with netfilter/iproute2. I've been googling for some time, but I
> > >> couldn't find the way to do this (maybe I'm not searching the correct
> > >> way), so any help from you will be *VERY* appreciated.
> > >> I have a firewall with two links, one direct to Internet and another
> > >> (to Internet too) through another firewall. All traffic is now going to
> > >> Internet through the other firewall, but I want to know if it's possible
> > >> to send some traffic (not all) through the direct link to Internet. I
> > >> don't want to redirect all traffic coming from some IPs, instead, I want
> > >> to redirect only SSH traffic (for example) from the box through the
> > >> direct link and all other traffic to the other firewall. Something like
> > >> a "per-protocol routing policy". I've been trying with iproute2 and
> > >> iptables, marking packets and routing them with two routing tables, but
> > >> it didn't work.
> > >
> > > I'm not an expert, nor have I done this myself. But from replies by
> > > members of the list and some reading up over the months I'd recommend
> > > using the ROUTE target.
> > >
> > > <man iptables>
> > > ROUTE
> > >     This is used to explicitly override the core network stack's
> > >     routing decision. mangle table.
> > >
> > >     --oif ifname
> > >         Route the packet through ifname network interface
> > >
> > >     --iif ifname
> > >         Change the packet's incoming interface to ifname
> > >
> > >     --gw IP_address
> > >         Route the packet via this gateway
> > >
> > >     --continue
> > >         Behave like a non-terminating target and continue
> > >         traversing the rules. Not valid in combination with --iif
> > > </man>
> > >
> > > So, let's say ppp0 and ppp1 are your links, and everything defaults to
> > > ppp0. You want ssh to go over ppp1, try one of these:
> > >
> > > iptables -t mangle -A PREROUTING --dport 22 -j ROUTE --oif ppp1
> > > - or -
> > > iptables -t mangle -A PREROUTING --dport 22 -j ROUTE --gw 1.1.1.1
> > >
> > > In the above example, 1.1.1.1 is the gateway IP of ppp1.
> > >
> > > To the other members, can the above be combined in one shot? Providing
> > > both the interface and the gateway IP?
> > >
> > > HTH, I haven't tried this myself...
> > >
> > >> The firewall has two NICs, one (eth0) with an address 192.168.0.15 and
> > >> the other (eth1) with the public address.
> > >> This is what I've done:
> > >>
> > >> ------------------------------------------------------------------------
> > >> ip route flush table NEW
> > >> ip route add 192.168.0.0/24 dev eth0 table NEW
> > >> ip route add default via XXX.XXX.XXX.XXX table NEW dev eth1
> > >>
> > >> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> > >>
> > >> ip rule add fwmark 1 table NEW
> > >>
> > >> ip rule add from XXX.XXX.XXX.XXX table NEW
> > >>
> > >> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
> > >>
> > >> ------------------------------------------------------------------------
> > >> None of these lines generate errors.
> > >> Maybe this is not possible, but if it is, how could it be done?
> > >> Thanks in advance!
> > >>
> > >> Cheers,
> > >> G.Castro P.
> > > --
> > >
> > > Kenneth Kalmer
> > > kenneth.kalmer@xxxxxxxxx
> > > http://opensourcery.blogspot.com
> > >
> > >

--
Kenneth Kalmer
kenneth.kalmer@xxxxxxxxx
http://opensourcery.blogspot.com
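Editor's added example (not posted by anyone in the thread above): the per-protocol policy routing Gustavo asked for, done with the stock MARK target plus a fwmark ip rule, which is what a practitioner would reach for since the ROUTE target lived in patch-o-matic and not in a standard iptables build. The interface names, the placeholder public address 203.0.113.15 and gateway 203.0.113.1 (TEST-NET-3 documentation space), the table number and the mark value are all assumptions of this example. It covers two things Gustavo's script did not: marking in PREROUTING as well as OUTPUT, so forwarded LAN traffic is steered and not only traffic from the firewall itself, and rewriting the source address of locally generated packets, because the kernel chose their source address during the first route lookup (main table, default via the other firewall) before the OUTPUT mangle rule marked them and triggered the re-route. DRY_RUN=1 (the default) prints the commands instead of running them, so the script can be inspected without root.

```shell
#!/bin/sh
# Per-protocol policy routing with fwmark + ip rule.
# Added example; names and addresses below are hypothetical.
# Assumptions: WAN_IF is the direct link carrying PUBLIC_IP with gateway GW,
# LAN_IF carries the 192.168.0.0/24 side, and the main routing table's default
# route already points at the other firewall. Set DRY_RUN=0 to apply (as root).

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.15}"   # placeholder, TEST-NET-3
GW="${GW:-203.0.113.1}"                  # placeholder gateway on the direct link
LAN_NET="${LAN_NET:-192.168.0.0/24}"
MARK=1
TABLE=100

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

policy_route_setup() {
    # Secondary table: the LAN stays directly reachable, everything else
    # leaves via the direct link instead of the other firewall.
    run ip route flush table "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$GW" dev "$WAN_IF" table "$TABLE"

    # Mark only SSH (TCP/22). PREROUTING sees forwarded LAN traffic,
    # OUTPUT sees traffic originating on the firewall itself; a mark set in
    # OUTPUT makes the kernel re-run the routing decision for that packet.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 22 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport 22 \
        -j MARK --set-mark "$MARK"

    # Marked packets consult the secondary table. Packets sourced from the
    # public address must use it too, so replies leave by the link they
    # arrived on rather than via the other firewall.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip rule add from "$PUBLIC_IP" table "$TABLE"

    # Locally generated packets already carry the source address picked by
    # the first (main-table) lookup; rewrite it on the way out of the direct
    # link so the remote SSH server replies to the right address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"

    run ip route flush cache
}

# Number of generated rules that set the mark; lets a dry run be checked.
count_mark_rules() {
    policy_route_setup | grep -c -- "--set-mark $MARK"
}

policy_route_setup
```

Once applied, `ip rule show` should list the fwmark and from rules ahead of the main table, and `ip route show table 100` the two routes. If forwarded SSH from the LAN still fails, check rp_filter on the direct link: with asymmetric paths, reverse-path filtering drops replies that arrive on an interface the main table would not have used.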