Re: How to use TROXY target only for specific outgoing interface

On 1/14/2013 9:12 PM, Sebastian Poehn wrote:
I've drawn a new picture. We want to connect from Node 1 to the 'internet'. All traffic via wan1 shall be proxied, traffic over lan1 not.

The only valid match for this situation is the outgoing interface (oif == wan1: do proxy, else no proxy). It is not possible to match on
dst networks, as routing metrics may change, and with them even whether wan1 or wan2 is used for the uplink.

I cannot -A POSTROUTING -o wan1 -j TPROXY, as TPROXY must be called in PREROUTING (where -o is not available).

                internet
   ____________________________________
    A                              A
    |wan1                          |wan2
    |                              |
#########      #########      #########
#ROUTER1# lan1 #ROUTER2# lan3 #ROUTER3#
#   +   #<---->#       #<---->#       #
#TPROXY #  igp #       # igp  #       #
#########      #########      #########
    |
    | lan2
    |
#########
# NODE 1#
#       #
#       #
#########


Hey there,

Thanks for the new picture.
I understand what your problem is, since it's a very common concept.
But you must understand that most TPROXY systems are very static.

Take a deep breath and accept (like a server\socket) that the connections can be intercepted only in a prerouting table. What I suggest is to use a dynamic ipset to allow you this specific thing you need.

Since you can only use IP addresses or an incoming interface as a match in the prerouting, your problem is that you are using an IGP, which limits you to a specific protocol which I think BIRD or QUAGGA doesn't work with.

What you can do, if it were another protocol, is to run a cron task every once in a while to check whether the routing tables are still the same, and in case of a change update an ipset that you use to either bypass or intercept the traffic.

If you are working with routing protocols, it should be simple to know what traffic is being routed to WAN1.

Best regards,
Eliezer
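The cron-plus-ipset approach from the reply above, as an added example (not code from either poster): a script that turns the kernel's current routing table into an ipset of prefixes reached via a given interface, so a PREROUTING TPROXY rule can match on "destination goes out wan1" even though -o is unavailable there. The interface names, set name, proxy port and the sample route listing are assumptions; the set is built in a temporary set and swapped in, so the rule never matches against a half-built set.

```shell
#!/bin/sh
# Added example (not from the thread). Build an ipset of the prefixes the
# kernel currently routes via a given device, for use with a PREROUTING
# TPROXY rule. Interface, set and port names are assumptions.

# Read "ip route show" output on stdin and print an "ipset restore" script
# with every non-default prefix whose route uses the requested device.
# The default route is skipped on purpose: hash:net cannot hold 0.0.0.0/0,
# and when the uplink is the default route the clean approach is to build
# the set from the *other* interface's routes and use it as a bypass set
# (! --match-set), which the reply above also allows for.
routes_via_dev() {
    dev="$1"; setname="${2:-via_${1}}"
    echo "create ${setname}_tmp hash:net -exist"
    echo "flush ${setname}_tmp"
    awk -v dev="$dev" -v setname="${setname}_tmp" '
        # $1 is "default" or a prefix; the device name follows the word "dev"
        $1 != "default" {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i+1) == dev) {
                    prefix = $1
                    if (prefix !~ /\//) prefix = prefix "/32"   # host route
                    print "add " setname " " prefix
                }
        }'
    echo "create ${setname} hash:net -exist"
    echo "swap ${setname}_tmp ${setname}"      # atomic replacement
    echo "destroy ${setname}_tmp"
}

# Constructed sample of "ip route show" output for the thread's topology
# (lan1 carries IGP-learned prefixes, wan1 is the uplink).
SAMPLE_ROUTES='default via 203.0.113.1 dev wan1 metric 10
10.1.0.0/16 via 192.168.1.2 dev lan1 proto bird metric 20
198.51.100.0/24 via 203.0.113.1 dev wan1 proto bird metric 20
192.0.2.7 via 203.0.113.1 dev wan1
192.168.2.0/24 dev lan2 scope link'

# Run from cron (e.g. every minute) with live data on the TPROXY router:
#   ip route show | routes_via_dev wan1 | ipset restore
# then intercept only what the set matches (port and mark are assumptions):
#   iptables -t mangle -A PREROUTING -i lan2 -p tcp -m set --match-set via_wan1 dst \
#       -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
# For the bypass variant: routes_via_dev lan1 and "! --match-set via_lan1 dst".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ROUTES" | routes_via_dev wan1
fi
```

Routes that are withdrawn by the IGP simply disappear from the next generated set, which is what the reply's "check and update" loop needs.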
