Hi, On Wed, Nov 11, 2009 at 10:56, ESGLinux <esggrupos@xxxxxxxxx> wrote: > What I want to do is to use one of the lines (eth2) only to web traffic and > all the other kind of traffic to the other line (eth1) > > Using the route command I can´t make this routing, perhaps I can do it using > iptables, but I don´t know if is it possible, Your statement of intent is a little unclear--do you mean that: (A) You are running a local web server on your RH machine, and you want incoming HTTP clients to only arrive via eth2? or (B) You use your RH machine an an HTTP client to browse other remote web servers, and you want your HTTP client requests to depart via eth2? [Situation A] If the situation is (A), IPTables doesn't get involved at all. You need to implement source-based policy routing, so that you force your outbound HTTP response traffic to use the same interface on which its associated originating request arrives from the client. There's a great HOWTO here (http://lartc.org/howto/lartc.rpdb.multiple-links.html). You only need to worry about section 4.2.1 of that document. Also, you'll want to add a default route to the default routing table that uses eth1's upstream next-hop, so that any traffic you originate leaves via eth1, like this: `ip route add default via <ETH1_GW_IPADDRESS>` Then, tell external clients to use the eth2 IP address to reach your web server, which should be listening on that IP. All of the incoming HTTP requests will arrive via eth2, and your new source-based routing policy will ensure that the responses go back out via eth2. You'll use eth1's upstream next-hop as your default gateway, so that any traffic you originate leaves via eth1. [Situation B] If the situation is (B), IPTables does play a role, but the 'ip' utility still does most of the work. First, you'll create an IPTables rule that 'marks' your outbound HTTP packets with a special flag, BEFORE the kernel gets to make any routing decisions about how to send them out. To mark traffic originating on your RH machine, use a rule like this: `iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-mark 0x11` If you want HTTPS traffic to be handled the same way, add an extra rule (or rules) with the parameter '--dport 443' instead of '--dport 80'. Then, you'll set up your routing tables and policy to forward these "marked" packets out via eth2, while all the rest of your traffic uses eth1. The source-based routing policy link, above, is helpful, here. I think the commands would be something like this: `ip route add default via <ETH2_GW_IPADDRESS> table 11` `ip route add default via <ETH1_GW_IPADDRESS>` `ip rule add fwmark 0x11 table 11` If your server is acting as a router for other hosts, too, you'll need a more complex set of IPTables rules, but your routing policy and tables (the 'ip route...' and 'ip rule...' commands) should be the same. This stuff looks intimidating the first few times you tackle it, but it's pretty straightforward once you get to know the concepts. The LARTC docs are very helpful. Good luck. -Ryan -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
