2009/11/11 Ryan Lynch <ryan.b.lynch@xxxxxxxxx> > Hi, > > On Wed, Nov 11, 2009 at 10:56, ESGLinux <esggrupos@xxxxxxxxx> wrote: > > What I want to do is to use one of the lines (eth2) only to web traffic > and > > all the other kind of traffic to the other line (eth1) > > > > Using the route command I can´t make this routing, perhaps I can do it > using > > iptables, but I don´t know if is it possible, > > > Your statement of intent is a little unclear--do you mean that: > ;-) Sorry, sometimes I think I´m clear but really I´m not. > > (A) You are running a local web server on your RH machine, and you > want incoming HTTP clients to only arrive via eth2? > or > (B) You use your RH machine an an HTTP client to browse other remote > web servers, and you want your HTTP client requests to depart via > eth2? > > The scenario is B. I skip to it > > [Situation A] > > If the situation is (A), IPTables doesn't get involved at all. You > need to implement source-based policy routing, so that you force your > outbound HTTP response traffic to use the same interface on which its > associated originating request arrives from the client. There's a > great HOWTO here > (http://lartc.org/howto/lartc.rpdb.multiple-links.html). You only need > to worry about section 4.2.1 of that document. Also, you'll want to > add a default route to the default routing table that uses eth1's > upstream next-hop, so that any traffic you originate leaves via eth1, > like this: > > `ip route add default via <ETH1_GW_IPADDRESS>` > > Then, tell external clients to use the eth2 IP address to reach your > web server, which should be listening on that IP. All of the incoming > HTTP requests will arrive via eth2, and your new source-based routing > policy will ensure that the responses go back out via eth2. You'll use > eth1's upstream next-hop as your default gateway, so that any traffic > you originate leaves via eth1. > > > [Situation B] > > > If the situation is (B), IPTables does play a role, but the 'ip' > utility still does most of the work. First, you'll create an IPTables > rule that 'marks' your outbound HTTP packets with a special flag, > BEFORE the kernel gets to make any routing decisions about how to send > them out. To mark traffic originating on your RH machine, use a rule > like this: > > `iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j MARK > --set-mark 0x11` > > If you want HTTPS traffic to be handled the same way, add an extra > rule (or rules) with the parameter '--dport 443' instead of '--dport > 80'. > > Then, you'll set up your routing tables and policy to forward these > "marked" packets out via eth2, while all the rest of your traffic uses > eth1. The source-based routing policy link, above, is helpful, here. I > think the commands would be something like this: > > `ip route add default via <ETH2_GW_IPADDRESS> table 11` > `ip route add default via <ETH1_GW_IPADDRESS>` > `ip rule add fwmark 0x11 table 11` > > If your server is acting as a router for other hosts, too, you'll need > a more complex set of IPTables rules, but your routing policy and > tables (the 'ip route...' and 'ip rule...' commands) should be the > same. > > yes, my server is a the router of the LAN. > > This stuff looks intimidating the first few times you tackle it, but > it's pretty straightforward once you get to know the concepts. YES, VERY INTIMIDATING !!!!! > The LARTC docs are very helpful. Good luck. > here is exactly what I have run in my server and worked: iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2 iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -j ACCEPT echo "203 web" >> /etc/iproute2/rt_tables ip rule add fwmark 2 table web ip route add default via 192.168.3.1 table web Now the web traffic goes through the interface attached to the gw 192.168.3.1 > > -Ryan > > thank you Ryan for your answer. > -- > redhat-list mailing list > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe > https://www.redhat.com/mailman/listinfo/redhat-list > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subjecthttps://www.redhat.com/mailman/listinfo/redhat-list
