LARTC - Aug 2007 - two providers.

Hello, people.

I read iptables tutorial and lartc, but i''m still confused with one
trouble.

May be this question was discussed already, so forward me solution, if
is.

So, there''s a trouble.

I have debian etch linux. 2.6.18-4 kernel.

On this computer i have three interfaces: eth0 - my lan, eth1, eth2 -
providers.

By default all internet traffic routed through eth2. But i NEED to
route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can i do that?

Regards, Vitaliy Tskhovrebov.

> So, there''s a trouble.
> 
> I have debian etch linux. 2.6.18-4 kernel.
> 
> On this computer i have three interfaces: eth0 - my lan, eth1, eth2 -
> providers.
> 
> By default all internet traffic routed through eth2. But i NEED to
> route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can i do
> that?
A while ago ive used a similar configuration, what ive done was:

- create additionall routing table

add all regular entries to it with changed default gateway for the second
provider like:

ip route add xxx.xxx.xxx.xxx via yyy.yyy.yyy.yyy table 2
...
ip route add default via IP_OF_2ND_GATEWAY table 2

- mark desired traffic with iptables

iptables -I FORWARD -s LAN_NET/MASK -p tcp --dport XXX -j MARK --set-mark 2

- use ip rules to direct marked packets via alternative routing table

ip rule add fwmark 2 table 2

- and maby add additionall rule to make all packages originating at eth1 ip to
go via table 2

ip rule add from ETH1_IP table 2

should be more or less something like this, though i dont recall if syntax was
exactly like ive wrote above.
big dissadvantage of this solution is utilisation of marks, that might be used
for another purpose.

-- 
Radek ''Goblin'' Pieczonka

On 8/16/07, Виталий Цховребов <mitnlag@yandex.ru>
wrote:
>
> Hello, people.
>
> I read iptables tutorial and lartc, but i'm still confused with one
> trouble.
>
> May be this question was discussed already, so forward me solution, if
> is.
>
> So, there's a trouble.
>
> I have debian etch linux. 2.6.18-4 kernel.
>
> On this computer i have three interfaces: eth0 - my lan, eth1, eth2 -
> providers.
>
> By default all internet traffic routed through eth2. But i NEED to
> route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can i do
> that?

That is policy routing.

Is it a SNATed firewall? I use below script for a SNATed firewall where I
have two links such as a Leasedline and a ADSL. I route web traffic (both
HTTP and HTTPS -- port tcp 80 and tcp 443) via ADSL link.

YOU want to route mail and icq (tcp110, tcp25, tcp5190) through eth1. pls
change your ports accordinly.

Pls replace gatewayipofprovider1, gatewayipofprovider2, ipofETH1 and
ipofETH2 with yours.

by default, My firewall also routes trafic via eth2 (i.e-
gatewayipofprovider1---
Leasedline or realiplink ) I route http and https traffic via eth1
(i.e- gatewayipofprovider2
--ADSL or adsllink ) .

in your case, it is the SAME.


below is the Script.

echo 210 realiplink >> /etc/iproute2/rt_tables
echo 211 adsllink >> /etc/iproute2/rt_tables

ip route add  <http://203.115.26.65/>gatewayipofprovider1 dev eth2 table
realiplink
ip route add default via gatewayipofprovider1 dev eth2 table realiplink

ip route add gatewayipofprovider2 dev eth1 table adsllink
ip route add default via gatewayipofprovider2 dev eth1 table adsllink

iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 -j MARK
--set-mark 1

ip rule add fwmark 1 pri 100 table adsllink

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source ipofETH1

echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

ip rule add from ipofETH2 pri 200 table realiplink
ip rule add from ipofETH1 pri 300 table adsllink


Then, issue below command to see routing tables

 ip rule list


PLS NOTE:

In the above script, I have marked OUTPUT trafic as 1. below is the command
I have given

iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 -j MARK
--set-mark 1

the reason for that is the firewall is itself is a SQUID proxy server. But
not a TRANSPARENT PROXY.
Just acts as a normal proxy. (i.e- I have configured client browsers with ip
address and port 3128.)

 Try with the above script and see if it works. UNLESS it works, pls replace
the above command with this.

iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 80,443 -j MARK
--set-mark 1

or

iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443
-j MARK --set-mark 1


try this nad be HAPPY




_______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>


-- 
Thank you
Indunil Jayasooriya


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

One solution would be to mark outbound packets using iptables and then route
them based on the marks.

> Hello, people.
> 
> I read iptables tutorial and lartc, but i''m still confused with
one
> trouble.
> 
> May be this question was discussed already, so forward me solution, if
> is.
> 
> So, there''s a trouble.
> 
> I have debian etch linux. 2.6.18-4 kernel.
> 
> On this computer i have three interfaces: eth0 - my lan, eth1, eth2 -
> providers.
> 
> By default all internet traffic routed through eth2. But i NEED to
> route mail and icq (tcp110, tcp25, tcp5190) through eth1. How can i do
> that?
> 
> Regards, Vitaliy Tskhovrebov.
>

Thanks all who help me, i''ll try solutions soon, and i''ll
write to the
list.

-- 
С уважением,
 Виталий                          mailto:mitnlag@yandex.ru