LinuxQuestions.org


yeager 08-12-2010 12:50 PM

Force TCP traffic out over specific interface when IP is bound to another local NIC
 
I'm hoping some of the Linux network experts can help me with this problem.

Situation: I have a technology which is a WebLogic JEE application that communicates to an Oracle database. Everything is installed in a single Linux virtual machine running in VirtualBox. Traffic from the JEE application goes via JDBC over TCP to the local running database. What I want to do is test a new database firewall server that wants all traffic destined for the database to flow via another virtual machine running the DB Firewall software.

So therefore what I need to do is have DB traffic forced out over one interface, only to return on another interface on the same VM listening on a different address.

e.g.

JEE application running in WebLogic bound to 192.168.111.12 (eth1, a VirtualBox host-only interface). Makes a request for 10.0.111.12 (eth2, a VirtualBox internal interface), which the database is listening on. Because both IPs are on local interfaces, Linux is going to handle the traffic and not route the 10.x traffic via the 192.x interface.

I also have running the database firewall server which has a bridge (br0) between the HostOnly network and the Internal network.

Both systems are running Oracle Enterprise Linux R5U4, which is basically the same as RedHat.

What I want to do is have the request for 10.0.111.12 forced out via 192.168.111.12, bridged over the br0 connection and back into 10.0.111.12 and to the database.

My networking knowledge is pretty good, but I'm stuck right now on the right way to do this. I'm pretty sure it is possible, I just need clear advice.

Reason for setup: Ideally I would build the system with the database on a separate machine so that I can easily route the traffic. Unfortunately we have many VirtualBox based demonstration systems with both the application and database installed on the same VM and therefore the amount of work to migrate these two dual VMs is going to be significant, also many of these VMs are demonstrated from laptops which have limited resources and creating a new database VM reduces overall performance.

If I can create a way to force the traffic in this manner off and back onto the same VM via the other VM bridge, it would be fantastic.

Can anyone help figure out the correct way to do this?

scheidel21 08-13-2010 07:24 AM

This is a doozy that you are asking for. It might be doable with iptables, prerouting rules: basically test for TCP traffic and route over interface 1, then the second machine routes it back to interface 2. The problem you face here is the VM knows about both interfaces; there is no way to send traffic to the other subnet without staying on the system unless you specifically route that traffic over the other interface. You need the other router because once it gets to the other machine it needs to traverse to the other subnet and be sent back. But you need a third/second VM system to act as a router. Alternatively, and much more easily, clone the system VM and run a second instance and set the client up on the second VM to connect to the first. I know you say that the demo systems are self contained, but depending on the database size this option might not be bad; change the IP addresses of the virtual NICs and just let traffic flow from one system to the other.

yeager 08-13-2010 02:30 PM

Quote:

Originally Posted by scheidel21 (Post 4065109)
This is a doozy that you are asking for. It might be doable with iptables, prerouting rules: basically test for TCP traffic and route over interface 1, then the second machine routes it back to interface 2. The problem you face here is the VM knows about both interfaces; there is no way to send traffic to the other subnet without staying on the system unless you specifically route that traffic over the other interface. You need the other router because once it gets to the other machine it needs to traverse to the other subnet and be sent back. But you need a third/second VM system to act as a router. Alternatively, and much more easily, clone the system VM and run a second instance and set the client up on the second VM to connect to the first. I know you say that the demo systems are self contained, but depending on the database size this option might not be bad; change the IP addresses of the virtual NICs and just let traffic flow from one system to the other.

I don't quite understand what you mean by doozy; do you mean easy?

As I said in my original post, creating another separate VM isn't going to be feasible for most systems, i.e. duplicating an 80GB PeopleSoft VM or creating a new VM to just host the database is a huge amount of work. Finding a way to pipe the traffic out, across the database firewall bridge and back would be ideal.

So I think the tasks are:

1. Use iptables to route traffic destined for the database out on a specific interface.
2. The bridge then forwards the packet from interface 1 to 2.
3. Database interface accepts the packet and return traffic flows correctly back via the bridge.

Anyone have some specific config that I can start with?

LVsFINEST 08-13-2010 10:47 PM

By doozy, he means difficult.

I'm not sure about your suggestion, but what about doing something like this:

1. Point JEE app to DB firewall IP instead of local DB (so traffic would leave the box w/o IPtable hacks).
2. Configure DB firewall to analyze received traffic then NAT it back to the JEE DB IP:port

scheidel21 08-14-2010 09:49 PM

Wouldn't setting the IP to access the DB to the other IP still be a moot point? Because it is an IP of the system itself, the network traffic never gets processed by the firewall rules.

yeager 08-16-2010 04:02 PM

Quote:

Originally Posted by LVsFINEST (Post 4065790)
By doozy, he means difficult.

I'm not sure about your suggestion, but what about doing something like this:

1. Point JEE app to DB firewall IP instead of local DB (so traffic would leave the box w/o IPtable hacks).
2. Configure DB firewall to analyze received traffic then NAT it back to the JEE DB IP:port

But my problem is the database firewall is a black box that I can't make changes to and it doesn't expose the ability to modify routing tables. It is essentially just a firewall bridge that watches all the SQL traffic.

yeager 08-16-2010 04:03 PM

Quote:

Originally Posted by scheidel21 (Post 4066604)
Wouldn't setting the IP to access the DB to the other IP still be a moot point? Because it is an IP of the system itself, the network traffic never gets processed by the firewall rules.

Well that is my question: can this be done at all? I was wondering if it was possible to set up a fake IP address that would get placed onto eth0 and have iptables mess with the destination and source data in such a way that I could fake the packet over the bridge and back in the other side.

But it seems from the lack of responses that what I want to do isn't possible :(
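A starting rule set for the three tasks listed earlier and the fake-IP idea in this post, added here as an example and not code from the thread. It uses the thread's interface names and addresses, and assumes everything else: the two phantom addresses (unused on their subnets), the MACs of eth1 and eth2, port 1521 as the listener port, and iproute2 plus iptables with NAT/conntrack on the VM. The trick is that a DNAT in the nat OUTPUT chain turns the local destination into a non-local one, so the kernel re-routes the packet through a policy table that points at eth1, a static ARP entry addresses the frame to eth2's MAC so the firewall bridge carries it across, and a PREROUTING DNAT on eth2 restores the real address; the SNAT and second table do the same in mirror image for the reply.

```shell
#!/bin/sh
# Hairpin the local JDBC connection out eth1, through the DB firewall bridge,
# and back in on eth2. Prints the commands by default; APPLY=1 runs them (as root).
# Values marked "assumed" are placeholders, not taken from the thread.
APP_IF=eth1; APP_IP=192.168.111.12; APP_MAC=08:00:27:aa:00:01   # assumed eth1 MAC
DB_IF=eth2;  DB_IP=10.0.111.12;     DB_MAC=08:00:27:aa:00:02    # assumed eth2 MAC
DB_PORT=1521             # assumed: Oracle's default listener port
PH_DB=10.0.111.99        # assumed phantom for the DB; must be unused on the internal net
PH_APP=192.168.111.99    # assumed phantom for the app; must be unused on the host-only net

# The rule set, in the order the first packet meets it:
#  1. OUTPUT DNAT: real DB address -> phantom, so the destination is no longer local
#  2-3. policy rule + route: the phantom leaves via eth1 with eth1's address as source
#  4. static ARP: the frame is addressed to eth2's MAC, which the bridge carries across
#  5. POSTROUTING SNAT: the source becomes a phantom too, so eth2 never sees its own IP
#  6. PREROUTING on eth2: phantom -> real DB address and port
#  7-9. mirror image so the DB's reply leaves via eth2 and comes back in on eth1
hairpin_rules() {
  cat <<EOF
iptables -t nat -A OUTPUT -d $DB_IP -p tcp --dport $DB_PORT -j DNAT --to-destination $PH_DB
ip rule add to $PH_DB lookup 100 priority 100
ip route add $PH_DB/32 dev $APP_IF src $APP_IP table 100
ip neigh add $PH_DB lladdr $DB_MAC dev $APP_IF nud permanent
iptables -t nat -A POSTROUTING -o $APP_IF -d $PH_DB -j SNAT --to-source $PH_APP
iptables -t nat -A PREROUTING -i $DB_IF -d $PH_DB -p tcp --dport $DB_PORT -j DNAT --to-destination $DB_IP
ip rule add to $PH_APP lookup 101 priority 101
ip route add $PH_APP/32 dev $DB_IF src $DB_IP table 101
ip neigh add $PH_APP lladdr $APP_MAC dev $DB_IF nud permanent
EOF
}

# Number of commands in the set, for a sanity check before applying.
hairpin_rule_count() { hairpin_rules | wc -l | tr -d ' '; }

# Run each command, stopping at the first failure so a half-applied set is obvious.
apply_hairpin() {
  hairpin_rules | while read -r cmd; do
    echo "+ $cmd"
    $cmd || { echo "failed: $cmd" >&2; exit 1; }
  done
}

if [ "$APPLY" = 1 ]; then apply_hairpin; else hairpin_rules; fi
```

Before trusting it, watch both NICs with tcpdump for the rewritten SYN leaving eth1 and arriving on eth2; if eth2 logs the packet as a martian, that kernel's reverse-path check is rejecting the hairpinned source and the phantom and route pairing needs revisiting.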

scheidel21 08-17-2010 09:16 AM

Will this help at all? It seems it might be what you are looking for. http://serverfault.com/questions/127...rnal-interface

