LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 08-12-2010, 12:50 PM   #1
yeager
Force TCP traffic out over specific interface when IP is bound to another local NIC


I'm hoping some of the Linux network experts can help me with this problem.

Situation: I have a technology which is a WebLogic JEE application that communicates to an Oracle database. Everything is installed in a single Linux virtual machine running in VirtualBox. Traffic from the JEE application goes via JDBC over TCP to the local running database. What I want to do is test a new database firewall server that wants all traffic destined for the database to flow via another virtual machine running the DB Firewall software.

So what I need to do is have DB traffic forced out over one interface, only to return on another interface on the same VM listening on a different address.

e.g.

JEE application running in WebLogic bound to 192.168.111.12 (eth1 a VirtualBox hostonly interface). Makes a request for 10.0.111.12 (eth2 a VirtualBox internal interface) which the database is listening on. Because both IPs are on local interfaces, Linux is going to handle the traffic and not route the 10.x traffic via the 192.x interface.

I also have running the database firewall server which has a bridge (br0) between the HostOnly network and the Internal network.

Both systems are running Oracle Enterprise Linux R5U4, which is basically the same as RedHat.

What I want to do is have the request for 10.0.111.12 forced out via 192.168.111.12, bridged over the br0 connection and back into 10.0.111.12 and to the database.

My networking knowledge is pretty good, but I'm stuck right now on the right way to do this. I'm pretty sure it is possible, I just need clear advice.

Reason for setup: Ideally I would build the system with the database on a separate machine so that I can easily route the traffic. Unfortunately we have many VirtualBox-based demonstration systems with both the application and database installed on the same VM, and therefore the amount of work to migrate these to dual VMs is going to be significant; also, many of these VMs are demonstrated from laptops which have limited resources, and creating a new database VM reduces overall performance.

If I can create a way to force the traffic in this manner off and back onto the same VM via the other VM bridge, it would be fantastic.

Can anyone help figure out the correct way to do this?
 
Old 08-13-2010, 07:24 AM   #2
scheidel21
This is a doozy that you are asking for. It might be doable with iptables PREROUTING rules: basically test for TCP traffic and route it over interface 1, then the second machine routes it back to interface 2. The problem you face here is that the VM knows about both interfaces; there is no way to send traffic to the other subnet without staying on the system unless you specifically route that traffic over the other interface. You need the other router because once it gets to the other machine it needs to traverse to the other subnet and be sent back. But you need a third/second VM system to act as a router. Alternatively, and much more easily, clone the system VM and run a second instance, and set the client up on the second VM to connect to the first. I know you say that the demo systems are self-contained, but depending on the database size this option might not be bad: change the IP addresses of the virtual NICs and just let traffic flow from one system to the other.
 
Old 08-13-2010, 02:30 PM   #3
yeager
Quote:
Originally Posted by scheidel21 View Post
This is a doozy that you are asking for. It might be doable with iptables PREROUTING rules: basically test for TCP traffic and route it over interface 1, then the second machine routes it back to interface 2. The problem you face here is that the VM knows about both interfaces; there is no way to send traffic to the other subnet without staying on the system unless you specifically route that traffic over the other interface. You need the other router because once it gets to the other machine it needs to traverse to the other subnet and be sent back. But you need a third/second VM system to act as a router. Alternatively, and much more easily, clone the system VM and run a second instance, and set the client up on the second VM to connect to the first. I know you say that the demo systems are self-contained, but depending on the database size this option might not be bad: change the IP addresses of the virtual NICs and just let traffic flow from one system to the other.
I don't quite understand what you mean by doozy; do you mean easy?

As I said in my original post, creating another separate VM isn't going to be feasible for most systems, i.e. duplicating an 80GB PeopleSoft VM or creating a new VM just to host the database is a huge amount of work. Finding a way to pipe the traffic out, across the database firewall bridge and back would be ideal.

So I think the tasks are:

1. Use iptables to route traffic destined for the database out on a specific interface.
2. The bridge then forwards the packet from interface 1 to interface 2.
3. The database interface accepts the packet and the return traffic flows correctly back via the bridge.

Anyone have some specific config that I can start with?
 
Old 08-13-2010, 10:47 PM   #4
LVsFINEST
By doozy, he means difficult.

I'm not sure about your suggestion, but what about doing something like this:

1. Point the JEE app to the DB firewall IP instead of the local DB (so traffic would leave the box without iptables hacks).
2. Configure the DB firewall to analyze the received traffic, then NAT it back to the JEE DB IP/port.
 
Old 08-14-2010, 09:49 PM   #5
scheidel21
Wouldn't setting the IP used to access the DB to the other IP still be a moot point? Because it is an IP of the system itself, the network traffic never gets processed by the firewall rules.
 
Old 08-16-2010, 04:02 PM   #6
yeager
Quote:
Originally Posted by LVsFINEST View Post
By doozy, he means difficult.

I'm not sure about your suggestion, but what about doing something like this:

1. Point the JEE app to the DB firewall IP instead of the local DB (so traffic would leave the box without iptables hacks).
2. Configure the DB firewall to analyze the received traffic, then NAT it back to the JEE DB IP/port.
But my problem is that the database firewall is a black box that I can't make changes to, and it doesn't expose the ability to modify routing tables. It is essentially just a firewall bridge that watches all the SQL traffic.
 
Old 08-16-2010, 04:03 PM   #7
yeager
Quote:
Originally Posted by scheidel21 View Post
Wouldn't setting the IP used to access the DB to the other IP still be a moot point? Because it is an IP of the system itself, the network traffic never gets processed by the firewall rules.
Well, that is my question: can this be done at all? I was wondering if it was possible to set up a fake IP address that would get placed onto eth0 and have iptables mess with the destination and source data in such a way that I could fake the packet over the bridge and back in the other side.

But it seems from the lack of responses that what I want to do isn't possible.
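The "fake IP plus NAT" idea in the post above can be sketched concretely. The script below is an added example written for this page, not something posted in the thread or shipped with the DB firewall product, and the thread never confirms it was tried. It assumes the addresses and interfaces the thread gives (192.168.111.12 on eth1, 10.0.111.12 on eth2), an Oracle listener on port 1521, and two spare addresses (10.0.111.99 and 192.168.111.99) that are not configured on any interface of the VM; those two addresses, the port and the interface names are assumptions. The JDBC URL has to be changed to point at the fake DB address, because, as scheidel21 notes, a packet addressed to one of the VM's own IPs is delivered via the `local` routing table and never reaches the wire. The idea is: the fake DB address is routed out eth1 with a static ARP entry pointing at eth2's own MAC, the source is SNATed to a second fake address so the packet is not dropped as a martian (a local source address arriving from the wire) when the firewall bridge hands it back in on eth2, and a PREROUTING DNAT on eth2 turns the fake destination into the real listener; conntrack reverses both mappings for the reply, which crosses the bridge a second time. The script only prints the commands unless APPLY=1 is set, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread: hairpin a local JDBC connection out eth1,
# through the firewall VM's bridge, and back in on eth2 with two fake IPs + NAT.
# Addresses, interfaces, the listener port and the two fake IPs are assumptions.
# Dry run by default (prints the commands); APPLY=1 executes them (needs root).

APP_IF=eth1;  APP_IP=192.168.111.12   # JEE app binds here (host-only side)
DB_IF=eth2;   DB_IP=10.0.111.12       # Oracle listener binds here (internal side)
DB_PORT=1521
FAKE_DB=10.0.111.99       # assumed free; the JDBC URL must point here instead of DB_IP
FAKE_APP=192.168.111.99   # assumed free; what the listener sees as the client address
APPLY=${APPLY:-0}

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$@"; fi
}

# MAC address of an interface from sysfs; a placeholder keeps the dry-run output
# readable on a machine that lacks the interface.
mac_of() {
    if [ -r "/sys/class/net/$1/address" ]; then
        cat "/sys/class/net/$1/address"
    else
        echo "<mac-of-$1>"
    fi
}

hairpin_rules() {
    app_mac=$(mac_of "$APP_IF")
    db_mac=$(mac_of "$DB_IF")

    # 1. Routing: neither fake address is local, so the kernel cannot short-circuit
    #    delivery; send FAKE_DB out eth1 and FAKE_APP (the reply path) out eth2.
    run ip route replace "$FAKE_DB/32"  dev "$APP_IF" src "$APP_IP"
    run ip route replace "$FAKE_APP/32" dev "$DB_IF"  src "$DB_IP"

    # 2. ARP: nothing on the wire answers for the fake addresses, so pin each one
    #    to this VM's own MAC on the far side. The firewall bridge forwards frames
    #    by MAC between the host-only and internal segments.
    run ip neigh replace "$FAKE_DB"  lladdr "$db_mac"  dev "$APP_IF" nud permanent
    run ip neigh replace "$FAKE_APP" lladdr "$app_mac" dev "$DB_IF"  nud permanent

    # 3. Outbound leg: app -> FAKE_DB leaves eth1 with its source rewritten to
    #    FAKE_APP, so the copy that comes back in on eth2 does not carry a local
    #    source address (which the kernel would drop as a martian).
    run iptables -t nat -A POSTROUTING -o "$APP_IF" -p tcp -d "$FAKE_DB" \
        --dport "$DB_PORT" -j SNAT --to-source "$FAKE_APP"

    # 4. Inbound leg: on eth2 rewrite FAKE_DB to the real listener. conntrack undoes
    #    the DNAT on the reply (src becomes FAKE_DB again, routed out eth2 via the
    #    bridge) and undoes the SNAT when that reply re-enters eth1.
    run iptables -t nat -A PREROUTING -i "$DB_IF" -p tcp -d "$FAKE_DB" \
        --dport "$DB_PORT" -j DNAT --to-destination "$DB_IP:$DB_PORT"
}

hairpin_rules
```

Before applying this, `ip route get 10.0.111.12 from 192.168.111.12` shows the `local` table entry that keeps the unmodified traffic inside the VM, and `ip route get 10.0.111.99` afterwards should show `dev eth1`. If connections still fail, the first things to check are `dmesg` for "martian source" drops (enable `net.ipv4.conf.all.log_martians=1` to see them), that the `/32` routes put each fake address on the interface it arrives on (otherwise strict `rp_filter` rejects it), and `conntrack -L` or `/proc/net/nf_conntrack` for the two expected entries per connection. Leaving the real listener address reachable from 192.168.111.x means the firewall can still be bypassed by anything that uses the old URL; for a demo that is acceptable, for an enforcement setup it is not.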
 
Old 08-17-2010, 09:16 AM   #8
scheidel21
Will this help at all? It seems it might be what you are looking for. http://serverfault.com/questions/127...rnal-interface
 
All times are GMT -5.