Iptables / routing to destination address through interface
Hey all,
This is the scenario: I have a squid transparent proxy set up that's working rather nicely. Now I have 4 network adapters, 3 of which connect me to the internet. My question is, is it possible to let a particular interface (network card) handle the connection to an address, say yahoo.com?
So, from the user end, they type in "yahoo.com", it goes to the squid proxy, checks the cache, goes to the iptables/route, sees that destination yahoo.com is to go through eth1.
You know... I'd just written a post that said that that was dumb and pointless and impossible. Then I go away and actually see if it is possible, and lo.. looks like it is to some extent. I'm not a great iptables fan, so I can't provide actual examples, but grepping through the iptables manpage shows that you can use a string match target and then there is the route destination to point it in a certain direction. Here's a link to an OLD doc about the string match http://www.securityfocus.com/infocus/1531 and the syntax looks fairly logical, assuming it's still correct. And the route side is here: http://www.netfilter.org/patch-o-mat...om-extra-ROUTE impressive huh?
I played around with the netfilter extras (patch-o-matic) but couldn't get it to compile cleanly on my kernel (2.6.16.11), but I don't think the iptables will work because I already have transparent proxy set up that takes all incoming port 80 requests and forwards them to port 3128. If I put a next rule just under that it won't match since they're gonna match the transparent proxy rule.
Now for squid to handle requests, it has to go through a gateway, right? Now is there any table that I can manipulate to handle the outgoing connections?
I'm thinking in the direction of ip rule/ip route commands, but not too sure about this.
Well, it's not squid's place to decide how to route. You could set static routes on your system for different destinations, which is what I was originally going to suggest, but be clear of the levels of separation between a proxy and a router. As for the iptables rules, if you can get the extras working, I don't see an issue, just as long as you match the right traffic, i.e. packets from your local address, e.g. squid going out to the web with a string match for a yahoo url or whatever. Note that the string match would find the url, which would never be changed in a transparent proxy.
Well I did some playing around and got the string matching part to work, but not the ROUTE part.
For those of you who want to do this, here's what I did:
I got a source (2.6.16.5) from kernel.org, untarred it to a folder, got a copy of iptables (1.3.5) and untarred that too, got me a copy of patch-o-matic-ng and untarred it also. I ran the p-o-m (./runme extras), giving the folders with kernel source and iptables source, and applied the patch I wanted (ROUTE). Next, I start xmenuconfig and compile the kernel making sure the "string" match option and "ROUTE" option are being installed as modules. Compilation and install go fine, I reboot to the new kernel, and then install the iptables that was patched earlier. Now I test the new commands:
iptables -m string -h
which displays a little help on the string match, just to be sure it's installed properly. Next I try a command out:
Now the string matching works because I tried it out with a different -j option, but apparently the ROUTE target is unknown. Can anyone help me set this up properly?
Ok so I've given up trying to get the "-j ROUTE" to work. Instead I'm gonna mark the packets and use the kernel routing table to get the packets to go where I want. The problem that I have with this is that even though the packets are being marked (I checked using "iptables -t mangle -vnL") it doesn't seem to be going through the correct route. I've followed this guide:
but all traffic goes through the default route and not the marked one.
# ip rule gives:
0: from all lookup local
200: from all fwmark 0x4 lookup 201
32766: from all lookup main
32767: from all lookup default
# ip route show table 201
default via 192.168.77.2 dev eth3
The iptables command I use to mark is:
# iptables -t mangle -A PREROUTING -m string --algo bm --string "yahoo.com" -j MARK --set-mark 0x4
I've also flushed the route cache.... any help? I did some playing around with iptables and found that the packets are being marked, but don't know why they aren't matching the routing table.
Thanks.
Edit: Figured out the problem was that squid didn't support these marks, so changed the PREROUTING chain to OUTPUT and it works fine.
Thanks all.
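The setup the thread converges on, written out as an added example (this is not code from the thread, from squid or from the netfilter project): a script that installs the string-match MARK rule in the mangle OUTPUT chain, since squid is a local process and its own packets never traverse PREROUTING (that chain only sees packets arriving on an interface), then adds the fwmark policy rule and table 201, and finally prints the checks that show whether the rule is selected. The mark 0x4, table 201, gateway 192.168.77.2, interface eth3 and the "yahoo.com" pattern are the thread's values; the `-p tcp --dport 80` restriction, the CONNMARK rules that carry the mark to the rest of the flow (only the packet carrying the HTTP request contains the string), the APPLY switch and the RFC 5737 test address 198.51.100.10 are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark-based policy routing for
# packets squid itself originates, marked in the mangle OUTPUT chain.
# Commands are printed unless APPLY=1 is set, so the rule set can be
# reviewed before it is installed.
MARK="${MARK:-0x4}"                   # fwmark used in the thread
TABLE="${TABLE:-201}"                 # routing table used in the thread
GW="${GW:-192.168.77.2}"              # gateway of table 201 in the thread
DEV="${DEV:-eth3}"                    # interface of table 201 in the thread
PATTERN="${PATTERN:-yahoo.com}"       # string to match in the HTTP request
CHECK_IP="${CHECK_IP:-198.51.100.10}" # constructed test address (RFC 5737)

# Execute the command when APPLY=1, otherwise print it on one line.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Netfilter side. A local process's packets never traverse PREROUTING,
# which only sees packets arriving on an interface; OUTPUT sees them.
mark_rules() {
    # -p tcp --dport 80 is an assumption: limit the string search to HTTP.
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 \
        -m string --algo bm --string "$PATTERN" -j MARK --set-mark "$MARK"
    # Only the packet carrying the request contains the string; save the
    # mark on the conntrack entry and restore it on every later packet of
    # the flow so the whole connection keeps using the same route.
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
    run iptables -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark
}

# Routing side: marked packets consult the table whose default is via eth3.
route_rules() {
    run ip route replace default via "$GW" dev "$DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" pref 200
    run ip route flush cache
}

# Checks: a marked lookup should name the table's gateway and interface,
# and the OUTPUT counters should grow when squid fetches a matching URL.
verify_cmds() {
    run ip route get "$CHECK_IP" mark "$MARK"
    run iptables -t mangle -vnL OUTPUT
}

mark_rules
route_rules
verify_cmds
```

Without APPLY=1 the script only prints the commands, which is the form to review; with the rules installed, `ip route get 198.51.100.10 mark 0x4` should answer with table 201's gateway on eth3 while the same lookup without `mark` still shows the main-table default, and the packet counters of the string rule in `iptables -t mangle -vnL OUTPUT` confirm that the match fires. One caveat the thread does not cover: squid's TCP handshake carries no payload, so the connection's source address has already been chosen on the default route before the string match can fire; when the uplinks need different source addresses, an SNAT rule on eth3 (or squid's own per-destination outgoing-address configuration) is needed in addition to the mark.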