LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.

Old 10-10-2008, 02:18 PM   #1
jessicaK
LQ Newbie
 
Registered: Dec 2007
Posts: 21

Rep: Reputation: 15
Re-routing outbound traffic


Hello!

I have a system with 4 nics. All 4 nics have internal IPs in different VLANs. Due to firewall restrictions, only one nic has access to the outside world through a NAT via port 80 and 443.

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.20.21.0 * 255.255.255.0 U 0 0 0 eth2
192.168.21.0 * 255.255.255.0 U 0 0 0 eth1
192.168.20.0 * 255.255.255.0 U 0 0 0 eth0
172.20.20.0 * 255.255.255.0 U 0 0 0 eth3
169.254.0.0 * 255.255.0.0 U 0 0 0 eth3
default 192.168.20.3 0.0.0.0 UG 0 0 0 eth0

This server sits on a DMZ and the eth0 NIC allows this server to communicate with a non DMZ server using the default gw ip that it is currently set to.

What I am trying to do is forward all traffic bound for port 80 to and from eth3. What is the best way to accomplish that? As it is now, all traffic, regardless of where it is bound, attempts to flow through eth0 which again, doesn't have access to the outside world.

Thanks in advance!
 
Old 10-10-2008, 09:27 PM   #2
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi jessicaK,

more specific please,
which NICs are internal? which NICs are external/internet?
which NIC is the DMZ?

Quote:
What I am trying to do is forward all traffic bound for port 80 to and from eth3
as you stated previously - that you have 4 NICs - you have to be more specific, like from eth3 to which NICs, and from which NICs to eth3?

waiting
 
Old 10-11-2008, 07:09 AM   #3
jessicaK
LQ Newbie
 
Registered: Dec 2007
Posts: 21

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rossonieri#1
hi jessicaK,

more specific please,
which NICs are internal? which NICs are external/internet?
which NIC is the DMZ?

as you stated previously - that you have 4 NICs - you have to be more specific, like from eth3 to which NICs, and from which NICs to eth3?

waiting
Thanks for replying!

All four nics sit behind a dmz, however eth0 communicates to a non-DMZ server via a ssh tunnel and eth3 is nat'd via a firewall to communicate outbound to the internet. I need in particular all http/ssl traffic to flow through eth3 so I can get the ES patches from redhat.
 
Old 10-11-2008, 01:53 PM   #4
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi,

I think you need a PBR for the http/ssl. since I'm not good at speed writing - perhaps you can take a look at my blog here for a basic example. the full linux advanced routing documentation is on http://lartc.org.

HTH.
 
Old 10-13-2008, 01:53 PM   #5
jessicaK
LQ Newbie
 
Registered: Dec 2007
Posts: 21

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rossonieri#1
hi,

I think you need a PBR for the http/ssl. since I'm not good at speed writing - perhaps you can take a look at my blog here for a basic example. the full linux advanced routing documentation is on http://lartc.org.

HTH.
I love your blog that is great! I read it and followed the instructions but it does seem that it wants to communicate still with eth0 instead of eth3:

netstat -a |grep redhat.com
tcp 0 1 192.168.20.201:54816 www.redhat.com:http SYN_SENT

The IP listed above belongs to eth0

ip rule list
0: from all lookup 255
32764: from all fwmark 0x2 lookup specific.out
32765: from all fwmark 0x1 lookup specific.out
32766: from all lookup main
32767: from all lookup default

Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0x1
2 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x2
3 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x1
4 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x1


Am I missing something?
 
Old 10-13-2008, 09:49 PM   #6
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi jessicaK,

pls post your #ip route list

Quote:
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0x1
2 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x2
3 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x1
4 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x1


Am I missing something?
yes - you need to define/specify from which NIC the mangle table should handle.

and how do you insert that FWMARK into the routing table?

ip route add default <some_command_> ???

Quote:
netstat -a |grep redhat.com
tcp 0 1 192.168.20.201:54816 www.redhat.com:http SYN_SENT
this SYN_SENT - your remote target is rejecting your request - so it was not a routing problem i guess.

HTH.
 
Old 10-14-2008, 07:15 AM   #7
jessicaK
LQ Newbie
 
Registered: Dec 2007
Posts: 21

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by rossonieri#1
hi jessicaK,
pls post your #ip route list
ip route list
172.20.21.0/24 dev eth2 proto kernel scope link src 172.20.21.227
192.168.21.0/24 dev eth1 proto kernel scope link src 192.168.21.85
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.201
172.20.20.0/24 dev eth3 proto kernel scope link src 172.20.20.69
169.254.0.0/16 dev eth3 scope link
default via 172.20.20.5 dev eth3
default via 192.168.20.3 dev eth0


Quote:
and how do you insert that FWMARK into the routing table?

ip route add default <some_command_> ???
ip rule add fwmark 1 table specific.out
ip rule add fwmark 2 table specific.out

Quote:
this SYN_SENT - your remote target is rejecting your request - so it was not a routing problem i guess.
The packets are going out of the box, but the corporate firewall located on another server is what is blocking traffic on all NICs but the eth3.

I appreciate your help; I am clueless when it comes to routing policies, so this is turning into a big learning experience, which I again appreciate!

Also here is the command I used for mangle:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1

Last edited by jessicaK; 10-14-2008 at 07:23 AM.
 
Old 10-14-2008, 03:25 PM   #8
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
hi jessicaK,

Quote:
Also here is the command i used for mangle:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1
if you really did that - this output should say that it's empty:
Quote:
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0x1
2 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x2
so you need to be more patient
ok - you already have the FWMARK and the table, now we need:

Quote:
ip route add default <some_command_> ???
example:
ip route add default via <your_eth3_IP_gateway> dev eth3 table specific.out

this should work, observe the output using iptraf on all interfaces.

for more troubleshooting tools:
# ip route show table specific.out

and do the necessary corrections.
don't give up - it's easy, you can do it

HTH.
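An added example, not from this thread or from either poster: a POSIX sh script that builds the policy routing discussed above so that only this host's own HTTP/HTTPS connections leave via eth3 while everything else keeps the main-table default via eth0. It differs from the rules shown in post #5 in two places. First, the MARK rules go in the mangle OUTPUT chain: packets generated on the host itself never pass PREROUTING, which is why a PREROUTING rule with -i eth0 stays empty and the SYN in post #5 still leaves with eth0's address. Second, marked packets are SNATed to eth3's address, because the kernel picks a socket's source address from the main table before the mark exists; without that rewrite the packet goes out eth3 carrying 192.168.20.201 and replies return to the wrong interface. The interface eth3 and gateway 172.20.20.5 come from the thread's ip route list; table id 100, the DRY_RUN switch and the function names are my own assumptions. By default the script only prints the commands; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): policy-based routing for locally
# generated HTTP/HTTPS traffic. Assumed values: eth3 and 172.20.20.5 are
# from the thread's "ip route list"; table id 100 and DRY_RUN are mine.
set -eu

DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pbr_apply OUT_IF OUT_GW TABLE "PORT ..."
pbr_apply() {
    out_if=$1
    out_gw=$2
    table=$3
    ports=$4
    # 1. Mark the packets. Locally generated packets never pass PREROUTING;
    #    this host's own connections are only seen in the mangle OUTPUT chain.
    for p in $ports; do
        run iptables -t mangle -A OUTPUT -p tcp --dport "$p" -j MARK --set-mark 1
    done
    # 2. Marked packets consult a dedicated table whose only default is eth3.
    #    A named table such as specific.out works the same once it is listed
    #    in /etc/iproute2/rt_tables; a numeric id needs no such entry.
    run ip rule add fwmark 1 table "$table"
    run ip route add default via "$out_gw" dev "$out_if" table "$table"
    run ip route flush cache
    # 3. The socket's source address was chosen from the main table before the
    #    mark existed (eth0's 192.168.20.201 in the thread), so rewrite it to
    #    eth3's address; replies then come back on eth3 to an address it owns.
    run iptables -t nat -A POSTROUTING -o "$out_if" -m mark --mark 1 -j MASQUERADE
}

# pbr_show TABLE: the checks to run afterwards (post #8's table listing plus
# the rule and counter views; the MARK counters should increase when a marked
# connection is opened, and the table must contain the eth3 default).
pbr_show() {
    run ip rule show
    run ip route show table "$1"
    run iptables -t mangle -L OUTPUT -n -v
    run iptables -t nat -L POSTROUTING -n -v
}

pbr_apply "${PBR_IF:-eth3}" "${PBR_GW:-172.20.20.5}" "${PBR_TABLE:-100}" "${PBR_PORTS:-80 443}"
pbr_show "${PBR_TABLE:-100}"
```

Applied for real, the verification in post #5 changes accordingly: netstat should then show the outgoing SYN with eth3's address once the MASQUERADE rule is in place, and ip route show table 100 must list the single default via 172.20.20.5, since an empty mark table silently falls through to the main table and eth0.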
 
All times are GMT -5.