I have a Linux (Ubuntu Edgy) workstation that I use at work. I have access to two separate networks via a wireless and a wired connections:

eth0: ip=10.20.65.xx, gateway=10.20.65.1 [wired]
eth1: ip=192.168.40.xx, gateway=192.168.40.1 [wireless]

The wired network gives me access to the entire web via port 80 and 443, and some internal subnets.
The wireless network gives me complete access to the internet, but not to the internal network (Exchange and development servers).

My ultimate goal is to have all http/https routed over the wired network, as it is faster. Everything else that's not internal should go over the wireless (e.g., AIM, IRC, remote SSH).

I found documentation on iptables and iproute2, and started playing around. I've gotten as far as setting an iptables rule to mark all outgoing http packets, and setting an ip rule to route the marked packets to the wired connection:

iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 2
ip rule add fwmark 2 table 220
ip route add via 10.20.65.1 dev eth0 table 220
ip route flush cache

As soon as I add the route, outgoing HTTP requests stop responding. 'iptables -vnL -t mangle' lists increasing counts for packets matching my MARK rule, so I assume they're being marked.

At this point I'm stuck at broken HTTP. I've found a lot of documentation about doing this kind of stuff on a Linux router, using the PREROUTING chain, however I haven't found much on routing packets generated from the same machine. Can this be done?

Thanks

The way that Linux handles routing and the firewall is via an alogorithym. There are basically three "areas". Input, Output and Forward corresponding to the chains. If a packet is destined to be forwarded, it doesn't go through the Input or Output chains. It will go through the Forward chain. The Input and Output strictly address the machine that IPTables is running on. So, you have to stop and think about the path that the packets must take a write your rules accordingly. If you are wondering if it is the firewall or not, turn off the firewall and then try it. If it goes through, it must be the firewall. If it doesn't, then it might be a routing issue (i.e., default routes?). Take a look at it and repost.

I think I found at least one of my problems. I setup my routes as described before, and then caught traffic on eth0 with Wireshark while making HTTP requests. The thing that doesn't look right is:

ARP: Who has 10.21.65.1? Tell 192.168.40.183

192.168.40.183 is the wireless NIC's IP. eth0's IP is 10.21.65.149. Does this mean that the source address is being written to the outgoing packet before the routing stage? It seems as though the routing should write 10.21.65.149 as the source address.

When you have two interfaces and am trying to route between them, you should have a source nat (snat) statement I believe. That way, all of the traffic coming from interface A is represented to the router as interface A's address. Then it knows what to do with it. Same goes for the other interface. Try that and repost.

That was it. Adding the SNAT rule makes everything work. Thanks.

You're quite welcome! That's what we are all here for.