Route all HTTP traffic through wired interface on workstation
The wired network gives me access to the entire web via port 80 and 443, and some internal subnets.
The wireless network gives me complete access to the internet, but not to the internal network (Exchange and development servers).
My ultimate goal is to have all http/https routed over the wired network, as it is faster. Everything else that's not internal should go over the wireless (e.g., AIM, IRC, remote SSH).
I found documentation on iptables and iproute2, and started playing around. I've gotten as far as setting an iptables rule to mark all outgoing http packets, and setting an ip rule to route the marked packets to the wired connection:
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 2
ip rule add fwmark 2 table 220
ip route add default via 10.20.65.1 dev eth0 table 220
ip route flush cache
As soon as I add the route, outgoing HTTP requests stop responding. 'iptables -vnL -t mangle' lists increasing counts for packets matching my MARK rule, so I assume they're being marked.
At this point I'm stuck at broken HTTP. I've found a lot of documentation about doing this kind of stuff on a Linux router, using the PREROUTING chain; however, I haven't found much on routing packets generated from the same machine. Can this be done?
The way that Linux handles routing and the firewall is via an algorithm. There are basically three "areas": Input, Output and Forward, corresponding to the chains. If a packet is destined to be forwarded, it doesn't go through the Input or Output chains. It will go through the Forward chain. The Input and Output strictly address the machine that IPTables is running on. So, you have to stop and think about the path that the packets must take and write your rules accordingly. If you are wondering if it is the firewall or not, turn off the firewall and then try it. If it goes through, it must be the firewall. If it doesn't, then it might be a routing issue (i.e., default routes?). Take a look at it and repost.
I think I found at least one of my problems. I setup my routes as described before, and then caught traffic on eth0 with Wireshark while making HTTP requests. The thing that doesn't look right is:
ARP: Who has 10.21.65.1? Tell 192.168.40.183
192.168.40.183 is the wireless NIC's IP. eth0's IP is 10.21.65.149. Does this mean that the source address is being written to the outgoing packet before the routing stage? It seems as though the routing should write 10.21.65.149 as the source address.
When you have two interfaces and are trying to route between them, you should have a source NAT (SNAT) statement, I believe. That way, all of the traffic coming from interface A is represented to the router as interface A's address. Then it knows what to do with it. Same goes for the other interface. Try that and repost.
That was it. Adding the SNAT rule makes everything work. Thanks.
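The complete setup the thread arrives at, written up as an added example (not code posted by anyone in the thread). Interface names and addresses are the ones quoted above and are assumed placeholders; the SNAT rule is restricted to the marked packets so unrelated traffic leaving eth0 is not rewritten, and a DRY_RUN mode lets you review the commands before running them as root.

```shell
#!/bin/sh
# Policy-route locally generated HTTP/HTTPS out of the wired interface.
# Why SNAT is needed: for packets the workstation itself generates, the
# source address is picked by the first routing lookup (default route ->
# wireless) BEFORE the mangle OUTPUT chain marks the packet. The fwmark then
# re-routes it to eth0, but it still carries the wireless address, which is
# exactly the "Who has 10.21.65.1? Tell 192.168.40.183" ARP seen above.
WIRED_IF="${WIRED_IF:-eth0}"           # assumed: wired NIC
WIRED_IP="${WIRED_IP:-10.21.65.149}"   # assumed: eth0 address from the thread
WIRED_GW="${WIRED_GW:-10.21.65.1}"     # assumed: wired gateway from the thread
MARK=2
TABLE=220

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_wired_http() {
    # 1. mark locally generated HTTP/HTTPS (OUTPUT chain, not PREROUTING)
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark "$MARK"
    # 2. marked packets consult a separate routing table
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 3. that table needs a real destination ("default"), not just a gateway
    run ip route add default via "$WIRED_GW" dev "$WIRED_IF" table "$TABLE"
    run ip route flush cache
    # 4. rewrite the source so replies come back on the wired link;
    #    limit it to marked packets so nothing else on eth0 is touched
    run iptables -t nat -A POSTROUTING -o "$WIRED_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$WIRED_IP"
}

# Check: both the MARK counter and the SNAT counter should climb during an
# HTTP request. MARK climbing alone means packets are re-routed but still
# leave with the wrong source address.
show_counters() {
    run iptables -t mangle -vnL OUTPUT
    run iptables -t nat -vnL POSTROUTING
}

if [ "${1:-}" = "apply" ]; then
    setup_wired_http
    show_counters
fi
```

Run `DRY_RUN=1 sh script.sh apply` to see the exact commands, then `sudo sh script.sh apply` to install them.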