LinuxQuestions.org


jsmithis101 07-07-2009 02:59 PM

Centos IP tables DNAT
 
I have a box with two NICs, one with, say, 192.168.1.20 (eth0); the other interface is 192.168.1.21 (eth1). The default route table has eth0 as the interface with the default gateway:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.20 * 255.255.255.0 U 0 0 0 eth0
192.168.1.21 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default 1192.168.1.1 0.0.0.0 UG 0 0 0 eth0


The issue I'm having is that this box is acting as a reverse proxy using Apache. I have a site (192.168.1.22) that will only allow incoming connections from eth1 (192.168.1.21); anything coming from eth0 will be blocked. As eth0 is the default gateway interface, all traffic (port 80) is being sent out on this interface, thus getting rejected. Is there a simple way, with say iptables, to say that traffic going to 192.168.1.22 has to leave eth1?

gratuitous_arp 07-07-2009 07:49 PM

Quote:

Is there a simple way, with say iptables, to say that traffic going to 192.168.1.22 has to leave eth1?
If you want traffic destined for 192.168.1.22 to leave eth1 instead of eth0, you can configure a static route as such:

ip route add 192.168.1.22/32 dev eth1 via <next hop IP>

Shouldn't have to do anything extra with iptables for what you are describing.

jsmithis101 07-07-2009 08:58 PM

Sorry, still kind of a newbie.

What would be the next hop? The gateway?

gratuitous_arp 07-08-2009 02:20 PM

From your description, it sounds like the next hop IP address would be 192.168.1.22.

For example, if you have two PCs (PC A and PC B) cabled into a switch, and you're configuring a route pointing to PC A on PC B, the next hop IP address will be the IP address of PC A. This tells PC B that the "next hop" to get to PC A is the IP address of PC A. If clients are connecting to you from behind a router (on a different subnet), the next hop IP address will be the internal IP address of your router, because packets have to "hop" through your router.

This is an OK description: http://en.wikipedia.org/wiki/Hop_(networking)

You're simply telling your computer what IP address it has to do an ARP request for, so it knows what MAC address to put in the Ethernet header before it sends the packet out. In your case, it sounds like you want this to be the MAC address of 192.168.1.22, not your router.

So you'd have this:

ip route add 192.168.1.22/32 dev eth1 via 192.168.1.22
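To show why the host route above fixes the problem, here is an added example (not code from the thread) that models the kernel's longest-prefix-match routing decision over a constructed copy of the poster's table. The table assumes the connected routes are really 192.168.1.0/24 and the gateway is 192.168.1.1 (the posted output looks mistyped on both points); the tie-break "first matching entry wins" is a simplification of the real FIB, where metric and insertion order decide. Without the /32 route, 192.168.1.22 matches the eth0 connected /24 first and leaves eth0; with it, the /32 is the longest prefix and wins, and the next hop the kernel ARPs for is 192.168.1.22 itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    iface: str

# Constructed routing table mirroring the poster's, with the network
# addresses written as 192.168.1.0 and the gateway as 192.168.1.1 (assumed).
CONSTRUCTED_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_table(text: str) -> List[Route]:
    """Parse `route` / `route -n` style output into Route objects, in table order."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # banner and header lines
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        if dest == "default":
            dest = "0.0.0.0"
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.IPv4Address(gw)
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, iface))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the earlier entry wins (simplification)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best

def next_hop(route: Route, dst: str) -> ipaddress.IPv4Address:
    """Address the kernel ARPs for: the gateway if there is one, else the destination itself."""
    return route.gateway if route.gateway is not None else ipaddress.IPv4Address(dst)

def egress(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (interface, next-hop address) chosen for dst, or None if unroutable."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return (r.iface, str(next_hop(r, dst)))

def with_host_route(routes: List[Route], dst: str, dev: str, via: str) -> List[Route]:
    """Model `ip route add <dst>/32 dev <dev> via <via>` without touching the kernel."""
    host = Route(ipaddress.IPv4Network(f"{dst}/32"), ipaddress.IPv4Address(via), dev)
    return [host] + routes

def ip_route_add_command(route: Route) -> str:
    """Render the iproute2 command that would install this route."""
    cmd = f"ip route add {route.network.with_prefixlen} dev {route.iface}"
    if route.gateway is not None:
        cmd += f" via {route.gateway}"
    return cmd

if __name__ == "__main__":
    before = parse_route_table(CONSTRUCTED_ROUTE_TABLE)
    after = with_host_route(before, "192.168.1.22", "eth1", "192.168.1.22")
    print("before:", egress(before, "192.168.1.22"))   # ('eth0', '192.168.1.22')
    print("after: ", egress(after, "192.168.1.22"))    # ('eth1', '192.168.1.22')
    print("cmd:   ", ip_route_add_command(after[0]))
```

On the real box, the equivalent check after adding the route is `ip route get 192.168.1.22`, which prints the interface and next hop the kernel actually selected; the model above only explains the selection, it does not change anything.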

jsmithis101 09-21-2009 05:10 PM

I finally got around to giving this a go. It does work, but how do I get the route to stick after reboots?

evilted 09-21-2009 10:35 PM

Put the line in /etc/rc.local.

jsmithis101 09-22-2009 08:19 AM

OK, thanks. Now, is it possible to add static routes to virtual adapters? I want to add eth1:0, but it doesn't appear to be working.

ip route add 192.168.25.47/32 via 192.168.91.21 dev eth1:0

That doesn't return an error, but when I type route it only shows eth1.
