Re-routing outbound traffic
Hello!
I have a system with 4 NICs. All 4 NICs have internal IPs in different VLANs. Due to firewall restrictions, only one NIC has access to the outside world through a NAT via port 80 and 443.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.20.21.0     *               255.255.255.0   U     0      0        0 eth2
192.168.21.0    *               255.255.255.0   U     0      0        0 eth1
192.168.20.0    *               255.255.255.0   U     0      0        0 eth0
172.20.20.0     *               255.255.255.0   U     0      0        0 eth3
169.254.0.0     *               255.255.0.0     U     0      0        0 eth3
default         192.168.20.3    0.0.0.0         UG    0      0        0 eth0

This server sits on a DMZ and the eth0 NIC allows this server to communicate with a non-DMZ server using the default gw IP that it is currently set to. What I am trying to do is forward all traffic bound for port 80 to and from eth3. What is the best way to accomplish that? As it is now, all traffic, regardless of where it is going, attempts to flow through eth0 which, again, doesn't have access to the outside world. Thanks in advance!
hi jessicaK,
More specific please: which NICs are internal? Which NIC is external/internet? Which NIC is the DMZ?
waiting :)
All four NICs sit behind a DMZ, however eth0 communicates to a non-DMZ server via an ssh tunnel and eth3 is NAT'd via a firewall to communicate outbound to the internet. I need in particular all http/ssl traffic to flow through eth3 so I can get the ES patches from Red Hat.
hi,
I think you need a PBR for the http/ssl. Since I'm not good at speed writing, perhaps you can take a look at my blog here for a basic example. The full Linux advanced routing documentation is on http://lartc.org. HTH.
netstat -a | grep redhat.com
tcp        0      1 192.168.20.201:54816        www.redhat.com:http         SYN_SENT

The IP listed above belongs to eth0.

ip rule list
0:      from all lookup 255
32764:  from all fwmark 0x2 lookup specific.out
32765:  from all fwmark 0x1 lookup specific.out
32766:  from all lookup main
32767:  from all lookup default

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target  prot opt source      destination
1    MARK    tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:80 0x1
2    MARK    tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:443 MARK set 0x2
3    MARK    tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:80 MARK set 0x1
4    MARK    tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:443 MARK set 0x1

Am I missing something?
hi jessicaK,
Please post your `ip route list` output, and how did you insert that FWMARK into the routing table? ip route add default <some_command_> ???
HTH.
172.20.21.0/24 dev eth2  proto kernel  scope link  src 172.20.21.227
192.168.21.0/24 dev eth1  proto kernel  scope link  src 192.168.21.85
192.168.20.0/24 dev eth0  proto kernel  scope link  src 192.168.20.201
172.20.20.0/24 dev eth3  proto kernel  scope link  src 172.20.20.69
169.254.0.0/16 dev eth3  scope link
default via 172.20.20.5 dev eth3
default via 192.168.20.3 dev eth0

ip rule add fwmark 2 table specific.out

I appreciate your help, I am clueless when it comes to routing policies; this is turning into a big learning experience, which I again appreciate! Also here is the command I used for mangle:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1
hi jessicaK,
ok - you already have the FWMARK and the table, now we need:

ip route add default via <your_eth3_IP_gateway> dev eth3 table specific.out

This should work; observe the output using iptraf on all interfaces. For more troubleshooting:

# ip route show table specific.out

and do the necessary correction. Don't give up - it's easy, you can do it :) HTH.
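As an added example (this is not a script posted in the thread, and not from lartc.org), here is the complete fwmark-based policy-routing setup the thread is converging on, written so it can be reviewed in dry-run mode before being applied as root. It takes the table name specific.out, the eth3 gateway 172.20.20.5 and the eth3 address 172.20.20.69 from the thread; the table number 100 and the single mark value 0x1 are assumptions. Two points it handles that the thread leaves implicit: this host's own outbound connections never traverse mangle PREROUTING (that chain only sees packets arriving on an interface), so the patch downloads must be marked in mangle OUTPUT; and the source address of a locally generated packet is chosen by the first, main-table lookup before the mark exists, which is why netstat showed the eth0 address 192.168.20.201 in SYN_SENT, so packets rerouted out eth3 are SNAT'd to eth3's own address.

```shell
#!/bin/sh
# Added example, not from the thread: send this host's own HTTP/HTTPS
# connections out eth3 with a fwmark and a dedicated routing table.
# From the thread: table specific.out, gateway 172.20.20.5, eth3 address
# 172.20.20.69. Assumed: table number 100, mark value 0x1.
set -eu

TABLE_NAME=specific.out
TABLE_ID=100
OUT_IF=eth3
OUT_GW=172.20.20.5
OUT_SRC=172.20.20.69
MARK=0x1
# DRY_RUN=1 (the default) prints each command instead of executing it;
# run with DRY_RUN=0 as root to apply.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Give the table a name the ip tools recognise (skipped if already present).
pbr_ensure_table() {
    if ! grep -qs "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables; then
        run sh -c "printf '%s\t%s\n' $TABLE_ID $TABLE_NAME >> /etc/iproute2/rt_tables"
    fi
}

# Locally generated packets do not pass through mangle PREROUTING, so the
# mark must be set in mangle OUTPUT. The source address was already picked
# by the main-table lookup (eth0's address), so rewrite it on the way out.
pbr_mark_rules() {
    for port in 80 443; do
        run iptables -t mangle -A OUTPUT -p tcp --dport "$port" -j MARK --set-mark "$MARK"
    done
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$OUT_SRC"
}

# Marked packets consult the dedicated table, whose only route is the eth3 default.
pbr_policy_routes() {
    run ip rule add fwmark "$MARK" lookup "$TABLE_NAME"
    run ip route add default via "$OUT_GW" dev "$OUT_IF" src "$OUT_SRC" table "$TABLE_NAME"
    run ip route flush cache
}

# What to inspect when a connection still leaves via eth0.
pbr_verify() {
    run ip rule show
    run ip route show table "$TABLE_NAME"
    run iptables -t mangle -L OUTPUT -n -v
    run iptables -t nat -L POSTROUTING -n -v
}

pbr_apply() {
    pbr_ensure_table
    pbr_mark_rules
    pbr_policy_routes
    pbr_verify
}

if [ "${1:-}" = apply ]; then
    pbr_apply
fi
```

Run `sh pbr.sh apply` first to read the commands it would issue, then `DRY_RUN=0 sh pbr.sh apply` as root. The packet counters shown by `pbr_verify` are the quickest check: if the OUTPUT MARK rules count zero packets while a download is in progress, the marking is not happening and the routing rule never gets a chance.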