Hello!

I have a system with 4 nics. All 4 nics have internal IPs in different VLANs. Due to firewall restrictions, only one nic has access to to the outside world through a NAT via port 80 and 443.

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.20.21.0 * 255.255.255.0 U 0 0 0 eth2
192.168.21.0 * 255.255.255.0 U 0 0 0 eth1
192.168.20.0 * 255.255.255.0 U 0 0 0 eth0
172.20.20.0 * 255.255.255.0 U 0 0 0 eth3
169.254.0.0 * 255.255.0.0 U 0 0 0 eth3
default 192.168.20.3 0.0.0.0 UG 0 0 0 eth0

This server sits on a DMZ and the eth0 NIC allows this server to communicate with a non DMZ server using the default gw ip that it is currently set to.

What I am trying to do is forward all traffic bound for port 80 to and from eth3. What is the best way to accomplish that? As it is now, all traffic regardless on where attempts to flow through eth0 which again, doesn't have access to the outside world.

Thanks in advanced!

hi jessicaK,

more specific please,
which NIC are internal? which NIC are external/internet?
which NIC is the DMZ?

as you stated previously - that you have 4 NICs - you have to be more specific like from eth3 to where NICs, and from which NICs to eth3?

waiting

Thanks for replying!

All four nics sit behind a dmz, however eth0 communicates to a non-DMZ server via a ssh tunnel and eth3 is nat'd via a firewall to communicate outbound to the internet. I need in particular all http/ssl traffic to flow through eth3 so i can get the ES patches from redhat

hi,

i think you need a PBR for the http/ssl. since i'm not good at speed writing - perhaps you can take a look at my blog here for a basic example. the full linux advanced routing documentation is on http://lartc.org.

HTH.

I love your blog that is great! I read it and followed the instructions but it does seem that it wants to communicate still with eth0 instead of eth3:

netstat -a |grep redhat.com
tcp 0 1 192.168.20.201:54816 www.redhat.com:http SYN_SENT

The IP listed above belongs to eth0

ip rule list
0: from all lookup 255
32764: from all fwmark 0x2 lookup specific.out
32765: from all fwmark 0x1 lookup specific.out
32766: from all lookup main
32767: from all lookup default

Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0x1
2 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x2
3 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 MARK set 0x1
4 MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 MARK set 0x1


Am I missing something?

hi jessicaK,

pls post your #ip route list

yes - you need to define/specify from which NIC the mangle table should handle.

and how you insert that FWMARK to the routing table?

ip route add default <some_command_> ???

this SYN_SENT - your remote target is rejecting your request - so it was not a routing problem i guess.

HTH.

ip route list
172.20.21.0/24 dev eth2 proto kernel scope link src 172.20.21.227
192.168.21.0/24 dev eth1 proto kernel scope link src 192.168.21.85
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.201
172.20.20.0/24 dev eth3 proto kernel scope link src 172.20.20.69
169.254.0.0/16 dev eth3 scope link
default via 172.20.20.5 dev eth3
default via 192.168.20.3 dev eth0


ip rule add fwmark 1 table specific.out
ip rule add fwmark 2 table specific.out

The packets are going out of the box, but the corporate firewall located on another server is what is blocking traffic on all NICs but the eth3.

I appreciate your help, I am clueless when it comes to routing policies, this is turning into a big learning experience which I again appreciate!

Also here is the command i used for mangle:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 443 -j MARK --set-mark 1

hi jessicaK,

if you really did that - this output should said that its empty :
so you need to be more patience
ok - you already have the FWMARK and the table, now we need :

example :
ip route add default via <your_eth3_IP_gateway> dev eth3 table specific.out

this should work, observe the output using iptraf on all interface.

for more troubleshooting tool :
# ip route show table specific.out

and do necessary correction.
dont give up - its easy, you can do it

HTH.