Routing return traffic based on the NIC of the incoming traffic?

adamk75 · 12-07-2011, 06:59 AM

I have host A with two NICs. One NIC(1) is at 192.168.0.36, the other NIC(2) is directly on the internet. The default route for host A is the router on the internet (so traffic is routed through NIC(2). Host B is at 192.168.0.10 and is a firewall connected to the internet, on a completely different subnet from host A, NIC(2). Host A and B have no problems connecting to each other over the 192.168.0.0 network.

I have a web server running on host A, bound to both NICs. I can connect to the server over the internet using the IP address for host A, NIC(2). The firewall on host B is configured to forward port 80 to 192.168.0.36. If I try to bring up the web page by connecting to the external IP address on that firewall, though, it never comes up. Packets obviously reach host A, though, as tcpdump on host A shows:

Code:

07:50:16.582844 IP some-remote-machine-on-the-internet-that-I-am-testing-from.34458 > 192.168.0.36.www: S 1006697601:1006697601(0) win 14600 <mss 1460,sackOK,timestamp 1027543073 0,nop,wscale 4>

Now, if I change the route for some-remote-machine-on-the-internet-that-I-am-testing-from to 192.168.0.10, the page will come up. If I change the default route for all network traffic to 192.168.0.10, anyone connecting to the external IP address on the firewall will get the web page. But then, of course, any attempted connection to the IP address on NIC(2) will fail.

Is it possible to have host A route data through a specific route/nic depending on the NIC the connection originates from?

jefro · 12-07-2011, 03:08 PM

I am not sure I fully understand this. For the most part you can't easily select a nic for outgoing and a nic for incomming. IT can be done but this isn't what I think you are asking.

You can only use tcp/ip rules to route traffic. If nic a connects to a server then it has to by the rules of routing. Same for nic b. Nic a and nic b can't usually connect to this server because of rules both in hardware and software. Only one nic will take over.

We get back to a few issues. One is how tcp/ip works and how routers work and how a layer 7+ can work. My guess is you could use a layer 7+ router or some specialized device to then choose routes but a normal linux install doesn't easily allow that. And there is no normal reason.

Again I may misunderstand what you are trying to do.

adamk75 · 12-07-2011, 03:11 PM

Yeah, I don't think I made it very clear, but that's alright... I've configured the firewall to route port 80 to a machine that is only on the internal network, and has squid running a reverse http proxy to connect to the webserver in question.

Now to see if I can find a reverse ftp proxy. That would make my day :-)

Adam

TimothyEBaldwin · 12-11-2011, 04:27 AM

You can use "ip rule" to select an alternative routing table by source address.