[LARTC] Route based on port / protocol
Chris Bennett
chris@symbio.com
Thu, 25 Nov 2004 23:33:28 -0600
My solution to this exact problem isn't exactly what you asked for, but I'll tell you anyway because it turned out to be soooo easy and works soooo well.

On my LAN I created a /23 subnet. For example, let's say it is 192.168.2.0/23, giving us 192.168.2.0 - 192.168.3.255. I then made all IPs in the lower half of the subnet (192.168.2.0/24) access the internet through ISP-1, and all the IPs in the upper half of the subnet (192.168.3.0/24) access the internet through ISP-2.

Then I multi-homed my servers, so one server might have, for example, the IPs 192.168.2.2 and 192.168.3.2. After that, directing traffic for a particular service is as simple as specifying which IP to use for the service (instead of allowing the service to use ALL IPs). I haven't yet run into a service that wouldn't allow me to do this.

That's about it.

Btw, when setting up filters and such for a particular machine, I can use a netmask of the form 255.255.254.255 so that both of the IPs are handled in one rule...

There may be a better way to do this that more closely matches what you are trying to do with specific ports and such.. but this multi-homing approach is working great for me.

Chris
----- Original Message -----
From: Antonio Luiz
To: lartc@mailman.ds9a.nl
Sent: Thursday, November 25, 2004 2:08 PM
Subject: [LARTC] Route based on port / protocol
I have a Linux box with 3 NICs connected to 2 different ISPs, running a proxy (Squid) and an e-mail server (qmail).

                      ________
                     |        |-- x.x.x.1 ---- x.x.x.2 (ISP-1 gateway)
                     | Squid  |
LAN ---- 10.85.1.85 -|        |
                     | qmail  |
                     |        |-- y.y.y.1 ---- y.y.y.2 (ISP-2 gateway)
                      --------

All is running OK. But now I want to redirect all traffic from Squid (http) to ISP-1 and all traffic from qmail (smtp) to ISP-2.

Can anyone help me?

I've already tried this, but with no success:
# Create two tables (21 and 31) to use with each connection

# Copy main route to table 31
ip route show table main | grep -Ev '^default' | \
while read ROUTE ; do \
    ip route add table 31 $ROUTE; \
done

# use ISP-1 as default gateway for table 31
ip route replace default via x.x.x.2 table 31

# Copy main route to table 21
ip route show table main | grep -Ev '^default' | \
while read ROUTE ; do \
    ip route add table 21 $ROUTE; \
done

# use ISP-2 as default gateway for table 21
ip route replace default via y.y.y.2 table 21

# Mark packets (1 for ISP-1 and 2 for ISP-2)
# here, I've tried to change OUTPUT for POSTROUTING and PREROUTING without success
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 2

# Define rules to use the correct connection
ip rule add from x.x.x.1 table 31
ip rule add fwmark 1 table 31

ip rule add from y.y.y.1 table 21
ip rule add fwmark 2 table 21

Antonio Luiz
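The port-based setup the thread is about, as an added example written for this page (it is not code from either poster). It keeps Antonio's two tables, marks and rules and adds the two things a practitioner would want checked in such a script: explicit rule priorities, with the fwmark rules evaluated before the source-address rules, and source NAT keyed on the outgoing interface, because a locally generated packet that is re-routed by its fwmark keeps the source address the kernel chose during the first, main-table lookup. Interface names eth1/eth2 and the run() dry-run wrapper are assumptions; x.x.x.* and y.y.y.* are placeholders as in the thread.

```shell
#!/bin/sh
# Added example for this page (not code from the thread): route locally
# generated traffic to ISP-1 or ISP-2 by destination port on a dual-ISP
# Linux box laid out like the diagram above.  Interface names eth1/eth2
# and the run() wrapper are assumptions; x.x.x.*/y.y.y.* are placeholders.

ISP1_IF=eth1; ISP1_IP=x.x.x.1; ISP1_GW=x.x.x.2; ISP1_TABLE=31; ISP1_MARK=1
ISP2_IF=eth2; ISP2_IP=y.y.y.1; ISP2_GW=y.y.y.2; ISP2_TABLE=21; ISP2_MARK=2

# DRY_RUN=1 (the default) prints each command instead of running it, so
# the ruleset can be reviewed or tested without root; DRY_RUN=0 applies it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Per-ISP table: every non-default route from main (LAN and link routes)
# plus that ISP's gateway, so a packet forced into the table can still
# reach the LAN and the directly connected networks.
build_table() {   # build_table TABLE GATEWAY
    run "ip route show table main | grep -Ev '^default' | while read -r r; do ip route add table $1 \$r; done"
    run "ip route replace default via $2 table $1"
}

setup_policy_routing() {
    build_table "$ISP1_TABLE" "$ISP1_GW"
    build_table "$ISP2_TABLE" "$ISP2_GW"

    # Squid's outbound HTTP and qmail's outbound SMTP are locally generated,
    # so they are marked in mangle OUTPUT; the kernel repeats the route
    # lookup after the mark, and the fwmark rules below pick the table.
    run "iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $ISP1_MARK"
    run "iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $ISP2_MARK"

    # Rule order matters (lower pref is checked first).  The first lookup,
    # done before the mark existed, already gave the packet the main
    # table's source address, so the fwmark rules must win over the
    # source-address rules; otherwise a marked packet carrying ISP-1's
    # address would be steered back to ISP-1 by the "from" rule.
    run "ip rule add pref 100 fwmark $ISP1_MARK table $ISP1_TABLE"
    run "ip rule add pref 101 fwmark $ISP2_MARK table $ISP2_TABLE"
    # Source-address rules: replies to connections that arrived on an ISP
    # link go back out the same link, and the same lookup is what lets a
    # strict rp_filter on that interface accept the inbound packets.
    run "ip rule add pref 200 from $ISP1_IP table $ISP1_TABLE"
    run "ip rule add pref 201 from $ISP2_IP table $ISP2_TABLE"

    # Re-routing keeps the source address from the first lookup, so a
    # marked packet would leave ISP-2's link carrying ISP-1's address and
    # be dropped by ingress filtering or answered via ISP-1.  Rewrite the
    # source to the address of the interface the packet actually leaves on;
    # conntrack reverses the translation for the replies.
    run "iptables -t nat -A POSTROUTING -o $ISP1_IF -j SNAT --to-source $ISP1_IP"
    run "iptables -t nat -A POSTROUTING -o $ISP2_IF -j SNAT --to-source $ISP2_IP"

    run "ip route flush cache"
}

setup_policy_routing
```

Run it as is to review the generated commands; run it as root with DRY_RUN=0 to apply them. Chris's approach in the reply above sidesteps the SNAT step entirely: when each service is bound to an address that belongs to one ISP (for Squid, the `tcp_outgoing_address` directive), the source-address rules alone do the steering and no mark is needed.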