iptables: how to route specific ports different than default gateway?
Hello List,

Can I use iptables to route traffic to or from one port via a different gateway than the default?
If so, which is the right target? iptables ... -j REDIRECT?
Or should I use different software for that?
Because of dyndns I cannot use the routing table for those hosts...

Thanks a lot!!

--
Kind regards
Markus Feilner
---------------------------
Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4
93047 Regensburg
fon +49 941 9465243
fax +49 941 9465244
mobil +49 170 3027092
mail mfeilner@feilner-it.net
web http://www.feilner-it.net
On Monday, 3 January 2005 17:44, Markus Feilner wrote:
Hello List,
Can I use iptables to route traffic to or from one port via a different gateway than the default?
If so, which is the right target? iptables ... -j REDIRECT?
Or should I use different software for that?
... like tc? Or can iproute2 (ip) do that? What would you recommend? Thanks!!
Because of dyndns I cannot use the routing table for those hosts...
Thanks a lot!!
On Monday 03 January 2005 17:44, Markus Feilner wrote:
Hello List,
Can I use iptables to route traffic to or from one port via a different gateway than the default?
If so, which is the right target? iptables ... -j REDIRECT?
Or should I use different software for that? Because of dyndns I cannot use the routing table for those hosts...
This seems a bit off topic for a security list, but nevertheless...

You create a routing table by entering it into /etc/iproute2/rt_tables, say

10 alter

Then you add a default route to that routing table:

ip route add <gateway network> dev <device> table alter
ip route add default dev <device> via <gateway> src <source ip> table alter

Then you mark all packets going to ports x, y, z:

iptables -t mangle -I PREROUTING -i <localnet interface> -p tcp -m multiport --dports x,y,z -j MARK --set-mark 0x10

Then you add a rule, saying all traffic your firewall marked should be routed using the routing table called alter:

ip rule add fwmark 0x10 table alter

The example only shows tcp ports, but you can do the same for udp, obviously.

Note that packets routed with routing table "alter" will only ever go to the default gateway, unless you add other routes to that routing table.

--
Jure Koren, n.i.
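The recipe above as an added, reviewable script (not code from the thread): it makes each step idempotent, adds a check that the mark actually selects the alternate gateway, and relaxes reverse-path filtering on the alternate interface so replies arriving there are not dropped by strict rp_filter. Interface names, addresses (RFC 5737 documentation ranges) and the port list are assumptions; any NAT the alternate uplink may need is out of scope.

```shell
#!/bin/sh
# Added example: fwmark-based policy routing for selected TCP ports.
# All names and addresses below are assumptions, not from the thread.
set -eu

TABLE_ID=10; TABLE_NAME=alter; MARK=0x10
LAN_IF=eth0            # assumption: interface facing the local network
ALT_IF=eth1            # assumption: interface toward the alternate gateway
ALT_NET=192.0.2.0/24   # assumption: network of the alternate gateway
ALT_GW=192.0.2.1       # assumption: the alternate gateway itself
ALT_SRC=192.0.2.10     # assumption: this host's address on ALT_IF
PORTS=80,443           # assumption: TCP ports to steer (comma-separated)

# Emit the commands rather than running them, so they can be reviewed;
# "build_commands | sh -e" (as root) applies them. Each line is safe to
# re-run: "replace" for routes, "-C" before inserting the iptables rule,
# and a grep before adding the ip rule.
build_commands() {
  cat <<EOF
grep -qx "$TABLE_ID $TABLE_NAME" /etc/iproute2/rt_tables || echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
ip route replace $ALT_NET dev $ALT_IF table $TABLE_NAME
ip route replace default via $ALT_GW dev $ALT_IF src $ALT_SRC table $TABLE_NAME
iptables -t mangle -C PREROUTING -i $LAN_IF -p tcp -m multiport --dports $PORTS -j MARK --set-mark $MARK 2>/dev/null || iptables -t mangle -I PREROUTING -i $LAN_IF -p tcp -m multiport --dports $PORTS -j MARK --set-mark $MARK
ip rule show | grep -q "fwmark $MARK lookup $TABLE_NAME" || ip rule add fwmark $MARK table $TABLE_NAME
sysctl -qw net.ipv4.conf.$ALT_IF.rp_filter=2
EOF
}
# rp_filter=2 (loose) above: with strict mode (1) the kernel validates the
# reply's source against the main table, which points at the default
# gateway, not ALT_IF, so replies on the alternate path would be dropped.

# Commands that show the result. The "mark" lookup must print
# "via $ALT_GW dev $ALT_IF"; the unmarked lookup must still use the
# normal default route (198.51.100.7 is a constructed remote address).
verify_commands() {
  cat <<EOF
ip rule show
ip route show table $TABLE_NAME
ip route get 198.51.100.7 mark $MARK
ip route get 198.51.100.7
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  build_commands | sh -e
  verify_commands | sh
else
  build_commands
fi
```

Run with APPLY=1 as root to apply and verify; without it the script only prints what it would do.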
On Monday, 3 January 2005 20:34, Jure Koren wrote:
On Monday 03 January 2005 17:44, Markus Feilner wrote:
Hello List,
Can I use iptables to route traffic to or from one port via a different gateway than the default?
If so, which is the right target? iptables ... -j REDIRECT?
Or should I use different software for that? Because of dyndns I cannot use the routing table for those hosts...
This seems a bit off topic for a security list, but nevertheless...
Well - thanks nevertheless!
You create a routing table by entering it into /etc/iproute2/rt_tables, say 10 alter
Then you add a default route to that routing table:
ip route add <gateway network> dev <device> table alter
ip route add default dev <device> via <gateway> src <source ip> table alter
Then you mark all packets going to ports x, y, z:
iptables -t mangle -I PREROUTING -i <localnet interface> -p tcp -m multiport --dports x,y,z -j MARK --set-mark 0x10
Then you add a rule, saying all traffic your firewall marked should be routed using the routing table called alter:
ip rule add fwmark 0x10 table alter
The example only shows tcp ports, but you can do the same for udp, obviously.
Note that packets routed with routing table "alter" will only ever go to the default gateway, unless you add other routes to that routing table.
-- Jure Koren, n.i.
Thank you very much!!!

--
Markus Feilner