* backroute problem
@ 2003-07-23 20:03 Wolfgang Pichler
0 siblings, 0 replies; 5+ messages in thread
From: Wolfgang Pichler @ 2003-07-23 20:03 UTC (permalink / raw)
To: netfilter
hi all,
we have got new ip addresses - the old one's still exists so that i can
migrate them to the new ones.
the old ip's are directly assigned to the web/mail server (i know that
this isn't good - but i havn't had a fireall at this time) - now i have
a seperate firewall which has the new ip's assigned to it.
Now i'd like to change the dns entries so that the traffic goes over the
new ip's (a 4 MBit line ;-) ) - the problem i have is:
when a packet on the new ip comes then it gets prerouted by the firewall
to the webserver - the webserver gets the packet with the original
source address - now to webserver wants to answer to the packet - but
becuase of the old ip's the webserver have a default route with the old
ip and try's to route the packet over the old gateway - and not back to
the firewall... You know - that can't work.
I am now searching for a solution for this problem. Can netfilter help
me with this problem - or do i have to use iproute (i havn't ever done
something with iproute) help me ?
Can i mark the packet's so the the webserver can send them back in the
right direction ?
mfG
Wolfi
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: backroute problem
@ 2003-07-23 21:58 George Vieira
2003-07-24 8:24 ` Wolfgang Pichler
0 siblings, 1 reply; 5+ messages in thread
From: George Vieira @ 2003-07-23 21:58 UTC (permalink / raw)
To: Wolfgang Pichler, netfilter
You have to use iproute2 to route by source IP and not destination (default gateway).
There is an iptables patch in p-o-m which does some funky iproute stuff too but not sure the name.. have a look
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
-----Original Message-----
From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
Sent: Thursday, July 24, 2003 6:03 AM
To: netfilter@lists.netfilter.org
Subject: backroute problem
hi all,
we have got new ip addresses - the old one's still exists so that i can
migrate them to the new ones.
the old ip's are directly assigned to the web/mail server (i know that
this isn't good - but i havn't had a fireall at this time) - now i have
a seperate firewall which has the new ip's assigned to it.
Now i'd like to change the dns entries so that the traffic goes over the
new ip's (a 4 MBit line ;-) ) - the problem i have is:
when a packet on the new ip comes then it gets prerouted by the firewall
to the webserver - the webserver gets the packet with the original
source address - now to webserver wants to answer to the packet - but
becuase of the old ip's the webserver have a default route with the old
ip and try's to route the packet over the old gateway - and not back to
the firewall... You know - that can't work.
I am now searching for a solution for this problem. Can netfilter help
me with this problem - or do i have to use iproute (i havn't ever done
something with iproute) help me ?
Can i mark the packet's so the the webserver can send them back in the
right direction ?
mfG
Wolfi
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: backroute problem
2003-07-23 21:58 George Vieira
@ 2003-07-24 8:24 ` Wolfgang Pichler
2003-07-24 11:53 ` Wolfgang Pichler
0 siblings, 1 reply; 5+ messages in thread
From: Wolfgang Pichler @ 2003-07-24 8:24 UTC (permalink / raw)
To: netfilter
i am not an expert - but how can i use iproute2 routing by source ip ?
If i understand the whole thing right then the webserver doesn't get the
ip of the firewall as source ip - it gets the original ip - so - how can
iproute2 then know which packet was comming from the firewall and which
packet was comming from the old gateway.
But another thing come to mind: Wouldn't it be possible to Mark the
packets on the firewall - and then tell iproute2 to route marked packets
to the firewall back ?
mfG
Wolfi
Am Mit, 2003-07-23 um 21.58 schrieb George Vieira:
> You have to use iproute2 to route by source IP and not destination (default gateway).
>
> There is an iptables patch in p-o-m which does some funky iproute stuff too but not sure the name.. have a look
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> -----Original Message-----
> From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
> Sent: Thursday, July 24, 2003 6:03 AM
> To: netfilter@lists.netfilter.org
> Subject: backroute problem
>
>
> hi all,
>
> we have got new ip addresses - the old one's still exists so that i can
> migrate them to the new ones.
>
> the old ip's are directly assigned to the web/mail server (i know that
> this isn't good - but i havn't had a fireall at this time) - now i have
> a seperate firewall which has the new ip's assigned to it.
>
> Now i'd like to change the dns entries so that the traffic goes over the
> new ip's (a 4 MBit line ;-) ) - the problem i have is:
>
> when a packet on the new ip comes then it gets prerouted by the firewall
> to the webserver - the webserver gets the packet with the original
> source address - now to webserver wants to answer to the packet - but
> becuase of the old ip's the webserver have a default route with the old
> ip and try's to route the packet over the old gateway - and not back to
> the firewall... You know - that can't work.
>
> I am now searching for a solution for this problem. Can netfilter help
> me with this problem - or do i have to use iproute (i havn't ever done
> something with iproute) help me ?
>
> Can i mark the packet's so the the webserver can send them back in the
> right direction ?
>
> mfG
> Wolfi
>
>
>
>
>
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: backroute problem
2003-07-24 8:24 ` Wolfgang Pichler
@ 2003-07-24 11:53 ` Wolfgang Pichler
0 siblings, 0 replies; 5+ messages in thread
From: Wolfgang Pichler @ 2003-07-24 11:53 UTC (permalink / raw)
To: netfilter
i've no tryied it with the mark solution
i've done:
(firewall)
$IPTABLES -t mangle -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j
MARK --set-mark 1
$IPTABLES -t nat -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j
DNAT --to-destination $LAN_MAILSERVER:25
(Marked the packet with 1 and Prerouted it to the internal mailserver)
(mailserver)
in /etc/iproute2/rt_tables an entrie with "201 newip" (i have no idea
for what 201 stands and i can't find an answer to this in the linux 2.4
advanced Routing howto - can someone point me to the right palce ?)
then
ip rule add fwmark 1 table newip
and
ip route add default via firewall dev eth0 table newip
but it still doesn't work, why ?
mfG
Wolfi
Am Don, 2003-07-24 um 08.24 schrieb Wolfgang Pichler:
> i am not an expert - but how can i use iproute2 routing by source ip ?
> If i understand the whole thing right then the webserver doesn't get the
> ip of the firewall as source ip - it gets the original ip - so - how can
> iproute2 then know which packet was comming from the firewall and which
> packet was comming from the old gateway.
>
> But another thing come to mind: Wouldn't it be possible to Mark the
> packets on the firewall - and then tell iproute2 to route marked packets
> to the firewall back ?
>
> mfG
> Wolfi
>
> Am Mit, 2003-07-23 um 21.58 schrieb George Vieira:
> > You have to use iproute2 to route by source IP and not destination (default gateway).
> >
> > There is an iptables patch in p-o-m which does some funky iproute stuff too but not sure the name.. have a look
> >
> > Thanks,
> > ____________________________________________
> > George Vieira
> > Systems Manager
> > georgev@citadelcomputer.com.au
> >
> > Citadel Computer Systems Pty Ltd
> > http://www.citadelcomputer.com.au
> >
> > -----Original Message-----
> > From: Wolfgang Pichler [mailto:madmin@dialog-telekom.at]
> > Sent: Thursday, July 24, 2003 6:03 AM
> > To: netfilter@lists.netfilter.org
> > Subject: backroute problem
> >
> >
> > hi all,
> >
> > we have got new ip addresses - the old one's still exists so that i can
> > migrate them to the new ones.
> >
> > the old ip's are directly assigned to the web/mail server (i know that
> > this isn't good - but i havn't had a fireall at this time) - now i have
> > a seperate firewall which has the new ip's assigned to it.
> >
> > Now i'd like to change the dns entries so that the traffic goes over the
> > new ip's (a 4 MBit line ;-) ) - the problem i have is:
> >
> > when a packet on the new ip comes then it gets prerouted by the firewall
> > to the webserver - the webserver gets the packet with the original
> > source address - now to webserver wants to answer to the packet - but
> > becuase of the old ip's the webserver have a default route with the old
> > ip and try's to route the packet over the old gateway - and not back to
> > the firewall... You know - that can't work.
> >
> > I am now searching for a solution for this problem. Can netfilter help
> > me with this problem - or do i have to use iproute (i havn't ever done
> > something with iproute) help me ?
> >
> > Can i mark the packet's so the the webserver can send them back in the
> > right direction ?
> >
> > mfG
> > Wolfi
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* backroute problem
@ 2003-07-23 20:00 Wolfgang Pichler
0 siblings, 0 replies; 5+ messages in thread
From: Wolfgang Pichler @ 2003-07-23 20:00 UTC (permalink / raw)
To: netfilter
hi all,
we have got new ip addresses - the old one's still exists so that i can
migrate them to the new ones.
the old ip's are directly assigned to the web/mail server (i know that
this isn't good - but i havn't had a fireall at this time) - now i have
a seperate firewall which has the new ip's assigned to it.
Now i'd like to change the dns entries so that the traffic goes over the
new ip's (a 4 MBit line ;-) ) - the problem i have is:
when a packet on the new ip comes then it gets prerouted by the firewall
to the webserver - the webserver gets the packet with the original
source address - now to webserver wants to answer to the packet - but
becuase of the old ip's the webserver have a default route with the old
ip and try's to route the packet over the old gateway - and not back to
the firewall... You know - that can't work.
I am now searching for a solution for this problem. Can netfilter help
me with this problem - or do i have to use iproute (i havn't ever done
something with iproute) help me ?
Can i mark the packet's so the the webserver can send them back in the
right direction ?
mfG
Wolfi
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2003-07-24 11:53 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-07-23 20:03 backroute problem Wolfgang Pichler
-- strict thread matches above, loose matches on Subject: below --
2003-07-23 21:58 George Vieira
2003-07-24 8:24 ` Wolfgang Pichler
2003-07-24 11:53 ` Wolfgang Pichler
2003-07-23 20:00 Wolfgang Pichler
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.