* Routing HTTP Through Another Link
@ 2009-09-11 14:30 Diogo Sperb Schneider
  2009-09-11 18:19 ` Diogo Sperb Schneider
  2009-09-13  6:49 ` Marek Kierdelewicz
  0 siblings, 2 replies; 6+ messages in thread
From: Diogo Sperb Schneider @ 2009-09-11 14:30 UTC (permalink / raw)
  To: netfilter

Greetings!

I gave up on that old web-based firewall and now I'm running plain
CentOS 4.8 with 3 ethernet adapters:

eth0 = LAN
eth1 = WAN
eth2 = ADSL

So I tried the following:

ip route add default via 189.30.16.65 dev eth1 table WAN    # <- WAN is 1 in /etc/iproute2/rt_tables
ip route add default via 192.168.2.1 dev eth2 table ADSL    # <- ADSL is 2 in /etc/iproute2/rt_tables
ip rule add from all fwmark 1 table WAN
ip rule add from all fwmark 2 table ADSL
iptables -t mangle -I PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2    # Tried with -I and -A with same effect

(Got those from the Linux Advanced Routing mini HOWTO)

Still, when I browse IP detection websites I get my WAN IP address.

Just for the record; My other relevant netfilter rules are:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 189.30.16.66    # <- my adapter's IP address
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.2.254   # <- my adapter's IP address
iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT    # HTTP

Many thanks for reading!

Diogo


* Re: Routing HTTP Through Another Link
  2009-09-11 14:30 Routing HTTP Through Another Link Diogo Sperb Schneider
@ 2009-09-11 18:19 ` Diogo Sperb Schneider
  2009-09-13  6:49 ` Marek Kierdelewicz
  1 sibling, 0 replies; 6+ messages in thread
From: Diogo Sperb Schneider @ 2009-09-11 18:19 UTC (permalink / raw)
  To: netfilter

Well, I ended up separating link usage between servers and
workstations, rather than by service.

A few magic words did the trick for me:

ip route add default via $WAN_IP_ADDR dev eth1 table WAN
ip route add default via $ADSL_IP_ADDR dev eth2 table ADSL
ip rule add from $SERVER_NETWORK table WAN

Thanks anyway!


* Re: Routing HTTP Through Another Link
  2009-09-11 14:30 Routing HTTP Through Another Link Diogo Sperb Schneider
  2009-09-11 18:19 ` Diogo Sperb Schneider
@ 2009-09-13  6:49 ` Marek Kierdelewicz
  1 sibling, 0 replies; 6+ messages in thread
From: Marek Kierdelewicz @ 2009-09-13  6:49 UTC (permalink / raw)
  To: Diogo Sperb Schneider; +Cc: netfilter

>Greetings!

Hello,

>So I tried the following:
>ip route add default via 189.30.16.65 dev eth1 table WAN # < 1 in
>...

Very strange it didn't work. Everything in your config seemed OK. Did
you try flushing route cache after reconfig? You can do this with "ip ro
flush cache".

Cheers
Marek


* RE: Routing HTTP Through Another Link
       [not found]     ` <20090901135848.793936a7@catlap>
@ 2009-09-01 16:42       ` Diogo Sperb Schneider
  0 siblings, 0 replies; 6+ messages in thread
From: Diogo Sperb Schneider @ 2009-09-01 16:42 UTC (permalink / raw)
  To: netfilter


Hello, Marek!

> iptables -t mangle -A PREROUTING -i LAN_INTERFACE -m multiport --dport 80,443 -j ROUTE --oif WWW_ONLY_LINK
> iptables -t nat -A POSTROUTING -o WWW_ONLY_LINK -j MASQUERADE

I tried that, adding "-p tcp" on the first command, because iptables complained about it.

It didn't work, making my navigation completely stop. I don't get instant errors from the browser, but it tries to connect endlessly.

I've tried tuning a few rules and changing orders with the existing rules for the main link, but the result is the same. I'm kinda clueless about what to do next, so if you have any more tips I'd really appreciate it.

By the way, the web interface doesn't allow me to specify the --oif option, just --gw so I have set it to the gateway of the alternative link. I thought the basic routing table should take care of the rest.

PS: I've just realized our conversation has gone off the list, so I'm putting it back on it again.



* Re: Routing HTTP Through Another Link
  2009-08-31 18:30 Diogo Sperb Schneider
@ 2009-09-01  5:55 ` Marek Kierdelewicz
       [not found]   ` <BLU116-W61B4883A90045AEF7BDB6A2F10@phx.gbl>
  0 siblings, 1 reply; 6+ messages in thread
From: Marek Kierdelewicz @ 2009-09-01  5:55 UTC (permalink / raw)
  To: Diogo Sperb Schneider, netfilter

>Greetings!

Hello Diogo!

>I'd like to route my HTTP traffic (ports 80 and 443) through a separate
>link, but I'm not sure if I must use the ROUTE target or even how to

You can use policy routing with MARK:

# MARK is only accepted in the mangle table, which every packet traverses
iptables -t mangle -A PREROUTING -i LAN_INTERFACE -p tcp -m multiport --dports 80,443 -j MARK --set-mark 0x10
iptables -t nat -A POSTROUTING -o WWW_ONLY_LINK -j MASQUERADE

ip rule add fwmark 0x10 table 100 prio 100
ip route add default via WWW_LINK_GW table 100

assumption: WWW_LINK_GW (gateway address of www-only link) is always
the same

Be sure to place MASQ rule before SNAT rule you've written about or
specify an output interface in SNAT rule.

You can find "ip" in "iproute2" package in any distro I think.

Best regards,
Marek

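The policy-routing setup Marek describes, written out for the three-adapter box from the thread as an added example (not a script from the thread itself): it marks LAN-originated HTTP/HTTPS in mangle, sends marked packets to a dedicated table whose default route is the ADSL gateway, masquerades on the dynamic-IP link, keeps the static-IP SNAT bound to its own output interface, and flushes the route cache afterwards. The interface names and the ADSL gateway come from the thread; the WAN address is a constructed placeholder, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the thread's own configuration.
# Assumed layout (from the thread): eth0 = LAN, eth1 = WAN (static IP), eth2 = ADSL (dynamic IP).
LAN_IF=eth0
WAN_IF=eth1
ADSL_IF=eth2
WAN_IP=192.0.2.66        # constructed placeholder for the static WAN address
ADSL_GW=192.168.2.1      # ADSL gateway as given in the thread
MARK=0x10
TABLE=100

: "${DRY_RUN:=1}"        # default: print the commands; DRY_RUN=0 executes them (needs root)
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

policy_route_rules() {
    # 1. Mark HTTP/HTTPS from the LAN in the mangle table, which every packet
    #    traverses, so the mark-based routing decision applies to every packet.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports 80,443 -j MARK --set-mark "$MARK"
    # 2. Marked packets consult a table whose only route is the ADSL gateway.
    run ip rule add fwmark "$MARK" table "$TABLE" prio 100
    run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$TABLE"
    # 3. Source NAT per outgoing interface: MASQUERADE on the dynamic-IP link,
    #    SNAT with an explicit -o on the static link so the two never overlap.
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # 4. Drop cached routes so existing flows stop using the old WAN path.
    run ip route flush cache
}

# Consistency check that runs without root: the generated ruleset must mark
# in mangle, masquerade only on the ADSL link, and bind SNAT to the WAN link.
check_rules() {
    out=$(DRY_RUN=1; policy_route_rules)
    printf '%s\n' "$out" | grep -q -- "-t mangle -A PREROUTING .* --dports 80,443 -j MARK" || return 1
    printf '%s\n' "$out" | grep -q -- "-o $ADSL_IF -j MASQUERADE" || return 1
    printf '%s\n' "$out" | grep -q -- "-t nat -A POSTROUTING -o $WAN_IF -j SNAT" || return 1
    printf '%s\n' "$out" | grep -q -- "fwmark $MARK table $TABLE" || return 1
}

check_rules && echo "ruleset looks consistent"
```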

* Routing HTTP Through Another Link
@ 2009-08-31 18:30 Diogo Sperb Schneider
  2009-09-01  5:55 ` Marek Kierdelewicz
  0 siblings, 1 reply; 6+ messages in thread
From: Diogo Sperb Schneider @ 2009-08-31 18:30 UTC (permalink / raw)
  To: netfilter


Greetings!

I'd like to route my HTTP traffic (ports 80 and 443) through a separate link, but I'm not sure if I must use the ROUTE target or even how to use it.
My main link has its own static IP address, so I have SNAT doing the address translation. (working)

My second link is a dynamic-IP DSL, so I believe NAT rules will need MASQUERADE instead.

Could somebody please post a sample ruleset that does the trick?

Many thanks in advance.

Best regards,
Diogo



