- Posts: 3
- Thank you received: 0
iptables for routing
18 years 2 months ago #15636
by helloaali
iptables for routing was created by helloaali
[code:1]
| X | | A | | B | | Y |
| eth0 |<
>| eth0 | | eth1 |<
>| eth1 |
| eth1 |<
>| eth0 | | eth0 |<
> INTERNET
192.168.1.1(eth0) | eth2 |<
>| eth2 |
192.168.4.2(eth1)
192.168.1.2(eth0) 192.168.4.1(eth1)
192.168.2.1(eth1) 192.168.2.2(eth0)
192.168.3.1(eth2) 192.168.3.2(eth2) [/code:1]
Hi,
The above diagram shows my network setup. Ip address below the machines are given to each NIC indicated.
machine X has one ethernet card and part of network 192.168.1.0
machine A has three ethernet cards and part of 3 networks 192.168.1.0, 192.168.2.0 and 192.168.3.0
machine B has three ethernet cards and part of 3 networks 192.168.2.0, 192.168.3.0 and 192.168.4.0
machine Y has two ethernet cards and part of 2 networks 192.168.4.0 and internet world
I want to control the traffic going from machine X to Y
as at machine A there are two paths available to go to Y.
my objective is filter traffic at A and send some of it via one path and send other via second path.
I got that this can be done by iptables but as far as my knowledge about iptables is they can only help to filter traffic and either let it go or stop it. i dont know if iptables alone can help me to route the traffic as well.
can you pls help me if i am thinking on the right lines or not.
| X | | A | | B | | Y |
| eth0 |<
>| eth0 | | eth1 |<
>| eth1 |
| eth1 |<
>| eth0 | | eth0 |<
> INTERNET
192.168.1.1(eth0) | eth2 |<
>| eth2 |
192.168.4.2(eth1)
192.168.1.2(eth0) 192.168.4.1(eth1)
192.168.2.1(eth1) 192.168.2.2(eth0)
192.168.3.1(eth2) 192.168.3.2(eth2) [/code:1]
Hi,
The above diagram shows my network setup. Ip address below the machines are given to each NIC indicated.
machine X has one ethernet card and part of network 192.168.1.0
machine A has three ethernet cards and part of 3 networks 192.168.1.0, 192.168.2.0 and 192.168.3.0
machine B has three ethernet cards and part of 3 networks 192.168.2.0, 192.168.3.0 and 192.168.4.0
machine Y has two ethernet cards and part of 2 networks 192.168.4.0 and internet world
I want to control the traffic going from machine X to Y
as at machine A there are two paths available to go to Y.
my objective is filter traffic at A and send some of it via one path and send other via second path.
I got that this can be done by iptables but as far as my knowledge about iptables is they can only help to filter traffic and either let it go or stop it. i dont know if iptables alone can help me to route the traffic as well.
can you pls help me if i am thinking on the right lines or not.
18 years 2 months ago #15639
by nske
Replied by nske on topic Re: iptables for routing
You are mostly right!
Iptables can be used to detect packets based on a wide variety of criteria. But what can you do once you match them? The -j argument, as you propably know, defines the target -the action that is to be taken for any packets that are matched. Such arguments are commonly DROP, REJECT and ACCEPT, but there are others. Some of them are offered through unofficial modules, available by patch-o-matic (check www.netfilter.org ). One of them is the ROUTE target, through which you can route packets matched through a specific gateway or interface. It can be that simple. However, like the author himself notes, this is not very efficient to be done this way and it is suggested that you use IProute2.
IProute2 is an utility suit specifically for such jobs (packet classification, QoS and routing). However it has one distinct disadvantage: it's matching engine, though quite powerful, sucks as far as user friendliness is concerned! It also lucks some of the most advanced matching features of Netfilter (iptables): it can only match packets based on the information they carry on their own headers, so you can't have let's say sophisticated connection tracking or detection of P2P traffic based on traffic patterns, like some netfilter modules provide.
Fortunately, there is the middle path, to get the best of both worlds: the advanced matching features of Netfilter and the flexibility and performance of IPROUTE2. This is done by using fwmark, a special capability of IPtables to MARK matched packets with a specific mark, which IProute2 can be configured to read and classify packets according to it. Classified packets, can then easily be routed through any interface or gateway.
An example of how to do this in practice is mentioned here .
In the particular example we match packets based solely on their order. However, with minimal changes, you can match packets based on any criteria.
Iptables can be used to detect packets based on a wide variety of criteria. But what can you do once you match them? The -j argument, as you propably know, defines the target -the action that is to be taken for any packets that are matched. Such arguments are commonly DROP, REJECT and ACCEPT, but there are others. Some of them are offered through unofficial modules, available by patch-o-matic (check www.netfilter.org ). One of them is the ROUTE target, through which you can route packets matched through a specific gateway or interface. It can be that simple. However, like the author himself notes, this is not very efficient to be done this way and it is suggested that you use IProute2.
IProute2 is an utility suit specifically for such jobs (packet classification, QoS and routing). However it has one distinct disadvantage: it's matching engine, though quite powerful, sucks as far as user friendliness is concerned! It also lucks some of the most advanced matching features of Netfilter (iptables): it can only match packets based on the information they carry on their own headers, so you can't have let's say sophisticated connection tracking or detection of P2P traffic based on traffic patterns, like some netfilter modules provide.
Fortunately, there is the middle path, to get the best of both worlds: the advanced matching features of Netfilter and the flexibility and performance of IPROUTE2. This is done by using fwmark, a special capability of IPtables to MARK matched packets with a specific mark, which IProute2 can be configured to read and classify packets according to it. Classified packets, can then easily be routed through any interface or gateway.
An example of how to do this in practice is mentioned here .
In the particular example we match packets based solely on their order. However, with minimal changes, you can match packets based on any criteria.
18 years 2 months ago #15694
by helloaali
Replied by helloaali on topic thanks a lot
Hi,
thanks for a detailed explaination.
and the example realy worked for me.
can you point me out some short n quick tutorial about iproute2.
regards
Ali
thanks for a detailed explaination.
and the example realy worked for me.
can you point me out some short n quick tutorial about iproute2.
regards
Ali
Time to create page: 0.118 seconds