FORWARD packets based on destination port
18 years 10 months ago #13547
by evicon
FORWARD packets based on destination port was created by evicon
Hi all,
I'm a really new IPCop user, and a really new forum user.
I'd like to know if there is a way to redirect all the traffic from an IP range or a full IP class, based on the protocol used, to a different gateway instead of the traditional one.
Just to let you understand my delirium:
I have this situation:
2 gateways, one is serving a LAN, the other another LAN.
I'd like to forward all the FTP or SMTP traffic of one LAN, even if it is not using a standard port, to the other.
Is there a magic iptables rule to do this?
Many thanks,
evicon
Sorry for the double post.. the emotion....
18 years 10 months ago #13551
by DaLight
Replied by DaLight on topic Re: FORWARD packets based on destination port
Welcome to firewall.cx, evicon. If you would like to redirect packets based on protocol to a specific host, i.e. redirect all SMTP traffic to a different SMTP server x.x.x.x, it's quite trivial:
[code:1]iptables -v -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to x.x.x.x:25[/code:1]
If, on the other hand, you want to redirect the traffic to a different GATEWAY, you will need to use a combination of iptables and routing commands. Hopefully someone with a better grasp of setting up routes than myself will be able to jump in. But the basic theory is that you can get iptables to MARK traffic based on protocol, and you then set up routing rules to forward to different gateways based on that mark.
A solution using two IPCops can be found in this thread, but it will only work for protocols like HTTP, HTTPS, FTP, etc. that can be proxied by Squid. In addition, for non-HTTP traffic you will need to manually configure your clients. So it's probably not ideal.
Let us know how you get on.
18 years 10 months ago #13560
by evicon
Replied by evicon on topic Re: FORWARD packets based on destination port
Thanks for your time.
If I've understood your hint... I should mark my SMTP traffic with an iptables rule to a "fake IP", then route, with a well-made routing table, all the traffic from that fake IP as I want. Right?
P.S. Why should it be trivial (if by trivial you mean senseless)? Redirecting to another SMTP server (attached to another ISP) instead of the default one will, in some cases, let me load balance the connections per protocol, no?
18 years 10 months ago #13564
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: FORWARD packets based on destination port
Evicon,
Once again, welcome to Firewall.cx.
To help you deal with the problem you're facing, can you please confirm what you need help with, as I was unable to get a clear picture.
Here's a diagram of what I understand you need:
[code:1]      LAN
       |
       |---Gateway1---Internet
       |
    Gateway2---Internet[/code:1]
You need to forward specific packets (FTP and SMTP) out of your LAN via Gateway2, while the rest of the packets use Gateway1.
Can you please confirm this?
18 years 9 months ago #13579
by evicon
Replied by evicon on topic Re: FORWARD packets based on destination port
Yes Chris, exactly what I need. I started to read some iptables manuals and I see there is a way with the mark option of iptables, if I understood well.
Thanks to all for the welcome, I'm really happy to be here!
18 years 9 months ago #13600
by Chris
Replied by Chris on topic Re: FORWARD packets based on destination port
evicon,
You're most welcome, and we hope to see you become one of our regular members.
You are correct, iptables is able to perform the work you require without any problem. I've got this setup working for a number of customers, marking and routing packets as needed, and I can confirm it's stable and reliable.
Let me quickly note that I forgot a small (but important) detail in the diagram I created. Between the LAN and two gateways, you've got your Linux box that performs the routing between all networks.
So the diagram should look like this:
[code:1]LAN (10.0.0.0/24)
       |
       |
    |LINUX|
       |---Gateway1 (192.168.0.1)---Internet
       |
    Gateway2 (192.168.0.2)---Internet[/code:1]
So, without further delay, here's how the story goes:
1) All hosts in your LAN will obviously have one configured gateway, that is, the Linux router.
2) Your Linux router will have two possible gateways. Since we need to provide one default gateway to the Linux router, we assume Gateway1 is the default gateway. This means that everything sent to the Linux router will go out Gateway1 (for now).
If no default gateway exists, for the above diagram you can use the following command:
[code:1]route add default gw 192.168.0.1[/code:1]
3) Enable packet forwarding on your Linux router:
[code:1]echo 1 > /proc/sys/net/ipv4/ip_forward[/code:1]
4) Create your necessary routing tables so that we can use them in conjunction with the packet marking:
In /etc/iproute2/rt_tables create the following entries:
[code:1]2 T2
3 T3[/code:1]
Here's what the file should look like:
[code:1]#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
2 T2
3 T3[/code:1]
Here we now have two more routing tables called 'T2' and 'T3'
While we will only use the 'T2' table, I created the 'T3' table just to illustrate we can have as many routing tables as we need.
Note: Steps 5 and beyond can be placed in one file, e.g. 'rules', that is executed during startup; e.g. put 'sh /etc/rc.d/rules' into your /etc/rc.d/rc.local file to ensure it's executed each time your Linux router boots.
5) Now we need to set 'T2's routing table default gateway:
[code:1]ip route add default via 192.168.0.2 table T2[/code:1]
6) The next step is to create a rule instructing the Linux router to forward all packets marked as '4' (this is just a random number) through routing table 'T2', with a preference of 2 (sort of a priority, as I understand it):
[code:1]ip rule add fwmark 4 pref 2 table T2[/code:1]
7) Last bit of the puzzle involves marking the appropriate packets.
Here we have selected to mark all FTP & HTTP packets from our local LAN (10.0.0.0/24) to firewall.cx:
[code:1]iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -p tcp -d 204.157.10.72 --dport 21 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -s 10.0.0.0/24 -p tcp -d 204.157.10.72 --dport 80 -j MARK --set-mark 4[/code:1]
Obviously, you'll need to modify the options in iptables to mark the packets you like. These marked packets are the ones we want to send through the 2nd gateway.
Remember - keep things simple. Set your default gateway and then use the above process to mark the packets you explicitly want to route through the 2nd gateway.
If you have any problem, we will be here:)
Hope we've covered you 100%.
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
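As an added example (my own script, not code from the thread, from IPCop or from firewall.cx), here is Chris's procedure from steps 3 to 7 carried through as one reviewable command sequence, extended with what a router doing this in production also needs: source NAT on each uplink, loose reverse-path filtering so replies arriving on the second uplink are not dropped, CONNMARK so every packet of a diverted flow keeps its path, and the FTP conntrack helper so passive/active data connections follow the control connection (the kernel copies the master connection's conntrack mark onto connections created from a helper expectation). The addresses follow Chris's diagram; the interface names eth0/eth1/eth2, the port list, the `nf_conntrack_ftp ports=` module option and the raw-table `CT --helper` rule are assumptions about the reader's setup.

```shell
#!/bin/sh
# Added example (not from the thread): divert selected TCP services out of a
# second gateway with an fwmark and a policy-routing table.
# Assumed topology (interface names are assumptions; addresses follow the diagram):
#   LAN 10.0.0.0/24 on eth0 -> Linux router -> eth1 -> Gateway1 192.168.0.1 (main-table default)
#                                           -> eth2 -> Gateway2 192.168.0.2 (marked flows)
# Usage:  sh policy-route.sh show    # print the commands for review
#         sh policy-route.sh apply   # run them (needs root)

LAN_NET=10.0.0.0/24
LAN_IF=eth0
WAN1_IF=eth1          # towards Gateway1, already the default route in the main table
WAN2_IF=eth2          # towards Gateway2
GW2=192.168.0.2
MARK=4                # fwmark meaning "leave via Gateway2", same value as in the thread
TABLE=T2              # needs the line "2 T2" in /etc/iproute2/rt_tables
PORTS="21 25"         # destination ports to divert: FTP control and SMTP
FTP_PORTS=21          # ports the FTP helper watches; append e.g. ,2121 for a non-standard server

# Emit the whole command sequence, one command per line. Keeping the rules as
# text lets you diff and test them before they touch a production router.
policy_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Strict rp_filter (1) would drop replies coming back on eth2, because the
    # main table reaches their source via eth1; loose mode (2) accepts them.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.$WAN2_IF.rp_filter=2"
    # Second routing table with its own default gateway, selected by the mark.
    # Re-running appends a duplicate ip rule; delete it first on a live box.
    echo "ip route replace default via $GW2 dev $WAN2_IF table $TABLE"
    echo "ip rule add fwmark $MARK pref 2 table $TABLE"
    # FTP helper with its port list, so data connections are tracked as RELATED.
    # Kernels since 4.7 no longer attach helpers automatically; the raw CT rule does it.
    echo "modprobe nf_conntrack_ftp ports=$FTP_PORTS"
    echo "iptables -t raw -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports $FTP_PORTS -j CT --helper ftp"
    # LAN ingress only: replies from the Internet must stay in the main table,
    # which knows the route back to 10.0.0.0/24 (T2 only carries a default route).
    # Restore the connection mark first, so later packets of a marked flow and the
    # FTP data connections the helper expects are routed without re-matching ports.
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark"
    for port in $PORTS; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $port -m conntrack --ctstate NEW -j MARK --set-mark $MARK"
    done
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --save-mark"
    # Each uplink must rewrite the source address, otherwise Gateway2 sees 10.0.0.x.
    echo "iptables -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE"
}

# Run the sequence, stopping at the first command that fails.
apply_policy() {
    policy_commands | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

case "${1:-}" in
    show)  policy_commands ;;
    apply) apply_policy ;;
esac
```

Run it with `show` first and read the output: the mangle rules must appear in the order restore-mark, port matches, save-mark, and both MASQUERADE rules must be present, or traffic sent via Gateway2 leaves with private source addresses. To add a service on a non-standard port, extend PORTS (and FTP_PORTS if it is an FTP server); the rules are generated from those lists.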