[Network diagram from the original post, reconstructed from the extraction residue]
X (eth0) ---- (eth0) A (eth1) ---- (eth1) B ---- Y (eth0, eth1) ---- internet
                     A (eth2) ---- (eth2) B
Addresses visible in the original diagram: 192.168.1.1 (eth0), 192.168.3.1 (eth2), 192.168.3.2 (eth2)
The above diagram shows my network setup. IP addresses below the machines are given to each NIC indicated.
Machine X has one Ethernet card and is part of network 192.168.1.0.
Machine A has three Ethernet cards and is part of 3 networks: 192.168.1.0, 192.168.2.0 and 192.168.3.0.
Machine B has three Ethernet cards and is part of 3 networks: 192.168.2.0, 192.168.3.0 and 192.168.4.0.
Machine Y has two Ethernet cards and is part of 2 networks: 192.168.4.0 and the internet world.
I want to control the traffic going from machine X to Y,
as at machine A there are two paths available to go to Y.
My objective is to filter traffic at A and send some of it via one path and the rest via the second path.
I got that this can be done by iptables, but as far as my knowledge about iptables goes, it can only help to filter traffic and either let it go or stop it. I don't know if iptables alone can help me to route the traffic as well.
Can you please help me with whether I am thinking along the right lines or not?
Iptables can be used to detect packets based on a wide variety of criteria. But what can you do once you match them? The -j argument, as you probably know, defines the target - the action that is to be taken for any packets that are matched. Such arguments are commonly DROP, REJECT and ACCEPT, but there are others. Some of them are offered through unofficial modules, available by patch-o-matic (check
). One of them is the ROUTE target, through which you can route packets matched through a specific gateway or interface. It can be that simple. However, like the author himself notes, this is not very efficient to be done this way and it is suggested that you use IProute2.
IProute2 is a utility suite specifically for such jobs (packet classification, QoS and routing). However, it has one distinct disadvantage: its matching engine, though quite powerful, sucks as far as user friendliness is concerned! It also lacks some of the most advanced matching features of Netfilter (iptables): it can only match packets based on the information they carry in their own headers, so you can't have, let's say, sophisticated connection tracking or detection of P2P traffic based on traffic patterns, like some netfilter modules provide.
Fortunately, there is the middle path, to get the best of both worlds: the advanced matching features of Netfilter and the flexibility and performance of IPROUTE2. This is done by using fwmark, a special capability of IPtables to MARK matched packets with a specific mark, which IProute2 can be configured to read and classify packets according to it. Classified packets can then easily be routed through any interface or gateway.
An example of how to do this in practice is mentioned
In the particular example we match packets based solely on their order. However, with minimal changes, you can match packets based on any criteria.
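As an added example (not code from this thread or its author), here is the fwmark split described above applied on machine A: Netfilter marks forwarded HTTP traffic from X's network, and iproute2 sends marked packets out eth1 towards B while everything else keeps the eth2 path. It assumes A forwards X's traffic, that B's address on the eth1 link is the placeholder 192.168.2.2, and that B's eth2 address is 192.168.3.2 as labelled in the diagram.

```shell
#!/bin/sh
# Added example, not code from the thread: fwmark + iproute2 on machine A.
# Assumptions: A forwards X's traffic; B's address on the eth1 (192.168.2.0) link
# is a placeholder; B's eth2 address is 192.168.3.2 as labelled in the diagram.
# DRY_RUN=1 prints the commands instead of executing them (root is needed otherwise).
MARK_WEB=1              # fwmark value for the traffic we steer
TABLE_WEB=100           # routing table consulted for marked packets
GW_ETH1="${GW_ETH1:-192.168.2.2}"   # ASSUMED placeholder: B's eth1 address
GW_ETH2="${GW_ETH2:-192.168.3.2}"   # B's eth2 address from the diagram

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Netfilter side: mark forwarded HTTP traffic from X's network. The mark must be
# set in mangle/PREROUTING, i.e. before the routing decision, or ip rule never sees it.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 \
        -p tcp --dport 80 -j MARK --set-mark "$MARK_WEB"
}

# iproute2 side: marked packets use table 100 (out eth1 towards B); everything else
# keeps the main table's default route out eth2. Loose rp_filter (2) stops the kernel
# from dropping replies that come back over the other link of this asymmetric setup.
route_rules() {
    run ip route add default via "$GW_ETH1" dev eth1 table "$TABLE_WEB"
    run ip rule add fwmark "$MARK_WEB" lookup "$TABLE_WEB"
    run ip route replace default via "$GW_ETH2" dev eth2
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=2
}

# Show what the kernel ended up with, to check that the split actually took effect.
show_rules() {
    run ip rule show
    run ip route show table "$TABLE_WEB"
    run iptables -t mangle -L PREROUTING -n -v
}

case "${1:-}" in
    apply) mark_rules; route_rules; show_rules ;;
    *) DRY_RUN=1; mark_rules; route_rules ;;
esac
```

Run it without arguments to review the generated commands, and with `apply` as root to install them; the mark counters in `iptables -t mangle -L PREROUTING -v` tell you whether packets are actually being classified.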