Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: iptables for routing

iptables for routing 10 years 4 months ago #15636

  • helloaali
  • helloaali's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
[code:1]



| X | | A | | B | | Y |
| eth0 |<
>| eth0 | | eth1 |<
>| eth1 |
| eth1 |<
>| eth0 | | eth0 |<
> INTERNET
192.168.1.1(eth0) | eth2 |<
>| eth2 |


192.168.4.2(eth1)
192.168.1.2(eth0) 192.168.4.1(eth1)
192.168.2.1(eth1) 192.168.2.2(eth0)
192.168.3.1(eth2) 192.168.3.2(eth2) [/code:1]
Hi,
The above diagram shows my network setup. Ip address below the machines are given to each NIC indicated.
machine X has one ethernet card and part of network 192.168.1.0
machine A has three ethernet cards and part of 3 networks 192.168.1.0, 192.168.2.0 and 192.168.3.0
machine B has three ethernet cards and part of 3 networks 192.168.2.0, 192.168.3.0 and 192.168.4.0
machine Y has two ethernet cards and part of 2 networks 192.168.4.0 and internet world

I want to control the traffic going from machine X to Y
as at machine A there are two paths available to go to Y.
my objective is filter traffic at A and send some of it via one path and send other via second path.

I got that this can be done by iptables but as far as my knowledge about iptables is they can only help to filter traffic and either let it go or stop it. i dont know if iptables alone can help me to route the traffic as well.
can you pls help me if i am thinking on the right lines or not.
The administrator has disabled public write access.

Re: iptables for routing 10 years 4 months ago #15639

  • nske
  • nske's Avatar
  • Offline
  • Expert Member
  • Posts: 613
  • Karma: 0
You are mostly right!

Iptables can be used to detect packets based on a wide variety of criteria. But what can you do once you match them? The -j argument, as you propably know, defines the target -the action that is to be taken for any packets that are matched. Such arguments are commonly DROP, REJECT and ACCEPT, but there are others. Some of them are offered through unofficial modules, available by patch-o-matic (check www.netfilter.org). One of them is the ROUTE target, through which you can route packets matched through a specific gateway or interface. It can be that simple. However, like the author himself notes, this is not very efficient to be done this way and it is suggested that you use IProute2.

IProute2 is an utility suit specifically for such jobs (packet classification, QoS and routing). However it has one distinct disadvantage: it's matching engine, though quite powerful, sucks as far as user friendliness is concerned! It also lucks some of the most advanced matching features of Netfilter (iptables): it can only match packets based on the information they carry on their own headers, so you can't have let's say sophisticated connection tracking or detection of P2P traffic based on traffic patterns, like some netfilter modules provide.

Fortunately, there is the middle path, to get the best of both worlds: the advanced matching features of Netfilter and the flexibility and performance of IPROUTE2. This is done by using fwmark, a special capability of IPtables to MARK matched packets with a specific mark, which IProute2 can be configured to read and classify packets according to it. Classified packets, can then easily be routed through any interface or gateway.

An example of how to do this in practice is mentioned here.
In the particular example we match packets based solely on their order. However, with minimal changes, you can match packets based on any criteria.
The administrator has disabled public write access.

thanks a lot 10 years 4 months ago #15694

  • helloaali
  • helloaali's Avatar
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
Hi,
thanks for a detailed explaination.
and the example realy worked for me.
can you point me out some short n quick tutorial about iproute2.

regards

Ali
The administrator has disabled public write access.
Time to create page: 0.078 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup