Re: routing based on source IP
Note that all the variables in my examples below (i.e. $eth0_ip) assume
you will replace them with the real values or with variables that have
the correct values.
Leonardo Boselli wrote:
> Question: Hov to route based oin sorce address ?
> System: host with 2.4.22 eth0 eth0:2 eth1 eth2 ippp0 ppp0 ppp1 ppp2
> port usage: eth0 is main port, with a public address on subnet a.b.c.0
> (that has a.b.c.1 as gateway)
> eth0:2 is a virtual port with a 172.16 address for private hosts (dhcp
> supply such addresses with our host as a gateway)
It's not always a great idea to have your public and private networks on
the same ethernet port. Depending on the card, you may have serious
performance issues, not to mention a potential security hole.
> eth1 is used to connect to a DSL modem to a different provider than
> a.b.c.0 [sorry, i do not trust neither one, so i feel better having
two links
> on diferent ISP] and have a single public address.
> eth2 has 192.168.11.10/22 address and is used to connect to a local
> "untrusted" network (whewre everyone can plug his machine and get an
> address by dhcp)
> ippp0 is a dialin line ; with a fixed address from a.b.c.0
> of the 3 ppp [serial] ports two are used for dialin only, and have
two more
> address in public range, the third is port used to conect to a different
> number and "offer" 192.168.8.10/22 as address.
> Requirements:
> having a different routing for packets:
> 1. sourcing from the host itself (that runs apache-ssl squid and
exim-4,
> and all these programs do no have problem in regognizing the sorcue of
> request ) except 5
I don't understand exactly what you're saying here, but if you just want
to allow packets from the firewall/router, just create ACCEPT targets
for OUTPUTs on each of the interfaces (iptables):
iptables -A OUTPUT -o eth0 -j ACCEPT
...
> 2. coming from eth0 with addresses of a.b.c.0/24 with request to route
> should be honoured except that packets with certain ports as destination
> should not be routed. This is the difference i want: packets from the
host
> itself, or from one of the addresses assigned to dialin ports should not
> firewalled !)
iptables -A INPUT -i eth0 -s a.b.c.0/24 -m multiport --dports ! #,#,# -j
ACCEPT
(syntax on above may be a bit off)
> 3. coming from eth0:0 whit address 172.16 (doing snat/dnat then roting
> according the resulting address ! that is if the masqueraded address is
> a.b.c.x then the packets should be routed as in 2, if the address is in
> 192.168.10.0 subnet should be routed as if come from eth2 with this
> address
I'm not sure you can create rules based upon virtual ports. You may
have to go with interface eth0, source address 172.x.x.x\x.
> 4. coming from eth1 only packets to that address.
iptables -A INPUT -i eth1 -d $eth1_ip -j ACCEPT
> 5. packets from local host sent to certains subnets (static list)
should be
> routed via eth1 osing the corresponding address, NO routing should
> occour between eth1 and the other ports
> 6. packets form eth2 should be routed only to eth0:0 (that is 172.16. )
> and to selected hosts in a.b.c.8/29
> 7. packet from dialin ports should be plainly routed if the address is
> a.b.c.x , if the address is 192.168.8.10 the routing should be same
as 6,
> in both cases however NO firefalling should be done on these
> connections, so a remote [but locally authenticated] user can request
any
> port.
I believe you're going to want to take a look at iproute2 (and other
aspects of advanced routing):
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/index.html
Specifically, there is an example for source policy routing (which
interface gets the masquaraded/forwarded packet happens outside of
iptables):
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.simple.html
> 8. of course: if one of the dialin addresses assigned to the 4 ports
of this
> host appear on one of the ethernet ports should not be routed (it
would be
> nice to have a bucket of chilled water trown to the one that did the
misfact
> ... but i fear it cannot be done at kernel level )
You may try submitting a bug report for this. ;)
mickey
Reply to: