routing based on source IP

To: debian-firewall@lists.debian.org
Subject: routing based on source IP
From: "Leonardo Boselli" <leo@dicea.unifi.it>
Date: Sun, 04 Jan 2004 19:02:07 +0100
Message-id: <[🔎] 3FF8632F.17840.669F8B@localhost>

Question: Hov to route based oin sorce address ?
System: host with 2.4.22 eth0 eth0:2 eth1 eth2 ippp0 ppp0 ppp1 ppp2
port usage: eth0 is main port, with a public address on subnet a.b.c.0 
(that has a.b.c.1 as gateway)
eth0:2 is a virtual port with a 172.16 address for private hosts (dhcp 
supply such addresses with our host as a gateway)
eth1 is used to connect to a DSL modem to a different provider than 
a.b.c.0 [sorry, i do not trust neither one, so i feel better having two links 
on diferent ISP] and have a single public address.
eth2 has 192.168.11.10/22 address and is used to connect to a local 
"untrusted" network (whewre everyone can plug his machine and get an 
address by dhcp)
ippp0 is a dialin line ; with a fixed address from a.b.c.0
of the 3 ppp [serial] ports two are used for dialin only, and have two more 
address in public range, the third is port used to conect to a different 
number and "offer" 192.168.8.10/22 as address. 
Requirements:
 having a different routing for packets:
1.   sourcing from the host itself (that runs apache-ssl squid and exim-4, 
and all these programs do no have problem in regognizing the sorcue of 
request ) except 5
2.   coming from eth0 with addresses of a.b.c.0/24 with request to route 
should be honoured except that packets with certain ports as destination 
should not be routed. This is the difference i want: packets from the host 
itself, or from one of the addresses assigned to dialin ports should not 
firewalled !) 
3.   coming from eth0:0 whit address 172.16 (doing snat/dnat then roting 
according the resulting address ! that is if the masqueraded address is 
a.b.c.x then the packets should be routed as in 2, if the address is in 
192.168.10.0 subnet should be routed as if come from eth2 with this 
address
4.  coming from eth1 only packets to that address.
5.  packets from local host sent to certains subnets (static list) should be 
routed via eth1 osing the corresponding address, NO routing should 
occour between eth1 and the other ports
6. packets form eth2 should be routed only to eth0:0 (that is 172.16. ) 
and to selected hosts in a.b.c.8/29 
7.  packet from dialin ports should be plainly routed if the address is 
a.b.c.x , if the address is 192.168.8.10 the routing should be same as 6, 
in both cases however NO firefalling should be done on these 
connections, so a remote [but locally authenticated] user can request any 
port.
8. of course: if one of the dialin addresses assigned to the 4 ports of this 
host appear on one of the ethernet ports should not be routed (it would be 
nice to have a bucket of chilled water trown to the one that did the misfact 
... but i fear it cannot be done at kernel level )

Is possible at least point 1 to 7 ?
--
Leonardo Boselli
Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
tel +39 0554796431 cell +39 3488605348 fax +39 055495333
http://www.dicea.unifi.it/~leo

Reply to:

Follow-Ups:
- Re: routing based on source IP
  - From: Mickey Mullin <mickey@dreamwolf.us>

Prev by Date: Re: your mail [was: keine verbindung durch router dns wird aufgelöst]
Next by Date: Package e2fsprogs-devel.deb
Previous by thread: unsubscribe
Next by thread: Re: routing based on source IP
Index(es):
- Date
- Thread