Re: [gentoo-user] Re: How to do port-based routing?

2008-03-03 Thread Jason Carson
 On 2008-03-03, Uwe Thiem [EMAIL PROTECTED] wrote:
 On Monday 03 March 2008, Grant Edwards wrote:
 I'm trying to figure out how to do port-based routing.  I found
 a HOWTO that does pretty much exactly what I'm trying to do:

 http://www.linuxhorizon.ro/iproute2.html

 However, it's using iptables, which I thought was deprecated,

 Not to my knowledge.

 I would have sworn that one source I found said that ipchains
 and iptables were both deprecated in favor of netfilter, but
 AFAICT, iptables is the user-space portion of netfilter.

 --
 Grant Edwards   grante at visi.com   Yow! I Know A Joke!!

 --
 gentoo-user@lists.gentoo.org mailing list


ipchains is used in the 2.2 kernel. iptables is for the 2.4 and 2.6
kernels. From the netfilter website: "Software commonly associated with
netfilter.org is iptables."

-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: How to do port-based routing?

2008-03-03 Thread Arturo 'Buanzo' Busleiman

Grant Edwards wrote:
| AFAICT, iptables is the user-space portion of netfilter.

That's correct, yes.

--
Arturo Buanzo Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/
--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: How to do port-based routing?

2008-03-03 Thread Dan Cowsill
On Mon, Mar 3, 2008 at 2:36 PM, Grant Edwards [EMAIL PROTECTED] wrote:
 On 2008-03-03, Jason Carson [EMAIL PROTECTED] wrote:
   I'm trying to figure out how to do port-based routing.  I found
   a HOWTO that does pretty much exactly what I'm trying to do:
  
   http://www.linuxhorizon.ro/iproute2.html
  
   However, it's using iptables, which I thought was deprecated,
   but there are iptables versions as recent as three months ago,
   so it still seems to be maintained. The above page has
   references to the Linux Advanced Routing & Traffic Control
   site at www.lartc.org, but that site appears to be long-gone.
  
   What's the recommended interface for doing advanced routing
   stuff?
  
   There are many interfaces but they are all frontends to
   iptables. Personally I just did a lot of reading and built my
   firewall from scratch.

  I found shorewall and firestarter, but neither looked very
  useful to me:

   1) They're both designed for configuring firewalls, and I'm
 not building a firewall machine.

   2) Neither seemed to have any way to specify port-based routing.

  So it looks like plain iptables is the way to go.

  --
  Grant Edwards   grante at visi.com   Yow! I want another RE-WRITE on my CEASAR SALAD!!

  --
  gentoo-user@lists.gentoo.org mailing list



I hate to plug a non-gentoo distro, but if you're building yourself a
linux firewall and you want to do so without rtfm'ing, smoothwall is
the way to go.

-- 
Dan Cowsill
http://www.danthehat.net
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: How to do port-based routing?

2008-03-03 Thread kashani

Grant Edwards wrote:

I found shorewall and firestarter, but neither looked very
useful to me:

 1) They're both designed for configuring firewalls, and I'm
not building a firewall machine.

 2) Neither seemed to have any way to specify port-based routing.

So it looks like plain iptables is the way to go.



I'm not aware of any iptables front end that will also manage policy
based routing, which is Cisco-ese and maybe general Network-ese for what
you're trying to do. However I would use shorewall (or whatever you
prefer) to do most of the work and then insert your custom rules where
they need to go.

All policy routing, regardless of actual implementation, has you build an
ACL of traffic you'd like messed with. Then you need to specify what
happens to traffic that matches the ACL. However, one thing the original
how-to you linked didn't completely spell out is NAT. You MUST NAT
on each interface or you'll have all sorts of routing fun that does not
work.


kashani
--
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] Re: How to do port-based routing?

2008-03-03 Thread kashani

Grant Edwards wrote:


I don't understand why I have to do NAT.  Can you explain why?
(Or point me to docs that explain why?)



router01.your.network.com
eth0 - 10.11.12.1
eth1 - 24.1.2.231 - Comcast
eth2 - 64.1.2.132 - Speakeasy

Naturally RFC 1918 space is useless outside your network so you have to 
NAT. However you need to make sure that you are making your policy 
routing decisions at eth0. You don't want traffic marked as originating 
from 24.1.2.231 going out eth2 since Speakeasy could (and should) drop 
traffic that is not originating from its IP space. Additionally traffic 
will be routed back to you via the Comcast connection, resulting in 
asymmetric routing, which can increase the chances of packets arriving 
out of order.


router01.your.network.com
eth0 - 24.2.3.1/29
eth0 - 64.2.3.1/29
eth1 - 24.1.2.231 - Comcast
eth2 - 64.1.2.132 - Speakeasy

Same case with this setup even with real IPs. The chances of convincing 
any ISP to accept routes smaller than /24 from you are tiny. And finding 
anyone who knows what you even want to do, even when you have the IP 
space, is pretty much non-existent. I know, I've tried. Same thing in 
this case: you'll NAT at eth1 and eth2 and policy route at eth0.


If you are doing this from a single machine with two IPs and no other 
networks or interfaces, it should just work. Linux should use the IP of 
the interface the packet leaves from, but I'd use tcpdump to make sure.


kashani
--
gentoo-user@lists.gentoo.org mailing list
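The two-uplink setup kashani describes, written out as an added example (it is not code from the thread or from the linked HOWTO): destination ports are classified with a firewall mark at eth0, before the routing decision, two iproute2 tables send marked and unmarked flows out different uplinks, and each uplink SNATs to its own address. The interface names and addresses come from kashani's first diagram; the gateway addresses 24.1.2.1 and 64.1.2.1, the table numbers 101/102, the mark value and the choice of TCP 25 and 80 as the Speakeasy-bound ports are assumptions. The function only prints the commands, so it runs without root; pass `apply` to pipe them into sh.

```shell
#!/bin/sh
# Added example, not from the thread: port-based (policy) routing with
# iptables fwmark + iproute2 tables, SNAT on every uplink.
# Interface names and addresses are from kashani's diagram; gateways,
# table numbers, mark value and port list are assumptions.
LAN_IF=eth0;  LAN_NET=10.11.12.0/24
ISP1_IF=eth1; ISP1_IP=24.1.2.231; ISP1_GW=24.1.2.1   # Comcast; gateway assumed
ISP2_IF=eth2; ISP2_IP=64.1.2.132; ISP2_GW=64.1.2.1   # Speakeasy; gateway assumed
ISP2_PORTS=25,80   # TCP destination ports forced out via Speakeasy (assumption)
MARK2=2            # fwmark meaning "route via Speakeasy" (assumption)
T1=101; T2=102     # per-uplink routing table ids; numeric, so no rt_tables edit needed

# Emit the commands in order. Nothing is executed here, so this is safe to run
# unprivileged; review the output, then pipe it into sh as root.
gen_policy_routing() {
    cat <<EOF
# 0. Forward, and relax reverse-path filtering on the uplinks: a reply that
#    arrives on $ISP2_IF would otherwise fail the strict rp_filter check because
#    the main table points back out $ISP1_IF (use 0 on kernels before 2.6.31).
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$ISP1_IF.rp_filter=2
sysctl -w net.ipv4.conf.$ISP2_IF.rp_filter=2
# 1. Classify on the LAN side, in mangle/PREROUTING, i.e. before the routing
#    decision. CONNMARK pins every packet of a connection to the same uplink.
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $LAN_IF -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports $ISP2_PORTS -j MARK --set-mark $MARK2
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --save-mark
# 2. One routing table per uplink: the LAN plus that uplink's default route.
ip route add $LAN_NET dev $LAN_IF table $T1
ip route add default via $ISP1_GW dev $ISP1_IF table $T1
ip route add $LAN_NET dev $LAN_IF table $T2
ip route add default via $ISP2_GW dev $ISP2_IF table $T2
ip route replace default via $ISP1_GW dev $ISP1_IF     # main table: unmarked flows use Comcast
# 3. Policy rules: marked flows use the Speakeasy table; anything sourced from
#    an uplink's own address (replies to inbound connections) leaves by that uplink.
ip rule add fwmark $MARK2 table $T2
ip rule add from $ISP1_IP table $T1
ip rule add from $ISP2_IP table $T2
ip route flush cache
# 4. NAT per uplink, so the source address always belongs to the ISP the packet
#    leaves through; without this Speakeasy would see (and may drop) 24.x sources.
iptables -t nat -A POSTROUTING -s $LAN_NET -o $ISP1_IF -j SNAT --to-source $ISP1_IP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $ISP2_IF -j SNAT --to-source $ISP2_IP
EOF
}

# Self-check helper: how many emitted lines contain a given rule fragment.
count_rules() { gen_policy_routing | grep -c -- "$1"; }

case "${1:-print}" in
    apply) gen_policy_routing | sh ;;   # run as root; review the printed version first
    *)     gen_policy_routing ;;
esac
```

To confirm the split, do what kashani suggests: from a LAN host open a connection to port 25 and another to port 443, and run `tcpdump -ni eth2 tcp port 25` and `tcpdump -ni eth1 tcp port 443` on the router; each should show its flow leaving with the matching uplink's source address.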