[gentoo-user] Re: [OT] Redirecting traffic for a TCP port to another gateway

2017-03-29 Thread Kai Krakow
On Wed, 29 Mar 2017 19:30:11 +1100, Adam Carter wrote:

> > Dan Johansson wrote:
> >> [...]
> The general term for that is "policy routing".
> 
> If you're doing it to hack around some network weirdness that you
> can't fix because you don't have control of the network, it might be a
> necessary evil, but it's generally a bad idea. Think about routing
> asymmetry, and whether you should use a NAT to prevent that side
> effect.

There are two gateways that probably will NAT. The machine itself does
not NAT as far as I understood. So there will be no problem with
asymmetric routing. Setting up NAT on an internal machine not being the
gateway itself would be unnecessary evil. And it would not help this
case as you still need to route packets to the proper (still internal)
gateway.

-- 
Regards,
Kai

Replies to list-only preferred.




Re: [gentoo-user] Re: [OT] Redirecting traffic for a TCP port to another gateway

2017-03-29 Thread Adam Carter
> Dan Johansson wrote:
>>
>>>
>>> Is it possible, using iptables or something equivalent, to redirect
>>> traffic to some specific TCP ports to another gateway than the
>>> default-gateway?
>>>
>>
The general term for that is "policy routing".

If you're doing it to hack around some network weirdness that you can't fix
because you don't have control of the network, it might be a necessary evil,
but it's generally a bad idea. Think about routing asymmetry, and whether
you should use a NAT to prevent that side effect.


Re: [gentoo-user] Re: [OT] Redirecting traffic for a TCP port to another gateway

2017-03-29 Thread Dan Johansson

On 2017-03-28 21:48, Kai Krakow wrote:

> On Tue, 28 Mar 2017 21:26:05 +0200, Dan Johansson wrote:
>
>> Is it possible, using iptables or something equivalent, to redirect
>> traffic to some specific TCP ports to another gateway than the
>> default-gateway?
>>
>> Eg.
>>
>> Host 192.168.1.100/24 has a default-gateway of 192.168.1.1
>> Now I want to send all traffic from this host to destination-tcp-port
>> 80 to gateway 192.168.2.1 instead (the host has a second interface
>> with the address 192.168.2.100/24 as well).
>> I only want the traffic to port 80 to go thru this GW (and then to
>> its final destination).
>> And port 80 is just an example, it could be port 12345 as well.
>>
>> Is this possible? If yes, any suggestion on how to do it?
>
> If I understand you correctly, you want to do the redirect decision on
> the source machine 192.168.1.100, and not on the default gateway
> 192.168.1.1.

Yes, correct, that is the way I want it.

> This means you need to mark packets with iptables, and then do the
> routing based on the mark. For this, you need to set up policy routing.
> Look here:
>
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

That link looks promising, it is quite close to my planned setup/needs.

> That example uses port 25 instead of 80. It marks packets, and then
> creates a second routing table to use for such marked packets.


That is not a problem as I was only using port 80 as an example.

Thanks for the link, my google searches did not find that :-(

D/\N



[gentoo-user] Re: [OT] Redirecting traffic for a TCP port to another gateway

2017-03-28 Thread Kai Krakow
On Tue, 28 Mar 2017 21:26:05 +0200, Dan Johansson wrote:

> Slightly off-topic, but at least the host is Gentoo.
> 
> Is it possible, using iptables or something equivalent, to redirect 
> traffic to some specific TCP ports to another gateway than the 
> default-gateway?
> 
> Eg.
> 
> Host 192.168.1.100/24 has a default-gateway of 192.168.1.1
> Now I want to send all traffic from this host to destination-tcp-port
> 80 to gateway 192.168.2.1 instead (the host has a second interface
> with the address 192.168.2.100/24 as well).
> I only want the traffic to port 80 to go thru this GW (and then to
> its final destination).
> And port 80 is just an example, it could be port 12345 as well.
> 
> Is this possible? If yes, any suggestion on how to do it?

If I understand you correctly, you want to do the redirect decision on
the source machine 192.168.1.100, and not on the default gateway
192.168.1.1.

This means you need to mark packets with iptables, and then do the
routing based on the mark. For this, you need to set up policy routing.
Look here:

http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

That example uses port 25 instead of 80. It marks packets, and then
creates a second routing table to use for such marked packets.

-- 
Regards,
Kai

Replies to list-only preferred.
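Added example, not from the thread or from the linked HOWTO: a script that generates the mark-and-route rule set Kai describes for Dan's addresses (port 80 via 192.168.2.1, decision made on 192.168.1.100), together with the NAT and reverse-path-filter handling that Adam's asymmetric-routing caveat calls for. It assumes the 192.168.2.100/24 interface is eth1 and that routing table 100 and firewall mark 0x1 are unused; the SNAT step is only needed if the second gateway would otherwise return replies via the other path.

```sh
#!/bin/sh
# Added example, not from the thread: emit the iptables + iproute2 commands
# that implement the policy routing Kai describes, using Dan's addresses.
# Printing instead of executing lets the rule set be reviewed without root;
# pipe the output to sh on the host to apply it.
# Assumptions (not in the thread): the 192.168.2.100/24 interface is eth1,
# and routing table 100 and firewall mark 0x1 are free to use.

policy_route_cmds() {
    dport=$1 gw=$2 dev=$3 table=$4 mark=$5
    cat <<EOF
# 1. Mark locally generated TCP traffic to port $dport. The OUTPUT chain is
#    used because the decision is made on the source host, not on a router.
iptables -t mangle -A OUTPUT -p tcp --dport $dport -j MARK --set-mark $mark
# 2. Send marked packets to a separate routing table with its own default.
ip rule add fwmark $mark table $table
ip route add default via $gw dev $dev table $table
# 3. The kernel chose the source address before the mark was set, so these
#    packets would leave $dev with the primary address and replies could
#    come back through the other gateway (the asymmetry Adam warns about).
#    Rewriting the source to the $dev address keeps both directions on one path.
iptables -t nat -A POSTROUTING -o $dev -m mark --mark $mark -j MASQUERADE
# 4. Strict reverse-path filtering would drop the replies arriving on $dev,
#    because the main table reaches the remote host via the default gateway;
#    loose mode keeps the anti-spoofing check but accepts them.
sysctl -w net.ipv4.conf.$dev.rp_filter=2
# Verify the decision for marked traffic: ip route get <destination> mark $mark
EOF
}

# Dan's case: port 80 through 192.168.2.1; any other port works the same way.
policy_route_cmds 80 192.168.2.1 eth1 100 0x1
```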