[lug] forcing certain services to use eth1 instead of eth0
Nate Duehr
nate at natetech.com
Tue Jan 3 16:55:27 MST 2006
Michael Belanger wrote:
> On Tuesday 03 January 2006 14:09, Zan Lynx wrote:
>> iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
>> ip rule add fwmark 1 table 1
>> ip route add default table 1 via 1.2.3.4 dev eth1
>>
>> Google the Linux Advanced Routing HOWTO.
>>
>> There's also an iptables ROUTE module that lets you force routing
>> decisions there, if you're using a new enough kernel and iptables
>> combination.
>
>
> I read something similar to your example, but my eyes glazed over... Not sure I
> understand or even like the word 'MANGLE' when we are talking about email. :)
>
> From what I am reading, this *should* work.. Am I wrong?
>
> # Pass all SMTP traffic through eth1
> -A INPUT -o eth1 -m tcp -p tcp --dport 25 -j ACCEPT
> -A OUTPUT -o eth1 -m tcp -p tcp --sport 25 -j ACCEPT
>
> # Pass all IMAP traffic through eth1
> -A INPUT -o eth1 -p tcp -m tcp --dport 143 --syn -j ACCEPT
> -A INPUT -o eth1 -p tcp -m tcp --dport 993 --syn -j ACCEPT
>
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 143 --syn -j ACCEPT
> -A OUTPUT -o eth1 -p tcp -m tcp --sport 993 --syn -j ACCEPT
Hang on... seems like you're trying to get too fancy here.
I'm assuming that you've got two different IP addresses on eth0 and eth1?
If so, then on the "inbound from clients" connection -- they're
connecting to the IP on eth1 -- nothing to set up there. Your router
and/or switch should be ARP'ing for that IP and sending the traffic to
the physical port that answers the ARP request. No-brainer.
On the "outbound toward client" side of the connection... your daemon
should be answering using the IP address (socket, really) it received
the connection on? If so... it'd all be going out eth1 also. If the
application isn't doing that, something's not right.
So... I'm not sure why you'd need any firewall rules or anything other
than the correct IP's in everything, including the daemon configurations
for whatever is listening on your machine. Traffic to eth0's IP would
use eth0... traffic to eth1's IP would use eth1...???
Nate
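Added example, not code from anyone in this thread: the fwmark approach Zan Lynx sketched, filled out into a script, plus a source-address rule ("ip rule add from ...") that goes a step beyond the sketch and handles the inbound case Nate describes when the box's only default route is on eth0. The interface name, the 192.0.2.0/24 addresses, gateway, table number and mark value are all assumed placeholders. The script prints the commands by default so they can be reviewed; set APPLY=1 and run it as root to execute them.

```shell
#!/bin/sh
# Added example: send SMTP/IMAP out eth1 while everything else keeps the
# main default route on eth0. Requires iproute2 and iptables on a Linux host.
# Assumed (hypothetical) values; override via the environment:
ETH1_IF=${ETH1_IF:-eth1}           # second interface
ETH1_IP=${ETH1_IP:-192.0.2.10}     # address configured on eth1
ETH1_GW=${ETH1_GW:-192.0.2.1}      # next hop reachable through eth1
TABLE=${TABLE:-1}                  # spare routing table number
MARK=${MARK:-1}                    # fwmark not used by anything else

# Emit the commands instead of running them, so they can be inspected first.
gen_policy_routing() {
    # Table 1 holds a default route that leaves through eth1.
    echo "ip route add default via $ETH1_GW dev $ETH1_IF table $TABLE"

    # Inbound case: a client connected to eth1's address, the daemon replies
    # from that address, and this rule makes the reply leave via eth1 even
    # though the main table's default route points at eth0. It also lets
    # strict reverse-path filtering accept the client's packets on eth1.
    echo "ip rule add from $ETH1_IP table $TABLE"

    # Outbound case: connections this host initiates (e.g. mail relayed to
    # other MX hosts) are marked in mangle OUTPUT and routed by table 1.
    echo "ip rule add fwmark $MARK table $TABLE"
    for port in 25 143 993; do
        echo "iptables -t mangle -A OUTPUT -p tcp --dport $port -j MARK --set-mark $MARK"
    done

    # The source address of a locally initiated connection is chosen before
    # the packet reaches mangle OUTPUT, so it is usually eth0's. Rewrite it to
    # eth1's address on the way out; conntrack undoes this for the replies.
    echo "iptables -t nat -A POSTROUTING -o $ETH1_IF -m mark --mark $MARK -j SNAT --to-source $ETH1_IP"

    # If strict reverse-path filtering still drops return traffic on eth1,
    # relax it to loose mode for that interface only.
    echo "sysctl -w net.ipv4.conf.$ETH1_IF.rp_filter=2"
    echo "ip route flush cache"
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_policy_routing | sh -e      # apply for real (run as root)
else
    gen_policy_routing              # dry run: print the commands
fi
```

Check the result with "ip rule show" and "ip route show table 1"; a quick way to confirm the outbound path is "ip route get 203.0.113.5 mark 1" (203.0.113.5 being any remote address), which should report "dev eth1".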