Routing based on destination ports? [Solved]

regavoga · n00b Joined: 24 May 2005 Posts: 16

Hi!

On my school network, our admin have blocked all ports but 80 and 443. Therefore, we've set up this Gentoo router, and a VPN tunnel to another machine outside the firewall. This VPN tunnel works fine, but is it possible to forward all packets with destination ports 80 or 443 to device eth0 (our school network) and all the others (22 - ssh, as an example) to device tun0 (the tunnel)?

How could this be done?

Thanx,
Ole Martin Handeland

ASID · Apprentice Joined: 22 Mar 2006 Posts: 195

regavoga · n00b Joined: 24 May 2005 Posts: 16

thanx!

but in which table and chain should i have this in?

my current setup:

iptables -t nat -L -v

ASID · Apprentice Joined: 22 Mar 2006 Posts: 195

I'm not sure if I understand correct your topology but I think that you want something like:

regavoga · n00b Joined: 24 May 2005 Posts: 16

wouldn't that change the packets destination adress to (in this case) eth0s address? that wouldn't work, because you've change the destination of the packet, and it will never reach its goal?

update: i added this (the first rule) to the postrouting chain in the nat table:

ASID · Apprentice Joined: 22 Mar 2006 Posts: 195

Isn't that what you want?
Can you please give me more information about the topology of your network. Your box has two network cards and three interfaces? Is it behind the school network with real IPs or NATed?

salam · Apprentice Joined: 29 Sep 2005 Posts: 227

i assume you use the gentoo server where the vpn is as a gateway for your boxes
i think there is no 'common' way to do port based routing
you can do
iptables
iptables -t mangle -A PREROUTING -i $inner_iface -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i $inner_iface -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1

so all packets will be marked as 2 and 80+443 as 1

and then use iproute2 to do a mark-based routing
i think you'll also have to NAT your outgoing connections on the gentoo box

ASID · Apprentice Joined: 22 Mar 2006 Posts: 195

regavoga · n00b Joined: 24 May 2005 Posts: 16

thanx alot!!

i actually looked at mark/iproute2, but never worked it out.. sadly, (irony) school is over for today... i will try again tomorrow! (and come back here and whine if it doesn't work :lol:

)

also found this guide: http://www.karnaugh.za.net/show?id=194

Mroofka · Guru Joined: 25 Jan 2005 Posts: 369 Location: Poland

salam · Apprentice Joined: 29 Sep 2005 Posts: 227

from your link i see that (if i am correct) you want to do a load balancing for one box with 2 net adapters
the problem is that this will probably not work for mark based routing at output. because when parsing output chain, the -o device is already decided so you cannot route via another.iface

when you want to use multiple adapters as gateways for differnent traffic, you'll have probably to use iptables route target (patch-o-matic part)

Mroofka · Guru Joined: 25 Jan 2005 Posts: 369 Location: Poland

ok it's one problem thanks for tip. Have you read my secund post from "my" topic. I wrote it few minutes ago and there is another problem

I'm going to look at patch-o-matic but it only let me cheat my system but not resolve this problem in right way :p

Pozdrawiam
_________________
"Make install not love"
registred linux User # 379143

"Ready for Anything; Prepared for everything; Surprised by Nothing !"