Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Iptables / Iproute2 conditional forwarding based on destination IP

Iptables / Iproute2 conditional forwarding based on destination IP

post #1 of 6
Thread Starter 
I work at a place where there are two main networks that are not accessible from each other due to a configuration error outside my hands. Let us call these networks RED and BLUE. While setting up a server on one of these networks, it occurred to me that if I put three network cards in a server, I could connect this server to both RED and BLUE at the same time, and then connect clients to the third network card (GREEN). Packets with a destination host in 192.168.0.0 would be routed through BLUE, and packets with a destination host in 192.168.1.0 would be routed through RED (the IPs are examples only).

I have set up forwarding and NAT'ing between the networks, and certain things do work, but not all. I can now access all hosts (internal and external) on RED, but only internal hosts on BLUE, which is a problem because the point of doing this is to be able to access external hosts on BLUE. This means I can print stuff from RED even though the printer server is on BLUE, but I cannot access the webservers provided on BLUE.

I tried to remedy this by setting up iproute2 to do things to the packets:
IP route list:
Code:
default via 192.168.1.1 dev RED  metric 100 
192.168.0.0/21 dev BLUE  proto kernel  scope link  src 192.168.0.16 
13.37.13.0/24 dev GREEN  proto kernel  scope link  src 13.37.13.1 
169.254.0.0/16 dev RED  scope link  metric 1000 
192.168.1.0/24 dev RED  proto kernel  scope link  src 192.168.1.222

IP rule list:
Code:
0:   from all lookup local 
32765:  from all fwmark 0x1 lookup BLUE
32766:  from all lookup main 
32767:  from all lookup default 

/etc/iproute2/rt_tables content:
Code:
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
1 RED
2 BLUE

ifconfig output:
Code:
BLUE Link encap:Ethernet  HWaddr 54:04:a6:db:ea:bd  
          inet addr:192.168.0.16  Bcast:192.168.7.255  Mask:255.255.248.0
          inet6 addr: fe80::5604:a6ff:fedb:eabd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:38318 errors:0 dropped:0 overruns:0 frame:0
          TX packets:182 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4742985 (4.7 MB)  TX bytes:24241 (24.2 KB)
          Interrupt:18 Memory:f8100000-f8120000 

RED Link encap:Ethernet  HWaddr 54:04:a6:db:e9:70  
          inet addr:192.168.1.222  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5604:a6ff:fedb:e970/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:858886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:954039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:596057518 (596.0 MB)  TX bytes:865908104 (865.9 MB)
          Interrupt:19 Memory:fa200000-fa220000 

GREEN    Link encap:Ethernet  HWaddr 00:22:64:2b:19:76  
          inet addr:13.37.13.1  Bcast:13.37.13.255  Mask:255.255.255.0
          inet6 addr: fe80::222:64ff:fe2b:1976/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:14365 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18121 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1427957 (1.4 MB)  TX bytes:23561016 (23.5 MB)

For the FWMARK rule to work, I have these iptables settings:

Assuming 1.2.3.0/21 is the IP range for the external hosts I want access to. However, it doesn't seem that iproute does anything special with the packets. Is there any way I can log what iproute does?

Also, I have noticed that the PREROUTING table is not listed when I run iptables --list, and my rules for setting marks are not listed when I run iptables --list-rules, but they are listed in the webmin interface, which I was told to use by several tutorials.
Edited by CritiCal - 6/27/13 at 6:23am
post #2 of 6
Hello,
it would help a lot if you could draw a plan of your network and post it here.
From what I understand, there are 2 different IP networks and you want to create a router to have them be able to communicate.
Are you using a DHCP server? Do you have a WAN connection, network equipment? What is your server's primary role, is it a router or a firewall?
post #3 of 6
Thread Starter 
Excuse the low quality, drawing is not my forte.

Both RED and BLUE are WAN connections, but different WAN connections; one serves as a backup to the other. However, BLUE is also used in many other locations around the country (it is a LAN spread over a large area) and has many webservers, email servers and such that are not accessible from RED, because it is incorrectly configured (TTL expires in transit), and the people tasked with this can't/won't fix it. This is why I am trying to set up a LAN (GREEN) that is able to access both the web servers on BLUE through using the 192.168.0.16 interface, and the servers on RED using the 192.168.1.222 interface.

I am using DHCP on GREEN, with DNSmasq's built-in DHCP server. RED and BLUE have static addresses. The server's primary role in this case would be router; firewall is not something we're bothered with quite yet, as the only users are my colleague and I.

Now, the strange thing is that those addresses on BLUE that are in the 192.168.0.0 network are accessible, but those that are in the 1.2.3.0 network (external part of BLUE) are not accessible.
Edited by CritiCal - 6/27/13 at 11:10pm
post #4 of 6
Thread Starter 
I believe the problem is with iproute or its configuration, as the iptables log clearly shows that the packages are marked.
Code:
2013-06-28T11:44:31.088874+02:00 2isa-vhost-01 kernel: [ 4434.977648] IN=GREEN OUT= MAC=00:22:64:2b:19:76:44:1e:a1:ca:38:c0:08:00 SRC=13.37.13.101 DST=1.2.3.69 LEN=92 TOS=0x00 PREC=0x00 TTL=12 ID=5321 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=264 MARK=0x1

Edited by CritiCal - 6/28/13 at 5:33am
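The following script is an added example and not the thread author's configuration. It covers the setup asked about in post #1 (marking in the mangle table's PREROUTING chain, which is why plain `iptables --list` never shows those rules, since that command lists only the filter table) and the symptom in post #4: the log shows MARK=0x1 on the packet, yet it still leaves via RED. A common cause of exactly that symptom is that the fwmark rule points at table BLUE but the table itself contains no routes; the lookup then falls through to main, whose only default route is via RED. Nothing in the thread shows `ip route show table BLUE`, so the script checks and populates it. There is no "iproute log", but `ip route get` with the same mark, source and input interface performs the lookup the kernel would, so that is what the diagnostic function runs. Interface names, the 13.37.13.0/24 and 192.168.0.0/21 prefixes and the 1.2.3.0/21 external range are taken from the thread; the BLUE gateway address (192.168.0.1) is an assumption, since the thread never states it. By default the script only prints the commands it would run; `DRY_RUN=0 sh policy-routing.sh apply` executes them.

```shell
#!/bin/sh
# Added example (not the thread author's config): policy routing for the
# RED/BLUE/GREEN router described above. Needs root when DRY_RUN=0.
set -eu

GREEN_NET="13.37.13.0/24"          # from the thread: client LAN on GREEN
BLUE_NET="192.168.0.0/21"          # from the thread: BLUE's internal prefix
BLUE_EXTERNAL="1.2.3.0/21"         # from the thread: hosts reachable only via BLUE
BLUE_GW="${BLUE_GW:-192.168.0.1}"  # ASSUMPTION: BLUE's gateway is not given in the thread
BLUE_TABLE="BLUE"                  # table 2 in /etc/iproute2/rt_tables
MARK="0x1"

# Print each command instead of running it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing side. The fwmark rule only changes anything if table BLUE holds a
# route for the destination; an empty table falls through to main, and main's
# default route is via RED, which is the behaviour reported in post #4.
setup_blue_table() {
    run ip route replace default via "$BLUE_GW" dev BLUE table "$BLUE_TABLE"
    run ip route replace "$BLUE_NET" dev BLUE table "$BLUE_TABLE"
    # Re-create the rule from the thread (delete first so it is not duplicated).
    run ip rule del fwmark "$MARK" lookup "$BLUE_TABLE" pref 32765 || true
    run ip rule add fwmark "$MARK" lookup "$BLUE_TABLE" pref 32765
    # Replies from 1.2.3.0/21 come back in on BLUE, but the main table says that
    # prefix is behind RED; strict reverse-path filtering would drop them, so
    # switch BLUE to loose mode (2). Forwarding must be on for any of this to matter.
    run sysctl -w net.ipv4.conf.BLUE.rp_filter=2
    run sysctl -w net.ipv4.ip_forward=1
}

# Firewall side: mark early (mangle/PREROUTING), NAT on both uplinks so replies
# return to this box, and forward only GREEN -> uplinks plus established flows.
setup_marking_and_nat() {
    run iptables -t mangle -A PREROUTING -i GREEN -d "$BLUE_EXTERNAL" -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -s "$GREEN_NET" -o BLUE -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$GREEN_NET" -o RED -j MASQUERADE
    run iptables -A FORWARD -i GREEN -o BLUE -j ACCEPT
    run iptables -A FORWARD -i GREEN -o RED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Diagnostics: the closest thing to "logging what iproute does". The route-get
# lookup for 1.2.3.69 should name dev BLUE; if it names RED, table BLUE is the
# first place to look. The last command shows the mark rules with hit counters.
show_routing_decision() {
    dst="${1:-1.2.3.69}"
    run ip route show table "$BLUE_TABLE"
    run ip route get "$dst" mark "$MARK" from 13.37.13.101 iif GREEN
    run iptables -t mangle -L PREROUTING -v -n
}

case "${1:-}" in
    apply) setup_blue_table; setup_marking_and_nat; show_routing_decision ;;
    *) ;;   # no argument: only define the functions, so the file can be sourced
esac
```

With DRY_RUN left at its default the script is safe to run on any machine; it only prints the plan, which makes the rule and table names easy to review before applying them on the router.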
post #5 of 6
That's an odd network layout.
post #6 of 6
Thread Starter 
Quite. It has to do with restrictions for most people (BLUE), which should not apply to the tech-savvies (RED).