mark and route traffic in a bridge

22/01/2007, 10h50

Hi all !!

I would to like to mark and route some kind of traffic (ie: outbound
www, now by simplicity)

---inet1--------eth0------------| |
| linux |
--eth1------- clientes
---inet2(90.0.0.1)--------eth2-| |

I have eth0 and eth1 bridged (eth2 is not bridged).

I would to route www outbound clients traffic through eth2.

This scheme works ?

I wrote this scripts:

a) add this line to /etc/iproute2/rt_tables

200 web

b) I assign ip to eth2:

/sbin/ifconfig eth2 90.0.0.2

c) Mark outbound www packets from clients:

/usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev
--physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2

d) I routing this marked packets

/sbin/ip rule add fwmark 2 table web

/sbin/ip route add default via 90.0.0.1 dev eth2 table web

e) Now I run iptraf listen eth2 but through eth2 is nothing of traffic.

What's a doing wrong ? How I can do it with a bridge ?

Thanks in advance for any hint and excuse my english.

roberto

--
Ing. Roberto Pereyra
ContenidosOnline
Looking for Linux Virtual Private Servers ? Click here:
http://www.spry.com/hosting-affiliat...d=426&a_bid=56

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

22/01/2007, 14h20

On Mon, Jan 22, 2007 at 07:42:26AM -0300, Roberto Pereyra wrote:
> Hi all !!
>
>
> I would to like to mark and route some kind of traffic (ie: outbound
> www, now by simplicity)
>
>
>
> ---inet1--------eth0------------| |
> | linux |
> --eth1------- clientes
> ---inet2(90.0.0.1)--------eth2-| |
>
>
> I have eth0 and eth1 bridged (eth2 is not bridged).
>
> I would to route www outbound clients traffic through eth2.
>
> This scheme works ?
>
Use shorewall. It does what you want and has exceptionally good
documentation.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFtMaz1snWssAFC08RAghuAJ0UYaD6s8JZ9RHd45Dqfo VWwu5rgQCeMBIr
qc6hFvEmDI+L9rDCVOqjSXw=
=U2d8
-----END PGP SIGNATURE-----

22/01/2007, 10h50	#1
Roberto Pereyra Messages: n/a Hébergeur:	mark and route traffic in a bridge Hi all !! I would to like to mark and route some kind of traffic (ie: outbound www, now by simplicity) ---inet1--------eth0------------\| \| \| linux \| --eth1------- clientes ---inet2(90.0.0.1)--------eth2-\| \| I have eth0 and eth1 bridged (eth2 is not bridged). I would to route www outbound clients traffic through eth2. This scheme works ? I wrote this scripts: a) add this line to /etc/iproute2/rt_tables 200 web b) I assign ip to eth2: /sbin/ifconfig eth2 90.0.0.2 c) Mark outbound www packets from clients: /usr/local/sbin/iptables -A PREROUTING -t mangle -m physdev --physdev-in eth1 -p tcp --dport 80 -j MARK --set-mark 2 d) I routing this marked packets /sbin/ip rule add fwmark 2 table web /sbin/ip route add default via 90.0.0.1 dev eth2 table web e) Now I run iptraf listen eth2 but through eth2 is nothing of traffic. What's a doing wrong ? How I can do it with a bridge ? Thanks in advance for any hint and excuse my english. roberto -- Ing. Roberto Pereyra ContenidosOnline Looking for Linux Virtual Private Servers ? Click here: http://www.spry.com/hosting-affiliat...d=426&a_bid=56 -- To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

22/01/2007, 14h20	#2
Roberto C. Sanchez Messages: n/a Hébergeur:	Re: mark and route traffic in a bridge On Mon, Jan 22, 2007 at 07:42:26AM -0300, Roberto Pereyra wrote: > Hi all !! > > > I would to like to mark and route some kind of traffic (ie: outbound > www, now by simplicity) > > > > ---inet1--------eth0------------\| \| > \| linux \| > --eth1------- clientes > ---inet2(90.0.0.1)--------eth2-\| \| > > > I have eth0 and eth1 bridged (eth2 is not bridged). > > I would to route www outbound clients traffic through eth2. > > This scheme works ? > Use shorewall. It does what you want and has exceptionally good documentation. Regards, -Roberto -- Roberto C. Sanchez http://people.connexer.com/~roberto http://www.connexer.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFFtMaz1snWssAFC08RAghuAJ0UYaD6s8JZ9RHd45Dqfo VWwu5rgQCeMBIr qc6hFvEmDI+L9rDCVOqjSXw= =U2d8 -----END PGP SIGNATURE-----

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email