Networking Forums

Blocking traffic

 
 
w.kinderman
12-05-2004, 12:18 AM
I have three NICs in my router:
eth0 - wan1 10.16.61.241
eth1 - wan2 172.16.62.3
eth2 - lan 192.168.1.1

I want all traffic to go out eth0 except traffic to my.website.edu.
I only want traffic to my.website.edu to go out eth1.
I am wondering how I would set up the commands for this using iptables.

 
IANAL_VISTA
12-05-2004, 01:13 AM
"w.kinderman" <(E-Mail Removed)> wrote in
news:(E-Mail Removed) oups.com:

> i have three nics in my router
> eth0 - wan1 10.16.61.241
> eth1 - wan2 172.16.62.3
> eth2 - lan 192.168.1.1
>
> i want all traffic to go out eth0 except traffic to my.website.edu
> i only want traffic to my.website.edu to go out eth1
> i am wondering how i would set up the commands for this using iptables
>


How/why did you decide that iptables is the correct way to accomplish what
you described?

Do you realize that 10/8 & 192.168/16 addresses are not valid on the 'Net
and are "internal" IP#s?

Which NIC will allow you to surf www.ebay.com?

It almost appears you have a solution in search of a problem.
 
Tauno Voipio
12-05-2004, 10:11 AM
w.kinderman wrote:
> i have three nics in my router
> eth0 - wan1 10.16.61.241
> eth1 - wan2 172.16.62.3
> eth2 - lan 192.168.1.1
>
> i want all traffic to go out eth0 except traffic to my.website.edu
> i only want traffic to my.website.edu to go out eth1
> i am wondering how i would set up the commands for this using iptables
>


You do not need iptables here. Just route the IP address(es) to
the favourite website via eth1 and default via eth0.

Is it intentional that all your addresses are private RFC 1918
addresses?

--

Tauno Voipio
tauno voipio (at) iki fi

 
w.kinderman
12-06-2004, 07:52 PM
I am aware of all of this. I wanted to set up iptables so that no
traffic besides what I want goes out eth1. The only traffic I want to
go out eth1 is to my.website.edu; the rest of the traffic I want to go
out eth0. Eth2 is used for the LAN (DHCP, NAT, and such). Here is a link
to the way that the network is set up:
http://home.comcast.net/~fugzi/setup.jpg. We have a problem with all
the load balancing and one website that people use. The web designers
will only let one range of IPs log onto their servers, and all but one of
our connections is from the same company.

 
Tauno Voipio
12-06-2004, 08:04 PM
w.kinderman wrote:
> I am aware of all of this. I wanted to set up iptables so that no other
> traffic besides what I want to go out eth1. The only traffic I want to
> go out eth1 is to my.website.edu, the rest of the traffic I want to go
> out eth0. Eth2 is used for the lan (dhcp,nat, and such). Here is a link
> to the way that the network is setup
> http://home.comcast.net/~fugzi/setup.jpg. We have a problem with all
> the load balancing and one website that people use. The web designers
> will only let 1 range of ips log onto their servers and all but one of
> our connections it from the same company.
>


One reply would have been sufficient (instead of three).

Why is the routing table setup not suited for your purpose?

AFAIK, it will do just what you told us you want: transfer
the website packets (and only them) via eth1.

--

Tauno Voipio
tauno voipio (at) iki fi

 
w.kinderman
12-07-2004, 09:13 PM
Sorry about the three replies, I had a connection problem. I have the
routing table set up so all traffic will go out eth1 to my.website.com,
but sometimes the traffic still goes out eth0. Here is my routing
table. Maybe I am doing something wrong.
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref  Use Iface
my.website.com  172.16.62.1     255.255.255.255 UGH   0      0    0   eth1
172.16.62.0     *               255.255.255.248 U     0      0    0   eth1
192.168.1.0     *               255.255.255.0   U     0      0    0   eth2
10.16.60.0      *               255.255.254.0   U     0      0    0   eth0
loopback        localhost       255.0.0.0       UG    0      0    0   lo
default         172.16.62.1     0.0.0.0         UG    0      0    0   eth1
default         10.16.60.1      0.0.0.0         UG    0      0    0   eth0

 
Moe Trin
12-08-2004, 06:18 PM
In article <(E-Mail Removed) .com>,
w.kinderman wrote:

>Here is my routing table. Maybe i am doing something wrong.


Yes

>Kernel IP routing table
>Destination Gateway Genmask Flags Metric Ref Use Iface
>my.website.com 172.16.62.1 255.255.255.255 UGH 0 0 0 eth1


OK - this is saying that your 'my.website.com' is on some other network,
and can be reached by sending the packets to 172.16.62.1 who will then
forward them. Does 172.16.62.1 know how to reach "my.website.com"? Does
"my.website.com" know to use the other interface of 172.16.62.1 to send
packets back to here? Does 172.16.62.1 know to send packets here for the
192.x and 10.16.x networks?

>192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
>10.16.60.0 * 255.255.254.0 U 0 0 0 eth0
>loopback localhost 255.0.0.0 UG 0 0 0 lo


OK

>default 172.16.62.1 0.0.0.0 UG 0 0 0 eth1
>default 10.16.60.1 0.0.0.0 UG 0 0 0 eth0


Here's another problem. A 'default' means that if nothing else works,
use this. But which 'this'? You can't have two defaults. In Linux,
most networking setups interpret a default as meaning "the route to
the world". If you can't reach the world using the declared default,
then it should be the default. When the kernel sees this, it uses the
_last_ one set, and ignores others. Methinks you want to spend some time
reading the Linux Network Administrator's Guide (the second edition is
available from O'Reilly as ISBN 1-56592-400-2 for US$40 if you need
the dead tree version, or get it online from http://tldp.org/guides.html;
you want the 'nag2').

Old guy

 
Tauno Voipio
12-08-2004, 08:50 PM
Moe Trin wrote:
> In article <(E-Mail Removed) .com>,
> w.kinderman wrote:
>
>>Here is my routing table. Maybe i am doing something wrong.
>
> Yes
>
>>Kernel IP routing table
>>Destination Gateway Genmask Flags Metric Ref Use Iface
>>my.website.com 172.16.62.1 255.255.255.255 UGH 0 0 0 eth1
>
> OK - this is saying that your 'my.website.com' is on some other network,
> and can be reached by sending the packets to 172.16.62.1 who will then
> forward them. Does 172.16.62.1 know how to reach "my.website.com"? Does
> "my.website.com" know to use the other interface of 172.16.62.1 to send
> packets back to here? Does 172.16.62.1 know to send packets here for the
> 192.x and 10.16.x networks?
>
>>192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
>>10.16.60.0 * 255.255.254.0 U 0 0 0 eth0
>>loopback localhost 255.0.0.0 UG 0 0 0 lo
>
> OK
>
>>default 172.16.62.1 0.0.0.0 UG 0 0 0 eth1
>>default 10.16.60.1 0.0.0.0 UG 0 0 0 eth0
>
> Here's another problem. A 'default' means that if nothing else works,
> use this. But which 'this'? You can't have two defaults. In Linux,
> most networking setups interpret a default as meaning "the route to
> the world". If you can't reach the world using the declared default,
> then it should be the default. When the kernel sees this, it uses the
> _last_ one set, and ignores others. Methinks you want to spend some time
> reading the Linux Network Administrator's Guide (the second edition is
> available from O'Reilly as ISBN 1-56592-400-2 for US$40 if you need
> the dead tree version, or get it online from http://tldp.org/guides.html;
> you want the 'nag2').
>
> Old guy

Agreed.

Delete the default route via eth1.

--

Tauno Voipio
tauno voipio (at) iki fi
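The routing-only approach Tauno Voipio recommends in his first reply (a host route for the website via eth1, a single default via eth0) and the two-defaults problem Moe Trin points out, worked through as an added example that is not part of the thread and is nobody's code from it: a POSIX shell script that audits a pasted routing table for more than one default route, prints the iproute2 command that would remove the extra one (printed rather than executed, since changing routes needs root and should be reviewed first), and then re-audits the predicted result and checks that the website's host route is still pinned to eth1. The sample table is constructed from the one w.kinderman posted, in the numeric form 'route -n' prints ('*' becomes 0.0.0.0); the hostname my.website.com is replaced by the documentation address 203.0.113.10, which is an assumption, and 'ip route del' is the iproute2 equivalent of the 'route del' the thread's era would have used.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a 'route -n' style table for
# duplicate default routes and print (not run) the commands that fix them.
# Needs only POSIX sh and awk, so it runs offline on a pasted table.

# Constructed sample: the table posted in the thread as 'route -n' prints it.
# 203.0.113.10 stands in for my.website.com (assumption, documentation range).
SAMPLE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref Use Iface
203.0.113.10    172.16.62.1     255.255.255.255 UGH   0      0   0   eth1
172.16.62.0     0.0.0.0         255.255.255.248 U     0      0   0   eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth2
10.16.60.0      0.0.0.0         255.255.254.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         172.16.62.1     0.0.0.0         UG    0      0   0   eth1
0.0.0.0         10.16.60.1      0.0.0.0         UG    0      0   0   eth0'

# A default route has destination 0.0.0.0 (column 1) and genmask 0.0.0.0
# (column 3); the interface is the last column.

# count_defaults TABLE -> number of default routes in the table
count_defaults() {
    printf '%s\n' "$1" |
        awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { n++ } END { print n + 0 }'
}

# default_ifaces TABLE -> space-separated interfaces that carry a default route
default_ifaces() {
    printf '%s\n' "$1" |
        awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { s = (s == "") ? $NF : s " " $NF }
             END { print s }'
}

# host_route_iface TABLE HOST -> interface of the /32 host route for HOST, if any
host_route_iface() {
    printf '%s\n' "$1" |
        awk -v h="$2" '$1 == h && $3 == "255.255.255.255" { print $NF }'
}

# audit_routes TABLE -> exit 0 when exactly one default route exists, else 1
audit_routes() {
    n=$(count_defaults "$1")
    case "$n" in
        1) echo "ok: single default route via $(default_ifaces "$1")"; return 0 ;;
        0) echo "problem: no default route at all"; return 1 ;;
        *) echo "problem: $n default routes (via $(default_ifaces "$1")); only one can be used"
           return 1 ;;
    esac
}

# extra_default_del_cmds TABLE KEEP_IFACE -> one 'ip route del' line for every
# default route that does not leave through KEEP_IFACE (printed, not executed)
extra_default_del_cmds() {
    printf '%s\n' "$1" |
        awk -v keep="$2" '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF != keep {
            printf "ip route del default via %s dev %s\n", $2, $NF }'
}

# drop_extra_defaults TABLE KEEP_IFACE -> the table as it would look after those
# commands, so the outcome can be re-audited before touching the router
drop_extra_defaults() {
    printf '%s\n' "$1" |
        awk -v keep="$2" '!($1 == "0.0.0.0" && $3 == "0.0.0.0" && $NF != keep)'
}

main() {
    echo "== table as posted"
    audit_routes "$SAMPLE_TABLE" || :
    echo "== commands that would remove the extra default (eth0 stays the default)"
    extra_default_del_cmds "$SAMPLE_TABLE" eth0
    echo "== predicted table after the fix"
    fixed=$(drop_extra_defaults "$SAMPLE_TABLE" eth0)
    audit_routes "$fixed"
    echo "host route for 203.0.113.10 still leaves via: $(host_route_iface "$fixed" 203.0.113.10)"
}
main
```

The script deliberately only predicts: it prints the single 'ip route del default via 172.16.62.1 dev eth1' that Tauno's last reply asks for and shows that afterwards one default (eth0) and one pinned host route (eth1) remain, which is the whole of the steering policy; no iptables rule is involved. Two things it cannot check and the thread raises: Moe Trin's return-path question (172.16.62.1 must route replies for 192.168.1.0/24 and 10.16.60.0/23 back to this router), and w.kinderman's mention of NAT on the LAN side. If the LAN is masqueraded only on eth0, packets steered out eth1 keep their 192.168.1.x source and the website's address filter never sees the eth1 address, so the masquerade rule needs to cover eth1 as well; that is the one place iptables belongs in this setup.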

 