Networking Forums

Routing by port number

Bill Davidsen
12-08-2003, 07:27 PM
I have a setup to configure which has two DSL lines and a cable line
coming into an office with a private network behind the router. The
problem is that there are three connections which could be used as
default gateways, and traffic shaping is needed.

For various reasons it is desirable to have all outbound smtp
connections pass through one route, all http connections another, etc.
This will get connections through some firewalls on the other end, and
is particularly important for ssh.

The SNAT is easy, but after that forcing the route is less so. Clearly I
could have a route for each special case, but that doesn't scale. The
iproute2 doc talks about ipchains; iptables having been standard for
some years, I bet there's a more recent doc, but I don't see it. The
iptables "MARK" target doesn't seem to work like the fwmark match, but I
may have something wrong with my test program.

If someone can point me to better doc, or give me a hint, much
appreciated. What I'm doing now is seriously wrong, and I want a general
and clean solution.

--
bill davidsen <(E-Mail Removed)>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979

W Cardwell
12-08-2003, 09:02 PM
This document describes packet marking and routing with iptables and
iproute2: http://lartc.org/howto/lartc.netfilter.html

--

wcardwell at nc dot rr dot com


"Bill Davidsen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I have a setup to configure which has two DSL lines and a cable line
> coming into an office with a private network behind the router. The
> problem is that there are three connections which could be used as
> default gateways, and traffic shaping is needed.
>
> For various reasons it is desirable to have all outbound smtp
> connections pass through one route, all http connections another, etc.
> This will get connections through some firewalls on the other end, and
> is particularly important for ssh.
>
> The SNAT is easy, but after that forcing the route is less so. Clearly I
> could have a route for each special case, but that doesn't scale. The
> iproute2 doc talks about ipchains; iptables having been standard for
> some years, I bet there's a more recent doc, but I don't see it. The
> iptables "MARK" target doesn't seem to work like the fwmark match, but I
> may have something wrong with my test program.
>
> If someone can point me to better doc, or give me a hint, much
> appreciated. What I'm doing now is seriously wrong, and I want a general
> and clean solution.
>
> --
> bill davidsen <(E-Mail Removed)>
> CTO TMR Associates, Inc
> Doing interesting things with small computers since 1979
>



Bill Davidsen
12-09-2003, 03:06 AM
W Cardwell wrote:
> This document describes packet marking and routing with iptables and
> iproute2: http://lartc.org/howto/lartc.netfilter.html
>


Thanks for the pointer, I think I passed on it earlier because it seemed
light on "why am I doing this" info. I shall see what the conflict
between MARK and SNAT brings. Unfortunately the explanation post for
that has a dead URL. I hate doing things in the "do this magic" mode,
but I'll poke around and see how it works.

The worst that can happen is that I prematurely trigger the heat death
of the universe or something.

--
bill davidsen <(E-Mail Removed)>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979

Bill Davidsen
12-21-2003, 12:53 AM
W Cardwell wrote:
> This document describes packet marking and routing with iptables and
> iproute2: http://lartc.org/howto/lartc.netfilter.html
>


The document didn't provide a working config, but it did provide a hint
which resulted in a working config. I wound up putting the MARK in the
OUTPUT chain of the mangle table, forcing the selected packets out of
the correct NIC to the desired gateway. I don't understand how or why
that works, but it does, very nicely.

Thank you again for the pointer, all it took was to MARK all the packets
with a source on the NIC (multiple aliases in the subnet) and not to
another IP in the same subnet, and then force the marked packets to go
out as desired.

That doesn't fit the flow of the packet from the program to the NIC as
explained in several "routing for dummies" type docs, but as long as it
works I'm happy. And more importantly I know how to do it again in
slightly different ways.

--
bill davidsen <(E-Mail Removed)>
CTO TMR Associates, Inc
Doing interesting things with small computers since 1979
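A worked configuration for the port-based policy routing this thread asks about, added here as an example and not posted by anyone in the thread; the interface names, gateway addresses, LAN prefix and routing-table numbers are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: steer outbound traffic by destination port
# with iptables MARK plus iproute2 fwmark rules. Interfaces, gateways, table
# numbers and the LAN prefix are assumed placeholders; substitute the real ones.
# DRY_RUN=1 (default) only prints the commands; run as root with DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}
LAN_NET=192.168.1.0/24   # assumed private network behind the router

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# mark_port PROTO DPORT MARK: tag packets to DPORT with MARK in the mangle table.
# PREROUTING sees packets forwarded from the LAN; OUTPUT sees packets the router
# itself generates. After mangle OUTPUT the kernel repeats the routing decision
# when the mark changed, which is why marking there moves local traffic to the
# chosen uplink (the effect described in the last post).
mark_port() {
    proto=$1; dport=$2; mark=$3
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -p "$proto" --dport "$dport" \
            -j MARK --set-mark "$mark"
    done
}

# uplink TABLE MARK DEV GW: give MARKed packets their own routing table whose
# default route leaves via DEV/GW, then SNAT (masquerade) on that DEV so replies
# return to the address of the uplink they left on.
uplink() {
    table=$1; mark=$2; dev=$3; gw=$4
    run ip route replace default via "$gw" dev "$dev" table "$table"
    run ip rule add fwmark "$mark" table "$table"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$dev" -j MASQUERADE
}

build_rules() {
    mark_port tcp 25 1              # smtp -> uplink 1
    mark_port tcp 80 2              # http -> uplink 2
    mark_port tcp 22 3              # ssh  -> uplink 3
    uplink 101 1 ppp0 10.0.0.1      # assumed DSL line 1
    uplink 102 2 ppp1 10.0.1.1      # assumed DSL line 2
    uplink 103 3 eth1 203.0.113.1   # assumed cable line (documentation address)
    run ip route flush cache        # drop cached routes so new rules take effect
}

build_rules
```

Traffic from hosts on the LAN traverses PREROUTING rather than OUTPUT, so a MARK rule placed only in OUTPUT, as in the post above, steers just the router's own connections.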
