Blog

Debian – Policy Routing – iptables mark port and protocol

                                                                                         ________
                                                                  +------------+        /
                                                      192.168.1.1 |            |       |
                                                 +----------------+ Provider 1 +-------
mark port 10,21,22,80,443,25,110.143,3389        | eth0           |            |     /
    ___/  \           mark protocol icmp  +------+----------+     +------------+    |
  _/        \ mark network 172.16.10.0/24 |   192.168.1.2   |                       /
 /             \         172.16.10.1 eth1 |                 |                       |
| Local network --------------------------+  Linux router   |                       |     Internet
 \           __/        172.16.2.1 eth1:0 |                 |                       |
   \__     __/                            | default gateway |                       \
      \___/                               +------+----------+     +------------+    |
                                                 | eth2           |            |     \
                                                 +----------------+ Provider 2 +-------
                                                                  |            |       |
                                                                  +------------+        \________

Първо трябва да добавим таблица например с номер 200 и име T1 в /etc/iproute2/rt_tables

255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
201 T1

След което следва самата конфигурация

ip route add 127.0.0.0/8 dev lo table T1
ip route add 192.168.1.0/30 dev eth0 src 192.168.1.2 table T1
ip route add 172.16.10.0/24 dev eth1 src 172.16.10.1 table T1
ip route add default via 192.168.1.1 table T1

iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 80 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 443 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 20 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 21 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 22 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 25 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 110 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 143 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p tcp --dport 3389 -j MARK --set-mark 102
iptables -A PREROUTING -s 172.16.10.0/24 -t mangle -p icmp -j MARK --set-mark 102
ip rule add fwmark 102 table T1
Tags: , , , , , , ,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.