
I am trying to set up a Linux server that was initially only supposed to be in one "server subnet". However, I am forced to use a proxy to access HTTP/HTTPS services in this subnet, which causes a lot of problems with my web applications, which need to access an API over HTTPS.

Fortunately, the server is connected to a second "client subnet", which offers unrestricted access to HTTP/HTTPS services. I configured both NICs, and now I have the server subnet on eth0 and the client subnet on eth1.

I was reading up on similar issues, and the closest I found was this: https://askubuntu.com/questions/104400/how-to-put-all-traffic-and-on-one-interface-and-some-traffic-on-another-interfac. I followed the instructions and changed the ports and interfaces accordingly (eth0's gateway being the default gateway):

iptables -t mangle -A OUTPUT -p tcp --dport 443 -o eth0 -j MARK --set-mark 1
ip rule add fwmark 1 table 1
ip route add 0.0.0.0/0 table 1 dev eth1

However this doesn't seem to work.

I was wondering whether it is actually possible, from a technical point of view, to even create routing rules that allow local outgoing HTTP/HTTPS traffic to be routed over another subnet.

markusju
  • Yes, and you've described exactly how it's done. So what is happening? And what else is unusual about your server? – Michael Hampton Nov 02 '13 at 23:20
  • Well, I can't establish any http or https connection. They are all terminated with connection timeout. Interestingly enough, traceroute --fwmark=1 myhost.com uses eth1's gateway as its first hop. So I suppose there must be something wrong with my iptables entry. Besides that there isn't anything weird about the server, besides the fact it's running in MS HyperV. – markusju Nov 03 '13 at 00:07
  • It might be possible that the responses are filtered as the IP address your query is originating from still would be the one from the "server subnet". Try adding `src ` to the `ip route add` statement if this is the case. – the-wabbit Nov 03 '13 at 00:42
  • I got a little further. I was able to connect to a https server after trying `iptables -t mangle -A OUTPUT -p tcp --dport 443 -o eth0 -j MARK --set-mark 1` `ip rule add fwmark 1 table 1` `ip route add default table 1 via [gateway-client] src [client-ip]`. However I was only able to connect by using wget's `--bind-address` option. Is there a way to avoid this? – markusju Nov 03 '13 at 11:19

1 Answer


I know this post is really old, but just recently I solved this problem using another approach which involves source policy routing: Can't ping multihomed Linux machine on non-default interface.

The host is connected to the two networks. The "client subnet" allows for access to external resources, however its clients cannot be accessed from outside the network. Clients on the "server subnet" can be accessed from outside the network, however they cannot access any resources outside their own network.

                  ---
                   |"Client Subnet"
 ------     eth0   | 3.3.0.10 
| Host |-----------
|      |-----------
 ------     eth1   |"Server Subnet"
                   | 123.123.0.10
                  ---

I set the gateway of the client subnet as the default gateway and configured the source policy routing as seen in the answer from the post above. The server then behaved as desired.

echo 13 eth1 >> /etc/iproute2/rt_tables
ip route add default via 123.123.0.1 table eth1
ip rule add from 123.123.0.10 lookup eth1
markusju
  • Can you please post actual commands you had used for created routing tables and specifying them in iptables rules. Your answer would be much more useful that way! – Anubioz Sep 05 '16 at 00:32
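Both setups discussed in this thread, as one added example that is not code from the question, the answer or their author: a script that generates (and, with `--apply-source` or `--apply-fwmark`, applies) the source-based policy routing from the answer and the fwmark-based routing from the question. Interface names and addresses are assumptions taken from the answer's diagram; the gateway addresses, the choice to mark port 80 as well as 443, the `rp_filter` setting and the SNAT rule are my assumptions, added because the comments show the mark-based variant otherwise only works when the application binds to the client-subnet address itself.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates, and optionally applies,
# two policy-routing setups for a dual-homed host:
#   A) source-based routing (the answer): packets carrying the server-subnet address
#      leave via the server-subnet gateway, while the main default route points at
#      the unrestricted client subnet;
#   B) fwmark-based routing (the question): locally generated HTTP/HTTPS is marked
#      and steered to the client subnet, with SNAT so the client-subnet address is
#      used without every application having to bind to it.
# Addresses/interfaces follow the answer's diagram; gateways are assumed. Root needed to apply.
set -eu

CLIENT_IF=eth0; CLIENT_IP=3.3.0.10;     CLIENT_GW=3.3.0.1      # unrestricted subnet (assumed gw)
SERVER_IF=eth1; SERVER_IP=123.123.0.10; SERVER_GW=123.123.0.1  # reachable from outside (assumed gw)
TABLE_ID=13;    TABLE_NAME=$SERVER_IF                           # named table for (A)
MARK=1;         MARK_TABLE=1                                    # mark and table for (B)

# (A) Source policy routing. Idempotent: "replace" instead of "add", and the rule is
# deleted before being re-added, so a rerun never stacks duplicate rules.
source_routing_cmds() {
    cat <<EOF
grep -q "^$TABLE_ID $TABLE_NAME\$" /etc/iproute2/rt_tables || echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
ip route replace default via $SERVER_GW dev $SERVER_IF table $TABLE_NAME
ip rule del from $SERVER_IP lookup $TABLE_NAME 2>/dev/null || true
ip rule add from $SERVER_IP lookup $TABLE_NAME priority 100
ip route replace default via $CLIENT_GW dev $CLIENT_IF
EOF
}

# (B) Mark-based routing when the main default route must stay on the server subnet.
# The source address is chosen during the first route lookup, before the mangle OUTPUT
# hook sees the packet, so the re-route after marking keeps the server-subnet address;
# the SNAT in nat/POSTROUTING rewrites it and removes the need for --bind-address.
# Replies then arrive on an interface the main table would not choose, so reverse-path
# filtering on that interface is set to loose mode (2).
fwmark_routing_cmds() {
    cat <<EOF
ip route replace default via $CLIENT_GW dev $CLIENT_IF src $CLIENT_IP table $MARK_TABLE
ip rule del fwmark $MARK lookup $MARK_TABLE 2>/dev/null || true
ip rule add fwmark $MARK lookup $MARK_TABLE priority 100
sysctl -w net.ipv4.conf.$CLIENT_IF.rp_filter=2
iptables -t mangle -C OUTPUT -p tcp -m multiport --dports 80,443 -o $SERVER_IF -j MARK --set-mark $MARK 2>/dev/null || iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 -o $SERVER_IF -j MARK --set-mark $MARK
iptables -t nat -C POSTROUTING -m mark --mark $MARK -o $CLIENT_IF -j SNAT --to-source $CLIENT_IP 2>/dev/null || iptables -t nat -A POSTROUTING -m mark --mark $MARK -o $CLIENT_IF -j SNAT --to-source $CLIENT_IP
EOF
}

# Verification helper: given the text of `ip rule show` ($1) and a selector such as
# "from 123.123.0.10 lookup eth1" ($2), succeed only when that rule is installed.
rule_present() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

case "${1:-}" in
    --apply-source) source_routing_cmds | sh -e ;;
    --apply-fwmark) fwmark_routing_cmds | sh -e ;;
    *) echo "# (A) source policy routing"; source_routing_cmds
       echo "# (B) fwmark policy routing";  fwmark_routing_cmds ;;
esac
```

Run it without arguments to review the generated commands first; after applying, `ip rule show` piped through `rule_present` (or read by eye) confirms the rule is in place, and `ip route get <api-address> from 123.123.0.10` shows which table a given source address resolves through.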