Iptables: how to force hosts to go out via a specific external IP?
Let there be a Linux router.
Let there be 3 external IPs (eth0=EXT_IP0, eth0:1=EXT_IP1, eth0:2=EXT_IP2).
Let it have an internal interface eth1=192.168.0.1.
And let there be a certain host 192.168.0.2, a terminal server.
Task:
1. Forward the terminal port from EXT_IP1 to the terminal server.
2. But have new outbound traffic from that host leave via EXT_IP2.
First part solved (CentOS6, /etc/sysconfig/iptables):
*nat
-A PREROUTING -i eth0 -d <EXT_IP1> -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
*filter
-A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 192.168.0.2 --dport 3389 -j ACCEPT
Masquerade too:
-A POSTROUTING -o eth0 -j MASQUERADE
But everyone leaves, naturally, through EXT_IP0.
And it needs to be through EXT_IP2.
And another tip: if you know the exact (fixed) IP address on the external interface, then use -j SNAT instead of -j MASQUERADE.
Create 2 routing tables:
echo 101 wan101 >> /etc/iproute2/rt_tables
echo 102 wan102 >> /etc/iproute2/rt_tables
Mark outgoing traffic from the desired machine with appropriate labels in iptables:
iptables -t mangle -A PREROUTING -s 192.168.0.2 -j MARK --set-mark 102
iptables -t mangle -A PREROUTING #everything else# -j MARK --set-mark 101
Set both routing tables correctly:
ip route add $networkprovider via $externalIP dev eth0:2 table wan102
…
ip rule add fwmark 102 table wan102
And by analogy, set up the wan101 table for everyone else.
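The steps above, combined with the SNAT tip from the previous answer, as one complete script (an added example, not code from either answer). The addresses, the table name wan102, the function name and the dry-run switch are assumptions; the mark-based routing alone does not change which address the traffic is NATed to, so the script also adds the SNAT rule.

```shell
#!/bin/sh
# Added example (not code from the thread): combines the mark + routing-table
# recipe above with the SNAT tip so that the terminal server's own outbound
# connections leave via EXT_IP2, while the RDP DNAT from EXT_IP1 still works.
# Addresses are constructed placeholders (RFC 5737 range); set the real ones.
EXT_IP2=203.0.113.12     # eth0:2, the address 192.168.0.2 should appear from
GW=203.0.113.1           # provider gateway reachable on eth0
TS=192.168.0.2           # terminal server on eth1
MARK=102
TABLE=wan102
DRY_RUN=${DRY_RUN:-0}    # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_ts_egress() {
    # 1. Register the table name (skipped if it is already in rt_tables).
    grep -qs "^$MARK $TABLE\$" /etc/iproute2/rt_tables \
        || run sh -c "echo '$MARK $TABLE' >> /etc/iproute2/rt_tables"

    # 2. Mark the terminal server's packets before the routing decision.
    #    Matching on -i eth1 keeps anything arriving from outside unmarked.
    run iptables -t mangle -A PREROUTING -i eth1 -s "$TS" -j MARK --set-mark "$MARK"

    # 3. Default route for the marked traffic. iproute2 does not accept
    #    alias names such as eth0:2, so route via eth0 and pin the source.
    run ip route replace default via "$GW" dev eth0 src "$EXT_IP2" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"

    # 4. Marking alone does not change the NAT address: MASQUERADE still uses
    #    eth0's primary IP (EXT_IP0). Put a SNAT rule for this host ahead of
    #    the existing MASQUERADE rule. Replies to the DNAT'd RDP sessions are
    #    not NEW, so conntrack keeps mapping them back to EXT_IP1.
    run iptables -t nat -I POSTROUTING 1 -o eth0 -s "$TS" -j SNAT --to-source "$EXT_IP2"
}

# Usage: sh ts-egress.sh apply   (any other invocation only prints the commands)
[ "${1:-}" = apply ] || DRY_RUN=1
setup_ts_egress
```

Run it without arguments first and compare the printed commands with the existing /etc/sysconfig/iptables rules before applying, since the SNAT rule must sit before the MASQUERADE rule to take effect.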