Networking – Only Allow Certain Outbound Traffic on Specific Interfaces

iptables, networking

I have rather an odd issue. I have a server with two network interfaces, eth0 and eth1. Each is connected to a different network. Each network has an internet gateway. The server has various outbound connections: http (some scripts on the server scrape websites), nfs client, samba client, dns client and an email fetcher, to name but a few.

For reasons I won't go into, I need to split these outbound clients up so outbound http, nfs, samba and dns traffic is only requested over eth0 while everything else goes off through eth1.

I've read around a few Google searches and it looks like iptables is what I'll need but I really haven't got a clue. I'm only used to managing inbound firewall rules through ufw.

Could somebody start me off with a few example rules and tell me how to get the system to adopt these rules on boot? Ideally without locking me out of my SSH connection (I can get physical access, but I'd rather not).

Edit: I can split the clients over two users if it's possible to limit all outbound traffic from an account to one interface. On paper that seems like it might be easier.

Best Answer

I would set up a separate routing table and a policy to route marked packets using that table, and have iptables/netfilter mark certain packets.

Create a table: echo 1 known >> /etc/iproute2/rt_tables

Create a routing rule (the ip command is from iproute2): ip rule add from all fwmark 1 table known

We created a table called "known" and created a routing rule that says any packet with a mark equal to 1 gets routed according to the "known" table. I only called it known because it's for the list of known protocols - you can name it whatever you want. Now we set up the known table to route the proper way.

ip route add default dev eth0 table known

Create iptables rules:

# locally generated traffic passes through the mangle OUTPUT chain (PREROUTING only sees packets arriving on an interface)
iptables -t mangle -I OUTPUT -p tcp --dport 111 -j MARK --set-mark 1
iptables -t mangle -I OUTPUT -p tcp --dport 2049 -j MARK --set-mark 1

The example marks packets on the NFS ports (111, 2049) with a 1. We are adding this rule to the 'mangle' iptables table. This is different from the routing tables and is not changeable; the mangle table is specifically for altering packets in any way other than NAT.

Now, to route everything else through the other interface, we add a route to the standard routing table.

ip route add default dev eth1

To really understand this, read sections 4 and 11 of the LARTC howto.
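The same mark-and-route approach carried through for the asker's full list of clients, as an added example that is not part of the answer above; eth0/eth1, mark 1 and table id 1 named "known" come from the thread, while the port list and the apply/print wrapper are assumptions.

```shell
#!/bin/sh
# Added example (not part of the answer above): emit the commands that mark the
# asker's "known" clients (http, nfs, samba, dns) so they leave through eth0
# while everything else follows eth1. Interface names, mark value 1 and table
# id 1 / name "known" come from the thread; the port list is an assumption.
KNOWN_IF=eth0; OTHER_IF=eth1; MARK=1; TABLE=known; TABLE_ID=1

# One mangle rule per protocol/port. Locally generated traffic traverses the
# OUTPUT chain (PREROUTING only sees packets arriving from the network), so
# marking outbound connections has to happen here.
known_mark_rules() {
    for spec in tcp:80 tcp:443 tcp:111 udp:111 tcp:2049 udp:2049 \
                tcp:139 tcp:445 udp:137 udp:138 tcp:53 udp:53; do
        proto=${spec%%:*}; port=${spec#*:}
        printf 'iptables -t mangle -A OUTPUT -p %s --dport %s -j MARK --set-mark %s\n' \
            "$proto" "$port" "$MARK"
    done
}

# Routing side: register the table (guarded so a re-run at boot does not
# append a duplicate line), send marked packets to it, give it an eth0
# default route and keep the main table's default on eth1.
known_route_cmds() {
    printf 'grep -qx "%s %s" /etc/iproute2/rt_tables || echo "%s %s" >> /etc/iproute2/rt_tables\n' \
        "$TABLE_ID" "$TABLE" "$TABLE_ID" "$TABLE"
    printf 'ip rule add from all fwmark %s table %s\n' "$MARK" "$TABLE"
    # on an ordinary Ethernet LAN this needs "via <eth0 gateway>"; the thread
    # gives no gateway addresses, so the answer's dev-only form is kept
    printf 'ip route add default dev %s table %s\n' "$KNOWN_IF" "$TABLE"
    printf 'ip route replace default dev %s\n' "$OTHER_IF"
}

# Review the printed commands first; run "sh this.sh apply" as root to execute them.
if [ "${1:-}" = "apply" ]; then
    { known_route_cmds; known_mark_rules; } | sh -ex
else
    known_route_cmds; known_mark_rules
fi
```

To adopt the rules at boot, call the script with `apply` from a startup hook that runs after the interfaces are up (for example /etc/rc.local or a systemd oneshot unit). Replies to an inbound SSH session are not marked and follow the eth1 default route, so test from the console if the session came in over eth0's network.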
