How to set a static route for an external IP address
Posted
by
HorusKol
on Server Fault
See other posts from Server Fault
or by HorusKol
Published on 2012-09-21T01:18:33Z
Indexed on
2012/09/21
3:39 UTC
Read the original article
Hit count: 247
Further to my earlier question about bridging different subnets - I now need to route requests for one particular IP address differently to all other traffic.
I have the following routing in my iptables on our router:
# Allow established connections, and those !not! coming from the public interface
# eth0 = public interface
# eth1 = private interface #1 (10.1.1.0/24)
# eth2 = private interface #2 (129.2.2.0/25)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the private interfaces
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
# Allow the two private connections to talk to each other
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
# Masquerade (NAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward any other traffic from the public to the private
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
iptables -A FORWARD -i eth0 -o eth2 -j REJECT
This configuration means that users will be forwarded through a modem/router with a public address - this is all well and good for most purposes, and in the main it doesn't matter that all computers are hidden behind the one public IP.
However, some users need to be able to access a proxy at 192.111.222.111:8080 - and the proxy needs to identify this traffic as coming through a gateway at 129.2.2.126 - it won't respond otherwise.
I tried adding a static route on our local gateway with:
route add -host 192.111.222.111 gw 129.2.2.126 dev eth2
I can successfully ping 192.111.222.111 from the router. When I trace the route, it lists the 129.2.2.126 gateway, but I just get * on each of the following hops (I think this makes sense since this is just a web-proxy and requires authentication).
When I try to ping this address from a host on the 129.2.2.0/25 network it fails.
Should I do this in the iptables chain instead? How would I configure this routing?
© Server Fault or respective owner