How to set a static route for an external IP address

Posted by HorusKol on Server Fault See other posts from Server Fault or by HorusKol
Published on 2012-09-21T01:18:33Z Indexed on 2012/09/21 3:39 UTC
Read the original article Hit count: 247

Filed under:
|
|
|

Further to my earlier question about bridging different subnets - I now need to route requests for one particular IP address differently to all other traffic.

I have the following routing in my iptables on our router:

# Allow established connections, and those !not! coming from the public interface
# eth0 = public interface
# eth1 = private interface #1 (10.1.1.0/24)
# eth2 = private interface #2 (129.2.2.0/25)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the private interfaces
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT

# Allow the two private connections to talk to each other
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT

# Masquerade (NAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward any other traffic from the public to the private
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
iptables -A FORWARD -i eth0 -o eth2 -j REJECT

This configuration means that users will be forwarded through a modem/router with a public address - this is all well and good for most purposes, and in the main it doesn't matter that all computers are hidden behind the one public IP.

However, some users need to be able to access a proxy at 192.111.222.111:8080 - and the proxy needs to identify this traffic as coming through a gateway at 129.2.2.126 - it won't respond otherwise.

I tried adding a static route on our local gateway with:

route add -host 192.111.222.111 gw 129.2.2.126 dev eth2

I can successfully ping 192.111.222.111 from the router. When I trace the route, it lists the 129.2.2.126 gateway, but I just get * on each of the following hops (I think this makes sense since this is just a web-proxy and requires authentication).

When I try to ping this address from a host on the 129.2.2.0/25 network it fails.

Should I do this in the iptables chain instead? How would I configure this routing?

Network diagram

© Server Fault or respective owner

Related posts about networking

Related posts about iptables