
Network gurus...

Environment RHEL 6.5 Server X86_64

I have a virtual Repo/svn box plugged into our primary network.

eth0 10.28.50.129

It also has 4 additional NICs that plug into a segregated vSwitch with unique IPs, to allow access to instances of a server which may or may not be connected to the primary network.

eth1 10.28.50.131
eth2 10.28.50.132
eth3 10.28.50.133
eth4 10.28.50.134

I need to port-forward HTTP connections on 10.28.50.129 port 5080 via the eth2 card to 10.28.50.155 port 80.

I need to port-forward HTTP connections on 10.28.50.129 port 6080 via the eth3 card to 10.28.50.155 port 80.

The packets cannot go via the default route on the eth0 NIC, as the segregated VLAN that the target httpd server is in may or may not, at any given time, be "attached" to the primary network.

From reading several other posts on the net, I know I need to use iptables to CONNMARK the connection and use iproute2 to drop the tagged packet onto the correct network.

What I have currently does not appear to work. I have broken out Wireshark to be able to debug this a bit better, but so far I have been banging my head against a wall trying to figure out what is going wrong.

I was hoping someone could help.

What I have so far:

My /etc/sysconfig/iptables:

*mangle
:PREROUTING ACCEPT [1702:152640]
:INPUT ACCEPT [1092:89135]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [517:33940]
:POSTROUTING ACCEPT [517:33940]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5080 -j CONNMARK --set-xmark 0xa
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6080 -j CONNMARK --set-xmark 0xb
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10566:1406688]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -d 10.28.50.116/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
:PREROUTING ACCEPT [1698:188025]
:POSTROUTING ACCEPT [4:272]
:OUTPUT ACCEPT [2:168]
-A PREROUTING -p tcp -m tcp --dport 5080 -j DNAT --to-destination 10.28.50.116:80
-A PREROUTING -p tcp -m tcp --dport 6080 -j DNAT --to-destination 10.28.50.116:80
COMMIT

#

I also ran:

echo "201 eth2.out" >> /etc/iproute2/rt_tables
ip rule add fwmark 0xA table eth2.out

echo "201 eth3.out" >> /etc/iproute2/rt_tables
ip rule add fwmark 0xB table eth3.out


/sbin/ip route add default via 10.28.50.132 dev eth2 table eth2.out
/sbin/ip route add default via 10.28.50.133 dev eth3 table eth3.out

to set up the routing via the two NICs.

#

What I expect is that, regardless of the state of the vSwitch/VLAN (connected or disconnected), hitting the port on the repo box will give me a connection to the target IP/port.

Can anyone give me a hand or a pointer? Thanks.

cmttmp
  • 11
  • 3
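The following is an added example, not part of the question or any answer to it, showing one way the setup described above can be made to work on RHEL 6 with iptables and iproute2. It takes its addresses and marks from the posted config (the DNAT target is 10.28.50.116:80 as in the posted nat table, although the prose says .155; the 10.28.50.0/24 prefix is an assumption). It differs from the posted config in four places: the packet mark is set with MARK rather than CONNMARK, because `ip rule ... fwmark` matches the packet mark and CONNMARK --set-xmark only writes the conntrack entry; the forwarded flows are source-NATed to the egress NIC's address so the backend replies to a host on its own segment and never needs a route to the client through the primary network; each NIC gets its own routing table id (the post gave both tables 201) with an on-link default route instead of "via" the box's own address; and reverse-path filtering is set to loose mode, since with five NICs in the same subnet the main table reaches the backend through eth0's connected route and strict rp_filter would drop replies arriving on eth2/eth3 as martians. The gen_* functions only print what would be run; nothing is applied unless the script is run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the question): policy-routed port forward for the
# layout in the post, RHEL 6 iptables + iproute2.  Addresses and marks are the
# ones in the posted config; PRIMARY_NET is assumed.  Only "--apply" (as root)
# changes the system; the gen_* functions just print the rules and commands.

PRIMARY_IF=eth0
PRIMARY_IP=10.28.50.129
PRIMARY_NET=10.28.50.0/24        # assumed prefix; all five NICs sit in it
BACKEND=10.28.50.116             # DNAT target from the posted nat table
BACKEND_PORT=80
REPLY_MARK=0x1                   # mark for backend replies: send them back out eth0
REPLY_TABLE=200
# listen-port  egress-if  egress-ip  fwmark  table-id  table-name
MAPPINGS="5080 eth2 10.28.50.132 0xa 201 eth2.out
6080 eth3 10.28.50.133 0xb 202 eth3.out"

# iptables-restore text in the layout of /etc/sysconfig/iptables.
gen_iptables() {
    echo '*mangle'
    echo ':PREROUTING ACCEPT [0:0]'; echo ':INPUT ACCEPT [0:0]'; echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'; echo ':POSTROUTING ACCEPT [0:0]'
    echo "$MAPPINGS" | while read port oif oip mark tid tname; do
        # "ip rule fwmark" matches the packet mark; CONNMARK --set-xmark only writes
        # the conntrack entry, so the posted rules never influenced routing.
        # mangle PREROUTING runs before nat PREROUTING, so dport is still $port here.
        echo "-A PREROUTING -i $PRIMARY_IF -p tcp --dport $port -j MARK --set-mark $mark"
        # Backend replies enter on $oif; mark them so they leave via the primary NIC
        # rather than whichever of the five same-subnet connected routes main picks.
        echo "-A PREROUTING -i $oif -s $BACKEND -p tcp --sport $BACKEND_PORT -j MARK --set-mark $REPLY_MARK"
    done
    echo 'COMMIT'
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'; echo ':POSTROUTING ACCEPT [0:0]'; echo ':OUTPUT ACCEPT [0:0]'
    echo "$MAPPINGS" | while read port oif oip mark tid tname; do
        echo "-A PREROUTING -i $PRIMARY_IF -p tcp --dport $port -j DNAT --to-destination $BACKEND:$BACKEND_PORT"
        # SNAT to the egress NIC's address: the backend then answers a host on its
        # own segment and needs no path to the client via the primary network.
        echo "-A POSTROUTING -o $oif -d $BACKEND -p tcp --dport $BACKEND_PORT -j SNAT --to-source $oip"
    done
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'; echo ':FORWARD ACCEPT [0:0]'; echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Only the DNAT'd flows are forwarded; nothing else crosses between the NICs.
    echo "-A FORWARD -i $PRIMARY_IF -d $BACKEND -p tcp --dport $BACKEND_PORT -m state --state NEW -j ACCEPT"
    echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# sysctl and iproute2 commands, one per line (fed to "sh -e" by apply).
gen_routes() {
    echo 'sysctl -q -w net.ipv4.ip_forward=1'
    # Replies arrive on eth2/eth3 while the main table reaches $BACKEND through
    # eth0's connected route, so strict reverse-path filtering (RHEL default)
    # drops them as martians.  Loose mode still rejects sources with no route.
    echo 'sysctl -q -w net.ipv4.conf.all.rp_filter=2'
    echo "ip route replace $PRIMARY_NET dev $PRIMARY_IF src $PRIMARY_IP table $REPLY_TABLE"
    echo "ip rule del fwmark $REPLY_MARK table $REPLY_TABLE 2>/dev/null || true"
    echo "ip rule add fwmark $REPLY_MARK table $REPLY_TABLE pref 110"
    echo "$MAPPINGS" | while read port oif oip mark tid tname; do
        # On-link default route: "via <our own address>" (as posted) is not a next
        # hop; the backend is directly on $oif's segment.  One table id per NIC.
        echo "ip route replace default dev $oif src $oip table $tid"
        echo "ip rule del fwmark $mark table $tid 2>/dev/null || true"
        echo "ip rule add fwmark $mark table $tid pref 100"
    done
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo 'apply needs root' >&2; return 1; }
    echo "$MAPPINGS" | while read port oif oip mark tid tname; do
        grep -q "^$tid[[:space:]]" /etc/iproute2/rt_tables || echo "$tid $tname" >> /etc/iproute2/rt_tables
    done
    gen_iptables | iptables-restore && gen_routes | sh -e
}

case "${1:-}" in
    --apply) apply ;;
    --show)  gen_iptables; gen_routes ;;
esac
```

Run it with --show first and diff the output against the current /etc/sysconfig/iptables and `ip rule show` before applying. Test from another host on the primary network, not from the repo box itself: locally generated connections go through the OUTPUT chain and never traverse PREROUTING, so the marks and DNAT above do not apply to them. Loosening rp_filter to 2 is a real relaxation of the anti-spoofing check on every interface; if the NICs can be given distinct subnets instead of sharing 10.28.50.0/24, strict mode can stay on and the REPLY_MARK rule becomes unnecessary.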

0 Answers