  1. #1
    Mar 2013

    Routing by port number

    I wasn't sure whether to post here or in the Linux forums. I'm living in China, which means that while I have a 10Mbs fibre connection to my apartment it is useless for http and httpd traffic. I pay for a VPN service that solves the problem by restoring the ability to access censored web sites such as Google. The problem is I don't want to send all my Internet traffic thru the VPN for several reasons. I run a CentOS 6 server as my gateway. On it I have:
    eth0 - An Internet facing fibre with a static IP address.
    eth1 - An internal facing LAN connection on the traditional private range 192.168.1.x with the server at
    ppp0 - The PPTP VPN connection on the Internet with a different static IP address.

    What I want is for all port 53, 80 and 443 traffic to go out to the Internet via the ppp0 interface and everything else via eth0. With Linux's powerful networking features you would think this would be easy, but after months of trying it is seeming increasingly difficult, to the point where I'm wondering if I should be looking at other OSes.

    In order of increasing complexity (I like the KISS principle of problem solving):
    1. I looked at iptables but there is no rule, that I could find, that says for a destination port use a specific gateway or interface.

    2. I looked at Squid on the gateway server but Squid can not be bound to a specific interface for external traffic.

    3. Now it gets complicated. I shut down the ppp0 interface and squid on the gateway server. I built a second CentOS 6 server as a proxy server on the LAN at with the ppp0 VPN on it as its default gateway. It has the gateway server as its route only to the VPN end point. On this second server I run Squid. This setup works well with Firefox and Chrome when they are manually set up to use it, and it handles the http and httpd traffic well. However other apps, such as package managers etc, still use the non-VPN'd interface. Also setting up proxies on older mobile devices is a pain.

    4. To support all devices I attempted to set up transparent proxy on the gateway with the iptable rules:
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination
    This works well for http traffic but not https which fails.

    5. To simplify the https proxying (since I really only want routing) I installed tinyproxy on the proxy server at port 3130 and changed the gateway server iptables rules to:
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
    -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination
    Again this works fine for manually configured browsers, but the https traffic fails, with a different error of 'ssl_error_rx_record_too_long'.

    This post is already quite long so I won't fill it with config files now, but I can post them as requested when someone has a suggestion of what path to try next. I really can't believe this should be this difficult, but I find I am running out of ideas and would welcome some suggestions of what to try. I have read the "Linux Firewall (iptables) Tutorial" thread, which is very well written but doesn't go deep enough to help me.
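The routing-by-port question above is normally solved on Linux not with DNAT to a proxy but with policy routing: iptables marks packets by destination port in the mangle table, and an `ip rule` sends marked packets to a separate routing table whose only route is a default via the VPN. The script below is an added example, not code from the original poster; the interface names (eth0, eth1, ppp0), the mark value 1, the table number 100 and the port list are assumptions for illustration. It generates the commands as text so they can be reviewed before being piped into `sh` on the gateway as root.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing by destination port.
# LAN flows to the listed ports get a firewall mark; marked packets are
# routed through a dedicated table whose default route is the VPN link.
# Everything else falls through to the main table (default via eth0).
# All names and numbers below are assumptions, chosen for illustration.

LAN_IF="eth1"        # internal LAN interface (assumed)
WAN_IF="eth0"        # plain Internet uplink (assumed)
VPN_IF="ppp0"        # PPTP VPN interface (assumed)
VPN_MARK="1"         # fwmark for VPN-bound flows (arbitrary)
VPN_TABLE="100"      # routing table for VPN-bound flows (arbitrary)
VPN_PORTS="53 80 443"

# Emit the commands rather than executing them; pipe into `sh` to apply.
gen_vpn_policy_rules() {
    # 1. Mark LAN packets by destination port (TCP for all listed ports,
    #    UDP as well for DNS).
    for port in $VPN_PORTS; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $port -j MARK --set-mark $VPN_MARK"
        if [ "$port" = "53" ]; then
            echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p udp --dport $port -j MARK --set-mark $VPN_MARK"
        fi
    done
    # 2. Source-NAT flows leaving on either uplink so replies come back here.
    echo "iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # 3. A second routing table whose only route is a default via the VPN.
    #    ppp0 is point-to-point, so no gateway address is needed.
    echo "ip route replace default dev $VPN_IF table $VPN_TABLE"
    # 4. Policy rule: marked packets consult that table; unmarked packets
    #    never match and are routed by the main table as before.
    echo "ip rule add fwmark $VPN_MARK table $VPN_TABLE"
    echo "ip route flush cache"
    # 5. Strict reverse-path filtering validates the reply's source against
    #    the main table and would drop replies arriving on ppp0; loose mode
    #    (2) keeps the anti-spoofing check without breaking the VPN path.
    echo "sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Sanity check: number of marking rules produced (3 TCP + 1 UDP = 4).
count_mark_rules() {
    gen_vpn_policy_rules | grep -c -- '-j MARK'
}

gen_vpn_policy_rules
```

Two things worth checking after applying this: `ip rule show` should list the fwmark rule ahead of `main`, and `ip route show table 100` should contain only the default via ppp0. The DNAT approach in steps 4 and 5 cannot work for port 443 because the browser sends a TLS ClientHello to a port where the proxy expects plaintext HTTP; the proxy's HTTP reply is what Firefox reports as `ssl_error_rx_record_too_long`. Policy routing avoids that entirely, since the TLS session goes end to end and the gateway only decides which uplink carries it.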


  2. #2
    Mar 2010

    Re: Routing by port number

    This is prob beyond me, so no flaming

    I'm thinking with the SSL RX Record error that the SSL is not correctly configured. Try to see if you can telnet into port 443.

    I would also check and make sure SSL is not sharing the same port with another cert.

    Good luck! If I think of anything else I'll post it
