I use a newsgroup provider to exchange content with Usenet newsgroups. My newsgroup provider requires all connections for a specific account to originate from the same IP. I have a machine in my network that is always on and is therefore perfectly suited to serve as a download machine. The problem, however, is that this machine provides other services (shell, webserver, mail) via the slower but more stable ISP connection with a static IP. My preference is to keep it connected this way for obvious reasons.
I can use ISP1's connection for downloading from the newsgroups, but the newsgroup provider does not allow traffic to its servers from more than one IP. Violating this results in the following message:
```
Failed login for server [482 You are already connected from a different host]
```
Besides, I also use the ISP with the fast connection to download from the newsgroups, and using both ISPs at the same time causes the above 'failed login' message.
My situation summed up:
- Server running Ubuntu 10.04 LTS and my favorite newsgroup download tool, SABNZBD
- Two ISPs on my local network:
  - ISP1: slow but stable connection with static IP
  - ISP2: fast, but less reliable connection with dynamic IP
- Server connected to the Internet via ISP1 (default gateway)
- Both gateways are on the same local network (192.168.2.0/24)
The solution
I want traffic with destination port 119 to be routed via ISP2, while all other traffic should be routed via ISP1, which is the default gateway for the server. To accomplish this, I created a script that routes traffic to a specific destination port via a different gateway than the default gateway:
```sh
#!/bin/sh
ISP2_GATEWAY=192.168.2.253
PORT_TO_REDIRECT=119

# Create a routing table whose default route points at the ISP2 gateway.
# The table name "webtraffic" must be listed in /etc/iproute2/rt_tables.
# Clear any routes left in the table by a previous run.
ip route flush table webtraffic
ip route add default table webtraffic via "$ISP2_GATEWAY"
# Packets carrying firewall mark 1 are looked up in that table
ip rule add fwmark 1 table webtraffic

# Mark all locally generated TCP traffic to the specified port so that it is routed via the above specified gateway
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport "$PORT_TO_REDIRECT" -j MARK --set-mark 1
```
Just adapt this script to your needs and execute it on the server machine.
This solution can also be used for other ports and other kinds of outgoing traffic from your local Unix machine, for example secure NNTP traffic via port 563.
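The same approach extended to both NNTP ports mentioned above, as an added example that is not part of the original script: it validates the ports, removes rules from a previous run before adding them again, and provides a teardown. The names `DRY_RUN`, `PORTS`, `TABLE`, `MARK`, `run`, `valid_port`, `apply_rules` and `remove_rules` are assumptions; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: fwmark policy routing for several destination ports.
# Assumed names (not in the original script): DRY_RUN, PORTS, TABLE, MARK,
# run, valid_port, apply_rules, remove_rules.
ISP2_GATEWAY=${ISP2_GATEWAY:-192.168.2.253}  # ISP2 gateway from the article
PORTS=${PORTS:-"119 563"}                    # NNTP and secure NNTP
TABLE=webtraffic        # must be listed in /etc/iproute2/rt_tables
MARK=1
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only decimal TCP port numbers in the range 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Undo what apply_rules sets up; errors for rules that do not exist are ignored.
remove_rules() {
    for port in $PORTS; do
        valid_port "$port" || continue
        run iptables -t mangle -D OUTPUT -p tcp -m tcp --dport "$port" \
            -j MARK --set-mark "$MARK" 2>/dev/null || true
    done
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip route flush table "$TABLE" 2>/dev/null || true
}

# Check every port first, clean up leftovers, then add route, rule and marks.
apply_rules() {
    for port in $PORTS; do
        valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    done
    remove_rules
    run ip route add default via "$ISP2_GATEWAY" table "$TABLE" || return 1
    run ip rule add fwmark "$MARK" table "$TABLE" || return 1
    for port in $PORTS; do
        run iptables -t mangle -A OUTPUT -p tcp -m tcp --dport "$port" \
            -j MARK --set-mark "$MARK" || return 1
    done
}

apply_rules
```

Run it with `DRY_RUN=0` as root to apply the rules; calling `remove_rules` instead of `apply_rules` sends the traffic back over the default gateway.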
References
These sources have inspired me to find this solution:
- Route return traffic to correct gateway depending on service (serverfault.com)
- 10.4. Multiple Connections to the Internet
Hope this helps anyone.