Hello! The company has a hardware router that works with 2 Internet service providers. From it, requests are sent to a Linux machine. Is it possible to make it so that if a request on port 443 comes through the first ISP, the Linux machine redirects it to one port, and if it comes to the same port 443 through the second ISP, it redirects it to another port on the Linux machine? The hardware router does not allow this, and on Linux the destination IP seems to be the same for packets after the hardware router, so it is not clear which field to use for the redirect rule. The problem is that after the hardware router, on the Linux router's side, it is apparently impossible to tell which provider the packet came through, because the router replaces the destination IP (the router's external IP) with the local IP of the Linux machine.

That is, in the logs after the command:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j LOG --log-prefix "iptables"

We see in the dst field not one of the router's two external addresses, but the local address 192.168.... of the Linux machine to which the packet arrived. So there is not one router on the packet's path from the Internet, but two. The first is hardware (TP-Link); from it the packets go to the second, which runs on Linux. This second one uses only one network card (eth0) and one subnet. And this second one needs to be configured with a rule based on determining the channel the request came through.

It is clear that the first router could be removed and everything done on Linux, but the task is exactly as described.

    Support for this is needed on the first router, the one that received the request from outside. If it is hardware, look again at its capabilities; perhaps it can be done by some not quite standard means. Later on you cannot distinguish the packets anyway - Mike
  • What is the hardware router model? - Alex78191
  • TL-R480T+ rev 5.1. TP-Link support said that this cannot be done at the level of this router, only if you purchase a similar TL-R480T+ with firmware versions 7.8 or 9. Therefore, for now, we have decided to do everything on Linux, excluding the hardware router. Many thanks to all for the help! - Artem

1 answer

If you forward ports on the external router to the HTTPS server on Linux and want to distinguish the source of the traffic, you can add a second IP on the server and forward the traffic not to different ports but to different addresses. Then everything that came to ip1:443 (isp1) would be sent to the internal ip_in_1:443, and everything that came to ip2:443 (isp2) to the second server address ip_in_2:443.

Although this becomes impossible if the server program cannot have different settings for different interfaces.
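The Linux side of this answer as an added example, not code from the thread: once the external router forwards ISP1's :443 to one local address and ISP2's :443 to a second address on the same eth0, the destination address is the one field that still tells the two channels apart, so the nat table can redirect on it to the two ports the question asked for. The addresses 192.168.1.10/11, the interface name and the target ports 8443/9443 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed values: the
# hardware router DNATs ISP1 traffic to ISP1_IP:443 and ISP2 traffic to
# ISP2_IP:443; both addresses live on the Linux box's single NIC.
ISP1_IP="192.168.1.10"   # primary address of eth0
ISP2_IP="192.168.1.11"   # second address added for the ISP2 channel
IFACE="eth0"
ISP1_PORT="8443"         # service instance that should see ISP1 traffic
ISP2_PORT="9443"         # service instance that should see ISP2 traffic

# Emit the commands instead of running them so the rule set can be
# reviewed first; run with "apply" to execute them.
gen_rules() {
    # Second address on the same card: no extra interface or subnet needed.
    echo "ip addr add ${ISP2_IP}/24 dev ${IFACE}"
    # Log what arrives on :443 before any rewrite; the dst field in the
    # log is the local address, which is exactly what identifies the ISP.
    echo "iptables -t nat -A PREROUTING -i ${IFACE} -p tcp --dport 443 -j LOG --log-prefix \"443-in: \""
    # Per-channel redirect keyed on destination address, not on port.
    echo "iptables -t nat -A PREROUTING -i ${IFACE} -d ${ISP1_IP} -p tcp --dport 443 -j DNAT --to-destination ${ISP1_IP}:${ISP1_PORT}"
    echo "iptables -t nat -A PREROUTING -i ${IFACE} -d ${ISP2_IP} -p tcp --dport 443 -j DNAT --to-destination ${ISP2_IP}:${ISP2_PORT}"
    # Accept only the rewritten ports from the router's side; nothing else.
    echo "iptables -A INPUT -i ${IFACE} -d ${ISP1_IP} -p tcp --dport ${ISP1_PORT} -j ACCEPT"
    echo "iptables -A INPUT -i ${IFACE} -d ${ISP2_IP} -p tcp --dport ${ISP2_PORT} -j ACCEPT"
}

# Check helper: which local port does a given destination address map to?
port_for_dst() {
    gen_rules | grep -- "-d $1 " | sed -n 's/.*--to-destination [0-9.]*:\([0-9]*\).*/\1/p'
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

The services then bind to ${ISP1_IP}:8443 and ${ISP2_IP}:9443 (or to 0.0.0.0 on each port), and the LOG line shows which address, and therefore which ISP, each connection came in on.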

  • What is the server program? Maybe tplink router? - Alex78191