Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


source routing with iptables

Posted on 2011-09-09
Medium Priority
Last Modified: 2012-08-13
I've been looking at documentation on iptables and can't find anything on doing IP source routing.  I assume it would be done thru using the FORWARD chain of iptables.  My linux server is acting like a router.  I want to do something similar to policy based routing.  If the input IP is, then it is routed to tun1.  If the input is, then it is routed thru tun2.  Any other traffic (not from and is routed normally.  (Or instead of pointing/forwarding to the tun interrface, you could forward to the next hop IP address at the other end of the tunnels and get the same result.)
Can someone show me some iptables lines to do the trick.

I've done this on other networks with Cisco IOS Policy Based Routing, I want to do the same thing with my linux server/router.

Thanks in advance.
Question by:mrkent
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
LVL 21

Accepted Solution

Papertrip earned 1600 total points
ID: 36514853
What you should probably use for this is iproute2 as opposed to iptables.  You can use iproute2 to create different routing tables based on all sorts of conditions, including source IP.  You may be able to do this with iptables, but iproute2 is probably the better choice.

I wish I had the time right now to write up some commands for you, but I do not.... hopefully someone else can assist.  I imagine there are plenty of docs out there for what you want to do, it's relatively common and most definitely possible.

Since you have a network background perhaps you can figure it out by researching iproute2 instead of trying it with just iptables.

Author Comment

ID: 36514975
Thank you.  I will look into iproute2.  Is it available in most distibutions? (RHEL, ubuntu, CentOS, debian)  Do I have to get it  -yum or apt-get or ...?

Doing some initial research, I see it is definitely the way, not iptables.

Can anyone show me the sample lines to do the steps I listed above?
LVL 21

Expert Comment

ID: 36514982
Is it available in most distibutions? (RHEL, ubuntu, CentOS, debian)

Most definitely :)  If it's not already installed.... check /sbin/ip (primary command of package) or use your package manager to see if it's already installed.
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf


Author Comment

ID: 36520871
OK, I'm almost there but I need more help.  In my research, all the examples seem to point to specific destinations for the different source IPs.  My case is a little different.  I want to take specific source IPs and redirect them to a different hop (actually thru a specific tunnel interfaces that I created) for ALL destinations.  So I would create a table for each source group that I want to redirect to a different tunnel:
echo 200 TUN1  >>  /etc/iproute2/rt_tables
and do a the rule for each:
ip rule add from table TUN1
ip route default via tun1 table TUN1

Similarly for the second source IP it's
echo 201 TUN2 >> /etc/iproute2/rt_tables
ip ruilte add from table TUN2
ip route default via tun2 table TUN2

I want all traffic from the subnet to route thru tun1 and all traffic from the subnet to route thru tun2.

And in my ifconfig I have the physical eth0, the the two tunnel interfaces tun1 and tun2 that I created.

Am I on the right track here?  Can you go over this and see if it is right?
LVL 21

Expert Comment

ID: 36524747
Looks pretty much correct except for a couple things.

'ip rule' typo in the 201 section
'ip route default' should be 'ip route add default'

I haven't set this up before, but what you have so far is definitely a great starting point at the very least... have you tested it?  Use 'ip route show' to help setup/troubleshoot.

I'm happy to look over any results you get, this is a learning experience for me too.

Author Comment

ID: 36527468
Great.  I'll be trying this in next couple days.

Author Comment

ID: 36533051
I didn't get a chance to try it yet.  Tomorrow for sure.
In the event that I don't create the tunnel interfaces, and instead of creating a route to the tunnel interface, I want to send that route to a next hop address, then what change to I make to this line?....
"ip route add default via tun1 table TUN1"

Do I change "via tun1" to "via"  if is the next hop address for my desired traffic?
LVL 21

Expert Comment

ID: 36900846
Hi Mrkent,

Is this still an issue?

Author Comment

ID: 36901507
Hi Papertrip-
Yes, it hasn't been resolved yet.  A couple other things came up that precedes this.  One of them is the RHEL package upgrade issue that you have so kindly helped me with.

I did have a lingering question on this one, and since I didn't try it yet I hadn't found the answer myself...
Instead of pointing to the tunnel interface with this command,
"ip route add default via tun1 table TUN1"
would it still work if I could point it to a next hop address instead as in this
"ip route add default via table TUN1"
 (where is a next hop address)?

Author Comment

ID: 37507367
It works!  Oddly enough I answered my own question.  As it turns out with this server (CentOS 5.x) it did NOT accept "tun1" in the "ip route add default..." line.  It was expecting an IP address.  So I put in the IP address of the other end of this tunnel IP (virtual IP) and I was able to source route thru the tunnel.  That's because the tunnel IP served as a good next hop.
I imagine it wouldn't work as well if I used the public IP at the other end and inserted that in the "ip route add default..." line.

Author Closing Comment

ID: 37813935
Thank you.

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question