• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 285

source routing with iptables

I've been looking at documentation on iptables and can't find anything on doing IP source routing.  I assume it would be done thru using the FORWARD chain of iptables.  My linux server is acting like a router.  I want to do something similar to policy based routing.  If the input IP is 1.2.3.4, then it is routed to tun1.  If the input is 2.3.4.5, then it is routed thru tun2.  Any other traffic (not from 1.2.3.4 and 2.3.4.5) is routed normally.  (Or instead of pointing/forwarding to the tun interface, you could forward to the next hop IP address at the other end of the tunnels and get the same result.)
Can someone show me some iptables lines to do the trick?

I've done this on other networks with Cisco IOS Policy Based Routing, I want to do the same thing with my linux server/router.

Thanks in advance.
Asked: mrkent
1 Solution
 
PapertripCommented:
What you should probably use for this is iproute2 as opposed to iptables.  You can use iproute2 to create different routing tables based on all sorts of conditions, including source IP.  You may be able to do this with iptables, but iproute2 is probably the better choice.

I wish I had the time right now to write up some commands for you, but I do not.... hopefully someone else can assist.  I imagine there are plenty of docs out there for what you want to do, it's relatively common and most definitely possible.

Since you have a network background perhaps you can figure it out by researching iproute2 instead of trying it with just iptables.
mrkentAuthor Commented:
Thank you.  I will look into iproute2.  Is it available in most distributions? (RHEL, ubuntu, CentOS, debian)  Do I have to get it - yum or apt-get or ...?

Doing some initial research, I see it is definitely the way, not iptables.

Can anyone show me the sample lines to do the steps I listed above?
PapertripCommented:
Is it available in most distributions? (RHEL, ubuntu, CentOS, debian)

Most definitely :)  If it's not already installed.... check /sbin/ip (primary command of package) or use your package manager to see if it's already installed.
mrkentAuthor Commented:
OK, I'm almost there but I need more help.  In my research, all the examples seem to point to specific destinations for the different source IPs.  My case is a little different.  I want to take specific source IPs and redirect them to a different hop (actually thru a specific tunnel interfaces that I created) for ALL destinations.  So I would create a table for each source group that I want to redirect to a different tunnel:
echo 200 TUN1  >>  /etc/iproute2/rt_tables
and do a the rule for each:
ip rule add from 1.2.3.0/24 table TUN1
ip route default via tun1 table TUN1

Similarly for the second source IP it's
echo 201 TUN2 >> /etc/iproute2/rt_tables
ip ruilte add from 2.3.4.0/24 table TUN2
ip route default via tun2 table TUN2

I want all traffic from the 1.2.3.0/24 subnet to route thru tun1 and all traffic from the 2.3.4.0/24 subnet to route thru tun2.

And in my ifconfig I have the physical eth0, the two tunnel interfaces tun1 and tun2 that I created.

Am I on the right track here?  Can you go over this and see if it is right?
PapertripCommented:
Looks pretty much correct except for a couple things.

'ip rule' typo in the 201 section
'ip route default' should be 'ip route add default'

I haven't set this up before, but what you have so far is definitely a great starting point at the very least... have you tested it?  Use 'ip route show' to help setup/troubleshoot.

I'm happy to look over any results you get, this is a learning experience for me too.
mrkentAuthor Commented:
Great.  I'll be trying this in next couple days.
mrkentAuthor Commented:
I didn't get a chance to try it yet.  Tomorrow for sure.
 
In the event that I don't create the tunnel interfaces, and instead of creating a route to the tunnel interface, I want to send that route to a next hop address, then what change do I make to this line?....
"ip route add default via tun1 table TUN1"

Do I change "via tun1" to "via 6.7.8.9"  if  6.7.8.9 is the next hop address for my desired traffic?
PapertripCommented:
Hi Mrkent,

Is this still an issue?
mrkentAuthor Commented:
Hi Papertrip-
Yes, it hasn't been resolved yet.  A couple other things came up that precede this.  One of them is the RHEL package upgrade issue that you have so kindly helped me with.

I did have a lingering question on this one, and since I didn't try it yet I hadn't found the answer myself...
Instead of pointing to the tunnel interface with this command,
"ip route add default via tun1 table TUN1"
would it still work if I could point it to a next hop address instead as in this
"ip route add default via 6.7.8.9 table TUN1"
 (where 6.7.8.9 is a next hop address)?
mrkentAuthor Commented:
It works!  Oddly enough I answered my own question.  As it turns out with this server (CentOS 5.x) it did NOT accept "tun1" in the "ip route add default..." line.  It was expecting an IP address.  So I put in the IP address of the other end of this tunnel IP (virtual IP) and I was able to source route thru the tunnel.  That's because the tunnel IP served as a good next hop.
I imagine it wouldn't work as well if I used the public IP at the other end and inserted that in the "ip route add default..." line.
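The complete setup the thread converged on (one routing table per source subnet, default route to the far end of each tunnel, a rule selecting the table by source), as an added example that is not code from the thread. It keeps the thread's source subnets and table names; the next-hop addresses 10.0.1.2 and 10.0.2.2 are constructed placeholders for the tunnel peers, and the script only prints the commands unless invoked with "apply" as root.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing with iproute2.
# Next hops 10.0.1.2 / 10.0.2.2 are constructed placeholders (the far end of each
# tunnel); the thread found CentOS 5 wants an IP after "via", not "tun1".

RT_TABLES=/etc/iproute2/rt_tables

# pbr_commands <src_cidr> <next_hop_ip> <table_id> <table_name>
# Prints one shell command per line and executes nothing.  Tables are referenced
# by number so the commands work even before rt_tables has the name.
pbr_commands() {
    src=$1; hop=$2; id=$3; name=$4
    printf '%s\n' \
        "grep -qw '$name' $RT_TABLES || echo '$id $name' >> $RT_TABLES" \
        "ip route replace default via $hop table $id" \
        "ip rule add from $src lookup $id priority $((10000 + $id))" \
        "ip route flush cache"
}

# pbr_apply: same arguments; runs the commands (needs root).  Note that
# "ip rule add" is not idempotent: remove old rules with "ip rule del" first.
pbr_apply() {
    pbr_commands "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# pbr_verify <src_ip> <dst_ip> <ingress_dev>: ask the kernel which rule/table a
# packet with this source would use.  This is the check to run before trusting
# the setup; 192.0.2.1 below is a documentation-range destination.  If the
# tunnel paths are asymmetric, strict rp_filter (=1) can drop return traffic,
# so inspect it alongside the routing decision.
pbr_verify() {
    ip rule show
    ip route get "$2" from "$1" iif "$3"
    sysctl net.ipv4.conf.all.rp_filter
}

if [ "${1:-}" = apply ]; then
    pbr_apply 1.2.3.0/24 10.0.1.2 200 TUN1
    pbr_apply 2.3.4.0/24 10.0.2.2 201 TUN2
    pbr_verify 1.2.3.10 192.0.2.1 eth0
else
    # Default: dry run, print what would be executed.
    pbr_commands 1.2.3.0/24 10.0.1.2 200 TUN1
    pbr_commands 2.3.4.0/24 10.0.2.2 201 TUN2
fi
```

Traffic from any other source falls through to the main table, which is the "routed normally" case from the question.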
mrkentAuthor Commented:
Thank you.