source routing with iptables

Posted on 2011-09-09
Last Modified: 2012-08-13
I've been looking at documentation on iptables and can't find anything on doing IP source routing.  I assume it would be done thru using the FORWARD chain of iptables.  My linux server is acting like a router.  I want to do something similar to policy based routing.  If the input IP is, then it is routed to tun1.  If the input is, then it is routed thru tun2.  Any other traffic (not from and is routed normally.  (Or instead of pointing/forwarding to the tun interface, you could forward to the next hop IP address at the other end of the tunnels and get the same result.)
Can someone show me some iptables lines to do the trick.

I've done this on other networks with Cisco IOS Policy Based Routing, I want to do the same thing with my linux server/router.

Thanks in advance.
Question by:mrkent

Accepted Solution

Papertrip earned 400 total points
ID: 36514853
What you should probably use for this is iproute2 as opposed to iptables.  You can use iproute2 to create different routing tables based on all sorts of conditions, including source IP.  You may be able to do this with iptables, but iproute2 is probably the better choice.

I wish I had the time right now to write up some commands for you, but I do not.... hopefully someone else can assist.  I imagine there are plenty of docs out there for what you want to do, it's relatively common and most definitely possible.

Since you have a network background perhaps you can figure it out by researching iproute2 instead of trying it with just iptables.

Author Comment

ID: 36514975
Thank you.  I will look into iproute2.  Is it available in most distributions? (RHEL, ubuntu, CentOS, debian)  Do I have to get it - yum or apt-get or ...?

Doing some initial research, I see it is definitely the way, not iptables.

Can anyone show me the sample lines to do the steps I listed above?

Expert Comment

ID: 36514982
Is it available in most distributions? (RHEL, ubuntu, CentOS, debian)

Most definitely :)  If it's not already installed.... check /sbin/ip (primary command of package) or use your package manager to see if it's already installed.

Author Comment

ID: 36520871
OK, I'm almost there but I need more help.  In my research, all the examples seem to point to specific destinations for the different source IPs.  My case is a little different.  I want to take specific source IPs and redirect them to a different hop (actually thru a specific tunnel interfaces that I created) for ALL destinations.  So I would create a table for each source group that I want to redirect to a different tunnel:
echo 200 TUN1  >>  /etc/iproute2/rt_tables
and do the rule for each:
ip rule add from table TUN1
ip route default via tun1 table TUN1

Similarly for the second source IP it's
echo 201 TUN2 >> /etc/iproute2/rt_tables
ip ruilte add from table TUN2
ip route default via tun2 table TUN2

I want all traffic from the subnet to route thru tun1 and all traffic from the subnet to route thru tun2.

And in my ifconfig I have the physical eth0, the two tunnel interfaces tun1 and tun2 that I created.

Am I on the right track here?  Can you go over this and see if it is right?

Expert Comment

ID: 36524747
Looks pretty much correct except for a couple things.

'ip rule' typo in the 201 section
'ip route default' should be 'ip route add default'

I haven't set this up before, but what you have so far is definitely a great starting point at the very least... have you tested it?  Use 'ip route show' to help set up/troubleshoot.

I'm happy to look over any results you get, this is a learning experience for me too.

Author Comment

ID: 36527468
Great.  I'll be trying this in next couple days.

Author Comment

ID: 36533051
I didn't get a chance to try it yet.  Tomorrow for sure.
In the event that I don't create the tunnel interfaces, and instead of creating a route to the tunnel interface, I want to send that route to a next hop address, then what change do I make to this line?....
"ip route add default via tun1 table TUN1"

Do I change "via tun1" to "via"  if is the next hop address for my desired traffic?

Expert Comment

ID: 36900846
Hi Mrkent,

Is this still an issue?

Author Comment

ID: 36901507
Hi Papertrip-
Yes, it hasn't been resolved yet.  A couple other things came up that precede this.  One of them is the RHEL package upgrade issue that you have so kindly helped me with.

I did have a lingering question on this one, and since I didn't try it yet I hadn't found the answer myself...
Instead of pointing to the tunnel interface with this command,
"ip route add default via tun1 table TUN1"
would it still work if I could point it to a next hop address instead as in this
"ip route add default via table TUN1"
 (where is a next hop address)?

Author Comment

ID: 37507367
It works!  Oddly enough I answered my own question.  As it turns out with this server (CentOS 5.x) it did NOT accept "tun1" in the "ip route add default..." line.  It was expecting an IP address.  So I put in the IP address of the other end of this tunnel IP (virtual IP) and I was able to source route thru the tunnel.  That's because the tunnel IP served as a good next hop.
I imagine it wouldn't work as well if I used the public IP at the other end and inserted that in the "ip route add default..." line.

Author Closing Comment

ID: 37813935
Thank you.
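The following is an added example, not code posted by anyone in this thread. It puts the iproute2 steps discussed above (a named table in /etc/iproute2/rt_tables, an 'ip rule add from ... table ...' selector, and an 'ip route add default ... table ...' entry) into one script, with the correction the expert gave ('ip route add default') applied. It also handles the point raised in the closing comments: in ip(8), 'via' expects a gateway address, while an interface is selected with 'dev', so 'via tun1' is rejected and either 'via <tunnel peer address>' or 'dev tun1' is the working form. The subnets 10.1.0.0/24 and 10.2.0.0/24, the peer address 172.16.1.2, the test destination 192.0.2.1 and the interface names are constructed placeholders, since the real addresses do not appear in the thread. Without APPLY=1 the script only prints the commands, so it can be reviewed before being run as root on the router.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing with
# iproute2, one routing table per source subnet. All addresses, subnets,
# table numbers and interface names are constructed placeholders.

# Choose the next-hop syntax. 'via' takes a gateway IP address and 'dev'
# takes an interface name; passing an interface name to 'via' is the
# error the thread ran into on CentOS. IPv4 dotted-quad check only.
route_target() {
    case "$1" in
        *[!0-9.]*) printf 'dev %s' "$1" ;;   # contains letters: an interface
        *)         printf 'via %s' "$1" ;;   # dotted-quad: a gateway address
    esac
}

# Emit the three commands that send one source subnet through one table.
# $1 table number  $2 table name  $3 source subnet  $4 gateway IP or interface
pbr_commands() {
    # Register the table name only if that number is not already listed.
    printf 'grep -q "^%s[[:space:]]" /etc/iproute2/rt_tables || echo "%s %s" >> /etc/iproute2/rt_tables\n' "$1" "$1" "$2"
    # Selector: packets with this source address consult the named table.
    printf 'ip rule add from %s table %s\n' "$3" "$2"
    # The table holds a single default route toward the tunnel.
    printf 'ip route add default %s table %s\n' "$(route_target "$4")" "$2"
}

# Emit commands that show the result and ask the kernel which route a
# packet from the subnet would take, without sending any traffic.
# $1 table name  $2 test destination  $3 source address  $4 ingress interface
pbr_verify() {
    printf 'ip rule show\n'
    printf 'ip route show table %s\n' "$1"
    printf 'ip route get %s from %s iif %s\n' "$2" "$3" "$4"
}

main() {
    # Forwarding must be on for the box to act as a router at all.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Policy routing makes paths asymmetric; strict reverse-path filtering
    # would then drop replies arriving on the tunnel, so use loose mode.
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=2\n'
    pbr_commands 200 TUN1 10.1.0.0/24 172.16.1.2   # next hop: tunnel peer IP
    pbr_commands 201 TUN2 10.2.0.0/24 tun2         # next hop: the interface
    pbr_verify TUN1 192.0.2.1 10.1.0.5 eth0
}

case "${APPLY:-0}" in
    1) main | sh ;;   # apply on the router (root, iproute2 installed)
    *) main ;;        # dry run: print the commands for review
esac
```

Run it once without APPLY to read the generated commands, then with APPLY=1 as root. 'ip route get ... from ... iif ...' is the quickest check that the rule actually matches: its output names the table's next hop for a packet sourced from the subnet, and plain 'ip route get <dst>' shows the unchanged main-table path for everyone else.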
