source routing with iptables

Posted on 2011-09-09
Last Modified: 2012-08-13
I've been looking at documentation on iptables and can't find anything on doing IP source routing.  I assume it would be done thru using the FORWARD chain of iptables.  My linux server is acting like a router.  I want to do something similar to policy based routing.  If the input IP is, then it is routed to tun1.  If the input is, then it is routed thru tun2.  Any other traffic (not from and is routed normally.  (Or instead of pointing/forwarding to the tun interface, you could forward to the next hop IP address at the other end of the tunnels and get the same result.)
Can someone show me some iptables lines to do the trick.

I've done this on other networks with Cisco IOS Policy Based Routing, I want to do the same thing with my linux server/router.

Thanks in advance.
Question by:mrkent
LVL 21

Accepted Solution

Papertrip earned 400 total points
ID: 36514853
What you should probably use for this is iproute2 as opposed to iptables.  You can use iproute2 to create different routing tables based on all sorts of conditions, including source IP.  You may be able to do this with iptables, but iproute2 is probably the better choice.

I wish I had the time right now to write up some commands for you, but I do not.... hopefully someone else can assist.  I imagine there are plenty of docs out there for what you want to do, it's relatively common and most definitely possible.

Since you have a network background perhaps you can figure it out by researching iproute2 instead of trying it with just iptables.

Author Comment

ID: 36514975
Thank you.  I will look into iproute2.  Is it available in most distributions? (RHEL, ubuntu, CentOS, debian)  Do I have to get it - yum or apt-get or ...?

Doing some initial research, I see it is definitely the way, not iptables.

Can anyone show me the sample lines to do the steps I listed above?
LVL 21

Expert Comment

ID: 36514982
Is it available in most distributions? (RHEL, ubuntu, CentOS, debian)

Most definitely :)  If it's not already installed.... check /sbin/ip (primary command of package) or use your package manager to see if it's already installed.

Author Comment

ID: 36520871
OK, I'm almost there but I need more help.  In my research, all the examples seem to point to specific destinations for the different source IPs.  My case is a little different.  I want to take specific source IPs and redirect them to a different hop (actually thru a specific tunnel interfaces that I created) for ALL destinations.  So I would create a table for each source group that I want to redirect to a different tunnel:
echo 200 TUN1  >>  /etc/iproute2/rt_tables
and do the rule for each:
ip rule add from table TUN1
ip route default via tun1 table TUN1

Similarly for the second source IP it's
echo 201 TUN2 >> /etc/iproute2/rt_tables
ip ruilte add from table TUN2
ip route default via tun2 table TUN2

I want all traffic from the subnet to route thru tun1 and all traffic from the subnet to route thru tun2.

And in my ifconfig I have the physical eth0, the two tunnel interfaces tun1 and tun2 that I created.

Am I on the right track here?  Can you go over this and see if it is right?
LVL 21

Expert Comment

ID: 36524747
Looks pretty much correct except for a couple things.

'ip rule' typo in the 201 section
'ip route default' should be 'ip route add default'

I haven't set this up before, but what you have so far is definitely a great starting point at the very least... have you tested it?  Use 'ip route show' to help setup/troubleshoot.

I'm happy to look over any results you get, this is a learning experience for me too.

Author Comment

ID: 36527468
Great.  I'll be trying this in next couple days.

Author Comment

ID: 36533051
I didn't get a chance to try it yet.  Tomorrow for sure.
In the event that I don't create the tunnel interfaces, and instead of creating a route to the tunnel interface, I want to send that route to a next hop address, then what change do I make to this line?....
"ip route add default via tun1 table TUN1"

Do I change "via tun1" to "via"  if is the next hop address for my desired traffic?
LVL 21

Expert Comment

ID: 36900846
Hi Mrkent,

Is this still an issue?

Author Comment

ID: 36901507
Hi Papertrip-
Yes, it hasn't been resolved yet.  A couple other things came up that precede this.  One of them is the RHEL package upgrade issue that you have so kindly helped me with.

I did have a lingering question on this one, and since I didn't try it yet I hadn't found the answer myself...
Instead of pointing to the tunnel interface with this command,
"ip route add default via tun1 table TUN1"
would it still work if I could point it to a next hop address instead as in this
"ip route add default via table TUN1"
 (where is a next hop address)?

Author Comment

ID: 37507367
It works!  Oddly enough I answered my own question.  As it turns out with this server (CentOS 5.x) it did NOT accept "tun1" in the "ip route add default..." line.  It was expecting an IP address.  So I put in the IP address of the other end of this tunnel IP (virtual IP) and I was able to source route thru the tunnel.  That's because the tunnel IP served as a good next hop.
I imagine it wouldn't work as well if I used the public IP at the other end and inserted that in the "ip route add default..." line.
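
An added example, not from the thread, that scripts the procedure worked out above: one table per source subnet registered in /etc/iproute2/rt_tables, one 'ip rule add from ... table' per subnet, and a default route in that table 'via' the far-end tunnel IP (the form that worked for the poster). The subnets 10.1.0.0/24 and 10.2.0.0/24, the peer addresses 172.16.1.2 and 172.16.2.2, and the check against 192.0.2.1 are constructed placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Source-based policy routing with iproute2 (constructed example).
# Placeholders: 10.1.0.0/24 -> peer 172.16.1.2 (far end of tun1),
#               10.2.0.0/24 -> peer 172.16.2.2 (far end of tun2).
# Override RT_TABLES to test against a scratch file; DRY_RUN=1 prints only.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register a table ID/name only once: rt_tables silently accepts duplicate
# lines, and a plain 'echo >>' on every run leaves a confusing file behind.
add_table() {   # add_table <id> <name>
    if grep -qE "^[[:space:]]*$1[[:space:]]+$2\$" "$RT_TABLES" 2>/dev/null; then
        return 0
    fi
    if [ "$DRY_RUN" = "1" ]; then
        printf 'echo "%s %s" >> %s\n' "$1" "$2" "$RT_TABLES"
    else
        printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
    fi
}

# One policy rule plus one default route per source subnet. The route goes
# 'via' the tunnel's far-end IP, not the interface name.
route_source() {   # route_source <src-cidr> <table-name> <next-hop>
    run ip rule add from "$1" table "$2"
    run ip route add default via "$3" table "$2"
}

main() {
    add_table 200 TUN1
    add_table 201 TUN2
    route_source 10.1.0.0/24 TUN1 172.16.1.2
    route_source 10.2.0.0/24 TUN2 172.16.2.2
    # Verify: show the rules and tables, then ask the kernel which path a
    # packet from each subnet arriving on eth0 would take.
    run ip rule show
    run ip route show table TUN1
    run ip route show table TUN2
    run ip route get 192.0.2.1 from 10.1.0.10 iif eth0
    run ip route get 192.0.2.1 from 10.2.0.10 iif eth0
}

# Only apply when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run as root with `sh pbr.sh apply`; run `DRY_RUN=1 sh pbr.sh apply` first to review the exact commands before they touch the routing tables.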

Author Closing Comment

ID: 37813935
Thank you.
