source routing with iptables

Posted on 2011-09-09
Last Modified: 2012-08-13
I've been looking at documentation on iptables and can't find anything on doing IP source routing.  I assume it would be done thru using the FORWARD chain of iptables.  My linux server is acting like a router.  I want to do something similar to policy based routing.  If the input IP is, then it is routed to tun1.  If the input is, then it is routed thru tun2.  Any other traffic (not from and is routed normally.  (Or instead of pointing/forwarding to the tun interrface, you could forward to the next hop IP address at the other end of the tunnels and get the same result.)
Can someone show me some iptables lines to do the trick.

I've done this on other networks with Cisco IOS Policy Based Routing, I want to do the same thing with my linux server/router.

Thanks in advance.
Question by:mrkent
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
LVL 21

Accepted Solution

Papertrip earned 400 total points
ID: 36514853
What you should probably use for this is iproute2 as opposed to iptables.  You can use iproute2 to create different routing tables based on all sorts of conditions, including source IP.  You may be able to do this with iptables, but iproute2 is probably the better choice.

I wish I had the time right now to write up some commands for you, but I do not.... hopefully someone else can assist.  I imagine there are plenty of docs out there for what you want to do, it's relatively common and most definitely possible.

Since you have a network background perhaps you can figure it out by researching iproute2 instead of trying it with just iptables.

Author Comment

ID: 36514975
Thank you.  I will look into iproute2.  Is it available in most distibutions? (RHEL, ubuntu, CentOS, debian)  Do I have to get it  -yum or apt-get or ...?

Doing some initial research, I see it is definitely the way, not iptables.

Can anyone show me the sample lines to do the steps I listed above?
LVL 21

Expert Comment

ID: 36514982
Is it available in most distibutions? (RHEL, ubuntu, CentOS, debian)

Most definitely :)  If it's not already installed.... check /sbin/ip (primary command of package) or use your package manager to see if it's already installed.
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.


Author Comment

ID: 36520871
OK, I'm almost there but I need more help.  In my research, all the examples seem to point to specific destinations for the different source IPs.  My case is a little different.  I want to take specific source IPs and redirect them to a different hop (actually thru a specific tunnel interfaces that I created) for ALL destinations.  So I would create a table for each source group that I want to redirect to a different tunnel:
echo 200 TUN1  >>  /etc/iproute2/rt_tables
and do a the rule for each:
ip rule add from table TUN1
ip route default via tun1 table TUN1

Similarly for the second source IP it's
echo 201 TUN2 >> /etc/iproute2/rt_tables
ip ruilte add from table TUN2
ip route default via tun2 table TUN2

I want all traffic from the subnet to route thru tun1 and all traffic from the subnet to route thru tun2.

And in my ifconfig I have the physical eth0, the the two tunnel interfaces tun1 and tun2 that I created.

Am I on the right track here?  Can you go over this and see if it is right?
LVL 21

Expert Comment

ID: 36524747
Looks pretty much correct except for a couple things.

'ip rule' typo in the 201 section
'ip route default' should be 'ip route add default'

I haven't set this up before, but what you have so far is definitely a great starting point at the very least... have you tested it?  Use 'ip route show' to help setup/troubleshoot.

I'm happy to look over any results you get, this is a learning experience for me too.

Author Comment

ID: 36527468
Great.  I'll be trying this in next couple days.

Author Comment

ID: 36533051
I didn't get a chance to try it yet.  Tomorrow for sure.
In the event that I don't create the tunnel interfaces, and instead of creating a route to the tunnel interface, I want to send that route to a next hop address, then what change to I make to this line?....
"ip route add default via tun1 table TUN1"

Do I change "via tun1" to "via"  if is the next hop address for my desired traffic?
LVL 21

Expert Comment

ID: 36900846
Hi Mrkent,

Is this still an issue?

Author Comment

ID: 36901507
Hi Papertrip-
Yes, it hasn't been resolved yet.  A couple other things came up that precedes this.  One of them is the RHEL package upgrade issue that you have so kindly helped me with.

I did have a lingering question on this one, and since I didn't try it yet I hadn't found the answer myself...
Instead of pointing to the tunnel interface with this command,
"ip route add default via tun1 table TUN1"
would it still work if I could point it to a next hop address instead as in this
"ip route add default via table TUN1"
 (where is a next hop address)?

Author Comment

ID: 37507367
It works!  Oddly enough I answered my own question.  As it turns out with this server (CentOS 5.x) it did NOT accept "tun1" in the "ip route add default..." line.  It was expecting an IP address.  So I put in the IP address of the other end of this tunnel IP (virtual IP) and I was able to source route thru the tunnel.  That's because the tunnel IP served as a good next hop.
I imagine it wouldn't work as well if I used the public IP at the other end and inserted that in the "ip route add default..." line.

Author Closing Comment

ID: 37813935
Thank you.

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question