Sometimes, you may want some services (i.e. web) to be routed through a different interface. Here is a quick setup with some common problems.
Assumptions:
- 10.4.0.1 – your additional gateway, through which you only want to route web traffic (TCP port 80),
- 10.4.0.2 – server which needs source port routing altered,
- tun0 – device on 10.4.0.2 which will be used for source port routing.
Now, we’re ready to start configuration:
- first, add a new routing table to /etc/iproute2/rt_tables – we’ll call it “http” and it will be table “1” – with it, your /etc/iproute2/rt_tables file should look much like below:
- assuming the peer through which you want to push http traffic is behind tun0 interface and has 10.4.0.1 address, we have to manipulate routing with the two rules below:
Basically, they mean that “http” table traffic need to go through tun0, 10.4.0.1, and packets marked with “1” value should get there.
- we also need to mark the packets – we’ll use iptables for that:
This means that in the mangle table, locally-generated packets with 10.4.0.2 source which would by default go through eth0, will be marked with “1” value.
Still doesn’t work? Check these things below:
- rp_filter has to be set to 0 for given interfaces – 0 is the default value set by the Linux kernel, but some distributions (i.e. Ubuntu, Mandriva) alter it and set it to 1; just adding that to /etc/sysctl.conf should do the trick to make sure this value is set to 0 after reboot:
If you’re not rebooting any time soon, see what these value currently are with:
- there has to be direct, not routed traffic between the hosts – for example, if you have more than one hop, source port routing will not work:
It has to look like below:
- not sure what you have to change on your new gateway (10.4.0.1 in this example)? The below should be enough:
- note that web traffic should also come from 10.4.0.1
