
My question is very similar to Output traffic on different interfaces based on destination port. However, that question was asked in 2011. Now we have newer kernels that can have ip rules with tcp or udp selectors ("policy routing now has a leg in layer 4"): source - see comment on this answer.

I am new to routing, so I only know as much as I have read in the answers on unix.stackexchange.com. I got most of my solution ideas from Routing port traffic over specific interface.

I have two interfaces eth1 (10.0.0.182) and eth0 (192.168.1.2). My default route is for eth0. I want all http and https traffic to route through eth1 instead of the default route. Everything else can remain unchanged.

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
0.0.0.0         10.0.0.1        0.0.0.0         UG    203    0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     203    0        0 eth1
192.168.1.2     0.0.0.0         255.255.255.0   U     202    0        0 eth0

The device at 10.0.0.1 is a Comcast modem that acts as a DHCP server, firewall, etc. The public IP address is a Comcast IP.

Here are the steps I think I need to do to get this to work using the newer ip rules features.

# add a new (secondary) table:
echo "200 comcast-route" >> /etc/iproute2/rt_tables

Populate the secondary routing table:

ip route add default via 10.0.0.1 dev eth1 table comcast-route

Relax Strict Reverse Path Forwarding to Loose RPF:

sysctl -w net.ipv4.conf.eth1.rp_filter=2 #NOTE: my system already has this value, so no change is needed

net.ipv4.conf.eth1.rp_filter = 2

Specify alternate routes when using specific destination ports.

iif lo below means "from local":

ip rule add iif lo ipproto tcp dport 80 lookup 80
ip rule add iif lo ipproto tcp dport 443 lookup 80

Does all that look correct? If it does not work, how do I revert those changes?

Finally, when all is working as expected, how do I make it persistent? I see an answer here, but I assume the suggestion of using /etc/rc.d/rc.local is outdated. Is there a better way to persist these rules?

MountainX
    lookup 80 should be changed to lookup 200 (or lookup comcast-route even if I don't understand why everybody absolutely wants to not use a number). – A.B Sep 13 '20 at 01:34
  • @A.B Thank you. I'll refrain from using a number and use lookup comcast-route as you suggest. – MountainX Sep 13 '20 at 19:45
  • I suggested the opposite heh: just using numbers. Anyway it doesn't matter as long as it's the correct value. – A.B Sep 13 '20 at 19:51
  • @A.B Thanks for clarifying. Sorry I misunderstood. I'll use numbers if that's considered best practice. Either way, thanks for pointing out the error. – MountainX Sep 13 '20 at 20:11
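The procedure from the question, written up as an added example (editor's code, not from the original post or its comments): an idempotent script with apply, revert and show modes, using the table name from rt_tables as the lookup target, as the comments conclude. Interface, gateway and table names are the question's; DRY_RUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: apply, verify and revert the
# port-based policy routing described in the question.
set -eu

TABLE=comcast-route     # name registered in /etc/iproute2/rt_tables
TABLE_ID=200
WAN_DEV=eth1
WAN_GW=10.0.0.1
PORTS="80 443"          # http and https

# Every state-changing command goes through run(); DRY_RUN=1 prints instead.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

pbr_apply() {
    # Register the table name once, so re-running does not duplicate the line.
    grep -qw "$TABLE" /etc/iproute2/rt_tables 2>/dev/null \
        || run sh -c "echo '$TABLE_ID $TABLE' >> /etc/iproute2/rt_tables"
    # 'replace' instead of 'add' keeps the step idempotent.
    run ip route replace default via "$WAN_GW" dev "$WAN_DEV" table "$TABLE"
    run sysctl -q -w "net.ipv4.conf.$WAN_DEV.rp_filter=2"
    for p in $PORTS; do
        # 'iif lo' selects locally generated packets; the lookup target is the
        # routing table, not the port (the 'lookup 80' in the question is wrong).
        run ip rule add iif lo ipproto tcp dport "$p" lookup "$TABLE"
    done
}

pbr_revert() {
    # Undo in reverse order; the default table and rp_filter were not changed.
    for p in $PORTS; do
        run ip rule del iif lo ipproto tcp dport "$p" lookup "$TABLE"
    done
    run ip route flush table "$TABLE"
}

# Show what the kernel actually holds, so a wrong rule is visible immediately.
pbr_show() {
    ip rule show
    ip route show table "$TABLE"
}

case "${1:-}" in
    apply)  pbr_apply ;;
    revert) pbr_revert ;;
    show)   pbr_show ;;
esac
```

Running the script with no argument defines the functions only; `apply` and `revert` need root. For persistence, the `apply` mode can be called from a systemd oneshot unit or the distribution's network-up hook instead of rc.local.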
