Apart from the default route, you can also configure additional routes.
For example, your server you might have 2 interfaces (eth0 and eth1). By default, all the traffic is routed through interface eth0 irrespective of what IP address you have configured on eth1.
To route the incoming and outgoing traffic through eth1, other than the default route (eth0), you also need to add additional routes for eth1 .
In this tutorial, let us use the following example:
- eth0 has been configured with IP address 220.127.116.11 with netmask 255.255.255.0 and default gateway of 18.104.22.168
- eth1 has been configured with IP address 22.214.171.124 with netmask 255.255.255.0 and it’s gateway IP address is 126.96.36.199
You can view your current ip-address of your interface cards using ifconfig command as shown below.
# ifconfig -a eth0 Link encap:Ethernet HWaddr 00:50:56:8E:0B:EC inet addr:188.8.131.52 Bcast:184.108.40.206 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:3735 errors:0 dropped:0 overruns:0 frame:0 TX packets:336 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:295679 (288.7 Kb) TX bytes:50312 (49.1 Kb) eth1 Link encap:Ethernet HWaddr 00:50:56:8E:27:0D inet addr:220.127.116.11 Bcast:18.104.22.168 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:14 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:840 (840.0 b) TX bytes:0 (0.0 b)
Also, the netstat command output indicates that the default gateway is pointing to eth0,
# netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 22.214.171.124 0.0.0.0 UG 0 0 0 eth0 126.96.36.199 0.0.0.0 255.255.255.0 U 0 0 0 eth1 188.8.131.52 0.0.0.0 255.255.255.0 U 0 0 0 eth0 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
With the above settings, you may be able to ping both the gateways and communicate with other devices without any issues. But, remember that all the traffic is routed through eth0 by default.
When you ping the IP address 184.108.40.206 from outside your network you may notice that it will not be pingable.
In order to implement this, you need a create a new policy in the routing table. The routing table is located at /etc/iproute2/rt_tables. The initial rule file before configuration may look like the one shown below.
# cat /etc/iproute2/rt_tables # # reserved values # 255 local 254 main 253 default 0 unspec # # local # #1 inr.ruhep #
To view all the current rules, use the ip command as shown below:
# ip rule show 0: from all lookup local 32766: from all lookup main 32767: from all lookup default
First, take a backup of the rt_Tables before making any changes.
cd /etc/iproute2 cp rt_tables rt_tables.orig
Next, create a new policy routing table entry in /etc/iproute2/rt_tables file:
echo "1 admin" >> /etc/iproute2/rt_tables
Now add the routing entries in the admin table.
ip route add 220.127.116.11/24 dev eth1 src 18.104.22.168 table admin ip route add default via 22.214.171.124 dev eth1 table admin
In the above example:
- In the first ip command, we are adding subnet 126.96.36.199 with a netmask 255.255.255.0 with the source IP address 188.8.131.52 & device eth1 to the admin table.
- In the second ip command, we are adding the route 184.108.40.206 to the admin table. This way all the rules defined in admin table routes traffic through device eth1.
Once the above commands are executed successfully, you need to instruct the OS how to use this table.
In the “ip rule show” you may noticed the line “32766: from all lookup main”. This is the line that instructs the OS to route all the traffic defined in “main” table which is the default gateway.
All the rules are executed in the ascending order. So, we will add rule entries above the “main” table.
ip rule add from 220.127.116.11/24 table admin ip rule add to 18.104.22.168/24 table admin ip route flush cache
In the above example:
- The first command adds the rule that all the traffic going to eth1’s IP needs to use the “admin” routing table instead of “main” one.
- The second command adds the rule that all the outgoing traffic from eth1’s IP needs to use the “admin” routing table instead of “main” one.
- The third command is used to commit all these changes in the previous commands
Finally, verify that your changes are made appropriately using the following command:
# ip rule show 0: from all lookup local 32764: from all to 22.214.171.124/24 lookup admin 32765: from 126.96.36.199/24 lookup admin 32766: from all lookup main 32767: from all lookup default
At this point, you should be able to ping the IP address 188.8.131.52 from the outside network and view all the traffic that is supposed to be using eth1 is working as expected.
To make these changes persistent across reboot, you can add these commands to /etc/init.d/boot.local (for SUSE Linux), or /etc/rc.d/rc.local (for Redhat, CentOS).
If you want to configure one more IP address on a different subnet, repeat all of the above steps, but use a different table name. Instead of “admin” table, use “admin-new” table.
Comments on this entry are closed.
Thanks a lot for very nice and useful article
you had taken eth0 and eth1 interface example, How its going to work with wlan0 interface? can we apply same concept here???
Can you show the rt_tables in it’s final state? I am getting “Database /etc/iproute2/rt_tables is corrupted at ip route add” after modifying the file when I run “ip rule show”.
I am not sure it this will work for what I am trying to do. I have a virtual interface (virbr0) which I am trying to expose.
Love your tips!
Thanks for the article. Is it possible to accept the traffic to specified network interface from particular source IP/network?
Hi. I managed to achieve a different routing gateway over a second NIC for a different subnet. So thanks first of all for your valuable advice.
I’m curious of another adventure.
If my server has only TWO NICs with ETH0 running on a private IP (192.168.0.10/32 with default gateway 192.168.0.1. No problem here.
And I achieved setting up a second default gateway over ETH1 using your guide for a second PUBLIC subnet. No problem here.
Is it possible to add a virtual interface to ETH1? Such as ETH1:0, ETH1:2, ETH1:2?
My aim as follows:
1. To have the server managed through a private IP from the LAN
2. To host multiple domain names/public IPs using Postfix and Dovecot. Each with its own public IP but note the public IPs are NOT from the same range so each of the 4 public IP address would have its own default gateway.
Note: A vendor has the FW setup in such a way that allows/recognizes/routes all so there will be no issues related to the FW or routers.
Its the limitation that my server can only add ONE additional NIC (ETH1). I would consider a quad port add-on NIC but if what I need can be acheived on a development system to test Postfix and Dovecot and server performance then I’ll have an easier time getting support from my boss to invest in a near USD1000.00 NIC with 4 ports.
Why not to just edit the file “/etc/sysctl.conf”:
edit net.ipv4.conf.default.rp_filter = 2
add net.ipv4.conf.all.rp_filter = 2
Thanks a lot!
Great article! You save my day!
While I was configuring this in a bunch of servers I was thinking: Why do not implement this on the eth0?
To make this settings permanent in Centos/RedHat just add the commands in route-eth1 and rule-eth1 files in /etc/sysconfig/network-scripts/