Re: Alternate routing table and source IP address question.

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

bsilva a écrit :
> At my job, we use iptables commands to mark packets to use alternate
> routing tables.  Basically, we're using this to have two default gateways,
> some traffic types go out interface A to one gateway, other types of
> traffic go out interface B to a second gateway.
> 
> The issue is that by the time the packet gets to the routing table, the
> source IP address has already been set and we get the packets exiting
> interface B, but with the source IP address of interface A.

Indeed, this is a common issue.

> The only way we've found to correct this is to have the application that
> generates the traffic bind to the particular source IP address of the
> interface that it's eventually going to use.
> 
> Is there a better way to do it?

You can use SNAT or MASQUERADE, but IMO having the application bind to 
the desired source address is a cleaner way when applicable. NAT does 
not work well with all kinds of traffic. Besides, source-based routing 
is easier than mark-based routing, as it does not need iptables rules.

> I see this nice box on Jan Engelhardt's Packet Flow graph labeled "reroute
> check", but I don't see a way to invoke it.  I was hoping that adding a
> "src 123.123.123.2" parameter to the route statement would invoke reroute,
> but that doesn't seem to happen.  Or is the "reroute check" only used in
> NAT cases?

The reroute check just updates the routing decision due to an address 
translation or a mark set in the OUTPUT chains. The "src" option in a 
route is used only in the first routing decision before the OUTPUT 
chains, when the packet is created without a defined source address. A 
routing decision does not change the defined source address.