Biederony 12-07-2012 09:48 AM

Routing from src IP to new interface
Hi guys,

I'm trying to route from a specific src IP address
to a new network interface, but it's not working :(

First, I tried to use iptables commands, my first thought was like this:
iptables -t nat -A PREROUTING 1 -i eth0 -s <src> -d <dst> -j DNAT --to <interface>

but that command is not available; I can only give IP addresses after the --to argument.
Furthermore, I think iptables is too 'high-level' for this task (?).

I tried to use ip route commands, but that seems to be too low-level and used to route between interfaces etc.

But I have to route dependent on a src IP address to an interface.
Can anyone give me a hint and tell me how to solve this problem?

Thank you!

eantoranz 12-07-2012 12:58 PM

I think the problem is not clear at all.

For starters, what are your network interfaces? What are the ip addresses and what is routing like?


ip link show
ip addr show
ip route show

Then.... what would you like to achieve?

eantoranz 12-07-2012 01:04 PM

Anyways.... perhaps you could try with routing based on source/dest addresses. I think it's possible using routing tables plus rules.

It goes something like:


ip rule add to x.x.x.x table some_table
ip route add default via y.y.y.y table some_table

some_table can be a number (I think) or the name of a table predefined in /etc/iproute2/rt_tables.

Biederony 12-08-2012 04:55 AM

Hi! Thank you for your reply!

I will try to explain the problem a bit more in detail:

I have two virtual machines running on a xen hypervisor.
The Xen hypervisor is in routing mode, that means it has two IP addresses for the frontend network and for the backend network.
First, there was a single VM having the IP address and running behind the hypervisor in the back end network.

ip route shows:

dev vif1.0 scope link src
dev vif1.0 proto kernel scope link src

(so that means on the hypervisor layer, the VM has the network interface vif1.0)

Now the interesting part starts: I made a live clone of this VM which results in a second VM running
on the same hypervisor and having the same IP address but another virtual interface:

dev vif1.0 scope link src
dev vif1.0 proto kernel scope link src
dev vif2.0 scope link src
dev vif2.0 proto kernel scope link src

Now I want to route to the original-VM or to the cloned-VM dependent on the IP source address.
For example, Bob should be routed to the original-VM as normal and Alice should be routed to the cloned-VM while both communicating with the same destination IP address.
That means I can only route dependent on the interface and not on the target IP address (which is my current problem).

I attached a little illustration of the setup.. (it's for research)
I know that there are some other problems considering network traffic,
and that I have to block certain replies, but actually this is the main problem :-)

Thank you very much!

eantoranz 12-08-2012 09:10 AM

Why are there two routing items with the same network? Are they created that way by xen? To my not-bound-by-xen network knowledge, it feels like it's not gonna hold water. That sounds like you should bridge the virtual network interfaces and place the IP address ( on the bridge instead, am I wrong?

dev vif1.0 proto kernel scope link src
dev vif2.0 proto kernel scope link src

Biederony 12-09-2012 11:22 AM

Yes they are created by Xen running in routing mode.
You can run Xen in bridging mode (which is easier),
but we need Xen in routing mode for this project.

Do you know how I could solve the problem?
How can I route from a src IP address to a target VM through a specific interface?

Thank you!

eantoranz 12-09-2012 11:30 AM

Don't know the difference between both modes. I can only see the routing problem as seen in your routing tables.

You have two interfaces with overlapping network segments. The IP addresses set for those two interfaces are the same on the host? Can you remove the IP address from those interfaces (on the host), bridge them and set the IP address on the bridge? You could, of course, set the exact dst address to get in touch with a certain VM. Routing will use the best matching rule, so if you set a rule to reach one single IP address it won't hesitate to use it instead of the defined /24.


ip route add ipaddressvm1 dev devvm1 src myip
ip route add ipaddressvm2 dev devvm2 src myip

That should do. Perhaps using two different network segments? Anyway, hope it helps.
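A fuller version of the source-based routing eantoranz sketches above (an ip rule plus a dedicated table), applied to the two-interface setup from the thread: Bob keeps reaching the original VM on vif1.0, Alice is steered to the clone on vif2.0 for the same destination address. This is an added example, not code from either poster; the interface names vif1.0 and vif2.0 come from the thread, while the VM address 10.0.0.5, Alice's address 192.0.2.10, the frontend interface eth0 and table number 101 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): steer traffic from one source address
# to the cloned VM's interface while every other source reaches the original.
# Dry-run by default (prints the commands); APPLY=1 executes them as root.
VM_IP="${VM_IP:-10.0.0.5}"          # assumed: address shared by both VMs
ORIG_IF="${ORIG_IF:-vif1.0}"        # original VM interface (from the thread)
CLONE_IF="${CLONE_IF:-vif2.0}"      # cloned VM interface (from the thread)
FRONT_IF="${FRONT_IF:-eth0}"        # assumed: frontend interface on the host
ALICE="${ALICE:-192.0.2.10}"        # constructed: source sent to the clone
CLONE_TABLE="${CLONE_TABLE:-101}"   # assumed: spare routing table number

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# The main table keeps a single host route for the VM address via the
# original interface, so any source not matched by a rule (Bob) uses vif1.0.
setup_default_path() {
    run ip route replace "$VM_IP" dev "$ORIG_IF" table main
}

# A dedicated table holds the same destination via the clone's interface.
# The rule consults that table only for packets from Alice; priority 1000 is
# below 32766 (the main table), so it is evaluated before the normal lookup.
# Note: "ip rule add" is not idempotent, so run this once per boot.
setup_clone_path() {
    run ip route replace "$VM_IP" dev "$CLONE_IF" table "$CLONE_TABLE"
    run ip rule add from "$ALICE" to "$VM_IP" lookup "$CLONE_TABLE" priority 1000
}

# Ask the kernel which interface it would pick for a forwarded packet from
# Alice arriving on the frontend; the answer should contain "dev vif2.0".
verify_clone_path() {
    run ip route get "$VM_IP" from "$ALICE" iif "$FRONT_IF"
}

setup_default_path
setup_clone_path
verify_clone_path
```

Run the same `ip route get` with Bob's address in place of Alice's to confirm the default path still answers with vif1.0.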

