IPTables : Source IP based Gateway Route

vaibhavs · 11-06-2008, 08:53 AM

Hi,

I have an FC9 server as a gateway server with Squid + Dansguardian.
I have 10 Desktop PCs & 2 ISPs.
I want 5 PCs to access the net via ISP-1 & other 5 PCs via ISP-2.

I believe this can be done via IPTables.

I do not understand much of IPTables.
I seek help from forum members who can give me the rules which will help me route desktop traffic based on the IP address of the Desktops PCS.

I need rule like:
Source IP = 192.168.1.11 -> Gateway = 192.168.1.1
Source IP = 192.168.1.12 -> Gateway = 192.168.1.1
Source IP = 192.168.1.13 -> Gateway = 192.168.1.2
etc

Thank you in advance.

regards,
Vai

estabroo · 11-06-2008, 11:00 AM

To do this you need to use the iproute2 programs.

Set up a table for each different gateway in /etc/iproute2/rt_tables
example rt_tables:

Code:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
10      gw1
11      gw2

Then you need to add a default route to each table:
ip route add default via 192.168.1.1 table gw1
ip route add default via 192.168.1.2 table gw2

Then you need to do routing rules like:
ip rule add from 192.168.1.11 table gw1
ip rule add from 192.168.1.12 table gw1
ip rule add from 192.168.1.13 table gw2

You should make sure to have an overall default route added via normal route command or interface setup. It's needed because the default route added to a table only apply to packets routed through that table.

nkd · 11-06-2008, 12:34 PM

that is only going to take care of a static situation....what if one of your internet link goes down

The corresponding hosts are all going to remain disconnected !

Maybe you should consider failover mechanism and write a script to use iptables to mark packets and then do routing as per that. Within the script keep checking both the interfaces regularly, say every 10 secs or so and if any internet interface goes down route the packets from it's src ip hosts through the other internet gw.

nishith

estabroo · 11-06-2008, 12:58 PM

Its actually a pretty flexible solution because to reroute all the traffic from one gateway to the other you only need to change the default route for the table that needs to be moved, you don't have to redo all the individual rules.

nkd · 11-06-2008, 01:36 PM

right ... but you got to do that manually or would you recommend a script to do that ?

estabroo · 11-06-2008, 01:40 PM

A script or a daemon would be fine, I'm guessing that for this particular instance it doesn't matter, that the routes both go out the same internet connection, one just happens to be filtered through the squid+dan's guardian and the other isn't.

vaibhavs · 11-06-2008, 11:20 PM

Thx for all the inputs and suggestions.
I need to split the users over 2 ISP for Load Balancing.
If all user move thru single ISP, the b/w per user is low and the other ISP is idle.

I will ceate a PHP script which will route users thru the other gateway when the original ISP is down.
A simple browser based script which will execute IPTables command.
I am more of a PHP guy, little knowledge of Shell Scripts or IPTables.

I would really appreciate if someone can help me with the IPTables part.

I have 1 ethernet only. So the IP packets have to be tagged as to which gateway to use based on their source address.
All help is deeply appreciated!

Thx
Vai

vaibhavs · 11-10-2008, 12:36 PM

Hi,

Can anyone do this setup for me on paid basis.
I need this setup on my server.

Thx
Vai