
Policy based routing on Linux

Status
Not open for further replies.

dulem

Technical User
Jul 10, 2002
39
Hi Guys,
I'm trying to configure a Linux RH 7.3 server to act as a router for policy based routing.
Here is my problem.
This server has to help me during an IP migration. I'm in the process of moving IPs from one ISP to another and I want to keep all IPs (old and new) for a short time until DNS propagation is finished.
I have an ethernet cable supplied from both ISPs and now they are connected to the same switch.
Both providers allow only traffic from their own IPs.
I have multiple IPs (old and new) on the servers, and these servers are accessible only on one IP.
I'm trying to configure one Linux server to act as default gateway and, depending on the source IP, forward packets to the providers. This server has one NIC with addresses in both ranges.

It should be very simple according to the iproute2 documentation but....

Here is an extract from the server:

[root@rh73 net]# ip rule ls
0: from all lookup local
32765: from x.x.x.x/24 lookup Test
32766: from all lookup main
32767: from all lookup 253
[root@rh73 net]# ip route list table Test
default via x.x.x.254 dev eth0 proto static

[root@rh73 net]# ip route list
x.x.x.0/24 dev eth0 proto kernel scope link src x.x.x.73
y.y.y.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via y.y.y.y dev eth0

x.x.x.x is new IP range
y.y.y.y is old IP range

Any suggestions?

Dule
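The following is an added example, not part of the original post, showing the iproute2 configuration the poster is after written out in full: a single-NIC gateway with two per-ISP routing tables selected by source range. The addresses are placeholders from the documentation ranges (192.0.2.0/24 via 192.0.2.254 standing in for the new x.x.x.0/24, 198.51.100.0/24 via 198.51.100.254 for the old y.y.y.0/24) and the table numbers 100 and 200 are assumptions; substitute the real assignments. Compared with the tables shown in the post it also puts the connected routes for both ranges into each per-ISP table, turns on forwarding, and flushes the route cache, which on a 2.4-era kernel is required before rule changes are honoured.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing on a
# single-NIC Linux gateway using iproute2. All addresses and table numbers
# below are assumed placeholders; set them from the environment for real use.

IFACE=${IFACE:-eth0}
NEW_NET=${NEW_NET:-192.0.2.0/24}      # stands in for x.x.x.0/24
NEW_GW=${NEW_GW:-192.0.2.254}         # stands in for x.x.x.254
NEW_TABLE=${NEW_TABLE:-100}
OLD_NET=${OLD_NET:-198.51.100.0/24}   # stands in for y.y.y.0/24
OLD_GW=${OLD_GW:-198.51.100.254}      # stands in for the old ISP router
OLD_TABLE=${OLD_TABLE:-200}

# DRY_RUN=1 prints each command instead of executing it, so the plan can be
# reviewed without root and without touching a live gateway.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

pbr_setup() {
    # A box that does not forward routes nothing, whatever the tables say.
    run sysctl -w net.ipv4.ip_forward=1

    # One table per ISP. Each gets the directly connected routes for BOTH
    # ranges (so the gateway still talks to hosts on the other range on the
    # wire instead of bouncing them off an ISP router) plus its own default.
    for spec in "$NEW_TABLE $NEW_GW" "$OLD_TABLE $OLD_GW"; do
        set -- $spec
        table=$1
        gw=$2
        run ip route add "$NEW_NET" dev "$IFACE" table "$table"
        run ip route add "$OLD_NET" dev "$IFACE" table "$table"
        run ip route add default via "$gw" dev "$IFACE" table "$table"
    done

    # The rules carry the policy: the source range selects the table.
    # Both sit above main (pref 32766), so neither range falls through to
    # the main table's default route.
    run ip rule add from "$NEW_NET" table "$NEW_TABLE" pref 1000
    run ip rule add from "$OLD_NET" table "$OLD_TABLE" pref 1001

    # 2.4 kernels keep a routing cache; cached decisions ignore new rules
    # until the cache is flushed.
    run ip route flush cache
}

pbr_teardown() {
    run ip rule del from "$NEW_NET" table "$NEW_TABLE" pref 1000
    run ip rule del from "$OLD_NET" table "$OLD_TABLE" pref 1001
    run ip route flush table "$NEW_TABLE"
    run ip route flush table "$OLD_TABLE"
    run ip route flush cache
}

# Check which gateway a forwarded packet with source $1 and destination $2
# would use. 'ip route get' evaluates the policy rules, and 'iif' makes the
# kernel treat the lookup as a forwarded packet rather than a local one.
pbr_check() {
    run ip route get "$2" from "$1" iif "$IFACE"
}

case "${1:-}" in
    setup)    pbr_setup ;;
    teardown) pbr_teardown ;;
    check)    pbr_check "$2" "$3" ;;
    *) printf 'usage: [DRY_RUN=1] %s setup|teardown|check SRC DST\n' "$0" ;;
esac
```

Run it first with DRY_RUN=1 to read the command list, then as root without it. Note that a "from" rule also matches the gateway's own locally generated packets sourced from those ranges, which is what you want here: the gateway's own traffic leaves through the ISP that owns the address it is speaking from.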
 
I think you're going to run into a problem. It sounds like you've plumbed the different IPs on a single interface. If that's true, then the source IP of the response packet will not necessarily be the same as the address the packet came in on.

You would probably be better off making the router masquerade the packets to the server and give the server a private IP until you're ready to drop the old addresses.
 
Yes, this interface has two different IPs.
I guess that this should work very simply. It's just needed to redirect packets to one of two routers depending on source IP and nothing more.
Unfortunately I don't have any spare cisco router on site.
Dule
 
You're missing my point. The web server behind the router, whether the router is a cisco or not, has multiple IP addresses bound to a single network interface. Correct?

If that's not correct, then this entire post is invalid, but if that is the case then consider this. The web server has IP addresses a and b bound to it. A packet comes in from ISP A, it gets routed to the IP address a. When the web server replies, it is not guaranteed that the response will originate from IP address a; the kernel may decide to source it from IP address b.

I know this for a fact because I had a similar problem with a customer's mail server.

Now, if it is not important to you that the response may take an asymmetric route back to the client, then you can continue down this path. The Linux Advanced Routing HOWTO I believe covers policy based routing.

But if this is going to be a problem for you, then you should probably examine an alternative solution, such as NATting the web server. If you NAT the server, then the router will track the connection by source ip, source port, destination ip and destination port. In this manner you will be guaranteed that the response will be routed over the same ISP that the request came from.

Does that make more sense?
 
Hi,
It is not important for me that the response takes an asymmetric route. NAT is not an alternative solution for other reasons (can be a separate topic).
Anyway, I'm not able to run policy-based routing with a single NIC. Basically this is packet redirection depending on source IP rather than routing.
I'm wondering whether this is possible on Linux.
I've configured this a couple of times with cisco routers without problems.
Thanks
 
If the asymmetric route is not a problem, then it should be doable. Are you using iproute2?

ftp://ftp.inr.ac.ru/ip-routing but packages are available for most distros.
 