# Send traffic from one application out a specific interface?

## Xamindar

I have a server set up with various services and it has two different internet links. One is through eth0 and the other is through eth1. 

eth0 is the default route.

I am trying to set up deluge to use ONLY the eth1 interface for all its traffic but I can't seem to get it to work.

I tried following the howto here: http://linux-ip.net/html/adv-multi-internet.html and just modifying it to my application but it isn't working.

Here is the firewall script I have set up on this machine. Trying to keep it simple right now and will expand it as I set everything up.

Again, I am trying to have everything go out eth0 EXCEPT deluge traffic, which I want to go out (and come back in) eth1. But I must be missing something.

```
#!/bin/bash

## Variables applying to the system
IPTABLES='/sbin/iptables'

### Modules needed, just add one per line.
MODULES="ip_tables
    iptable_nat
    ip_nat_ftp
    ip_conntrack_ftp"

for i in $MODULES; do
    echo "Inserting module $i"
    modprobe $i
done

# Flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

# Set the default policies for the chains
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

### Set up the firewall rules

# Allow all connections established by me (because default is to drop)
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT

# Allow anything from trusted lan1 to this box
$IPTABLES -t filter -A INPUT -i eth0 -j ACCEPT

# Allow anything from outside of lan2 in if connection is already established
$IPTABLES -t filter -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

######################################################################
#########The following is for routing to specific interfaces##########
######################################################################

DTABLE=3
STABLE=main
MARK=3

#Create a second routing table with a new default gateway for the second interface (eth1)
ip route flush table $DTABLE
ip route show table $STABLE | grep -Ev '^default' \
  | while read ROUTE ; do
    ip route add table $DTABLE $ROUTE
done

IP1=192.168.1.70 #IP on eth1
P1=192.168.1.254 #Gateway on eth1

ip route add default via $P1 table $DTABLE
ip rule add from $IP1 table $DTABLE
ip rule add fwmark $MARK table $DTABLE

#Mark deluged torrent packets so they will be used by the new routing table
$IPTABLES -t mangle -A OUTPUT -m owner --uid-owner deluge -j MARK --set-mark $MARK
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.70

#######################################################################
###############END INTERFACE ROUTING###################################
#######################################################################
```

I have it create a second routing table and then the iptables rules are supposed to mark it to go out using that routing table. But I must have something wrong here. It seems they go out but can't get back in.

```
~ # ip route show table 3
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3  metric 2
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.70  metric 2005
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.1.254 dev eth1

~ # ip route show table main
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.70  metric 2005
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3  metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
default via 172.16.0.1 dev eth0  metric 2
default via 192.168.1.254 dev eth1  metric 2005
```

```
~ # ip rule show
0:      from all lookup local
32764:  from all fwmark 0x3 lookup 3
32765:  from 192.168.1.70 lookup 3
32766:  from all lookup main
32767:  from all lookup default
```

With all this I'm not quite sure how it all fits together. Could someone help me out here? Thanks in advance.

----------

## Mad Merlin

It would be far more resource intensive and probably non-trivially less convenient, but conceptually simpler to run deluge in a VM and just bridge that VM to eth1 (only).

(In other words, I find iptables to be black magic, and though I'm sure it's doable using that approach, I'm not quite sure how.)

----------

## Hu

Have you confirmed with a network capture that the traffic successfully leaves eth1 and that responses are returned to eth1, where they are subsequently lost?

----------

## Xamindar

Dang, I had given up on this and just set the default gateway to eth1 and firewalled everything except deluged. But I just realized that for some reason that stops outside access coming into this server from eth0. I can access everything fine from the eth0 LAN, but if I try to access it by going through the NAT router, which has certain ports forwarded to this server on eth0, it fails. Why in the world would it work on the LAN but not from the outside if both LAN and outside go to eth0? What is the difference? NAT on the router messing it up?

There has got to be a way to make certain services go out one interface and other services go out another. No one in the networking world has two internet connections (default gateways) that they need to set specific traffic to use? Hard to believe.
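Added example for both of Xamindar's posts above (the fwmark setup in the first one and the "replies go out the wrong uplink" symptom in the second); it is not code from the thread or from the linux-ip.net howto. It is a POSIX shell preflight script that checks the pieces such a two-uplink setup relies on: that the `fwmark` rule is consulted before the `main` table, that a `from <address> lookup <table>` rule exists for the uplink so replies to connections that arrived there leave the same way, that the alternate table really has a default route via eth1, that a SNAT/MASQUERADE rule rewrites the source (a packet re-routed by mark keeps the source address picked during the first lookup, eth0's here), and that reverse-path filtering is not in strict mode on eth1. The strict setting (`rp_filter=1`, applied as the maximum of `conf.all` and `conf.eth1`) discards a reply arriving on eth1 whenever the reverse lookup for its source picks another interface, which the main table does for Internet sources while eth0 holds the default route; loose mode (2) only requires the source to be reachable somewhere. The mark 3, table 3, interface eth1 and address 192.168.1.70 are the thread's values; the sample inputs are the thread's own `ip rule` / `ip route` listings plus a constructed `iptables -t nat -S` line matching its SNAT rule. Every check takes the text of the relevant command as an argument, so `--live` runs the same functions against the host (root needed for iptables). One more caveat the script cannot test: `--uid-owner deluge` only marks packets from processes running as that uid, so confirm with `ps -o user= -C deluged` that the daemon is not running as someone else.

```shell
#!/bin/sh
# Preflight checks for fwmark / source-based policy routing with two uplinks.
# Added example for this thread; not the poster's script or the howto's.
# Each check takes the text of an `ip`, `iptables` or `sysctl` command, so it
# runs against saved output (samples below) or the live host (--live).

# "from all fwmark <mark> lookup <table>" must exist with a lower priority
# number (= consulted earlier) than "from all lookup main".
# `ip rule show` prints marks in hex: "fwmark 0x3" or "0x3/0xffffffff".
fwmark_rule_ok() {  # $1 = `ip rule show` output, $2 = mark (decimal), $3 = table
    mark_hex=$(printf '0x%x' "$2")
    printf '%s\n' "$1" | awk -v mark="$mark_hex" -v table="$3" '
        { prio = $1; sub(":", "", prio); prio += 0 }
        /lookup/ && $NF == "main" { main_prio = prio; have_main = 1 }
        {
            for (i = 1; i < NF; i++)
                if ($i == "fwmark") {
                    split($(i + 1), m, "/")
                    if (m[1] == mark && $NF == table) { rule_prio = prio; have_rule = 1 }
                }
        }
        END { exit !(have_main && have_rule && rule_prio < main_prio) }'
}

# "from <ip> lookup <table>": replies to connections that arrived on that
# uplink are routed by its table instead of by the main default route.
source_rule_ok() {  # $1 = `ip rule show` output, $2 = source IP, $3 = table
    printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from $2 lookup $3\$"
}

# The alternate table needs its own default route through the uplink.
table_default_ok() {  # $1 = `ip route show table N` output, $2 = interface
    printf '%s\n' "$1" | grep -Eq "^default .* dev $2( |\$)"
}

# Marked packets keep the source address chosen by the first route lookup
# (eth0's), so a SNAT/MASQUERADE rule for the uplink is required.
snat_rule_ok() {  # $1 = `iptables -t nat -S POSTROUTING` output, $2 = interface
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-o $2 .*-j (SNAT|MASQUERADE)"
}

# The kernel applies max(conf.all, conf.<if>).  1 = strict drops replies on
# eth1 whose source the main table routes via eth0; 0 and 2 (loose) do not.
rp_filter_ok() {  # $1 = net.ipv4.conf.all.rp_filter, $2 = net.ipv4.conf.<if>.rp_filter
    if [ "$1" -gt "$2" ]; then eff=$1; else eff=$2; fi
    case "$eff" in
        0|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Samples: the thread's own listings, plus a constructed nat listing that
# matches the thread's SNAT rule.
SAMPLE_RULES='0:      from all lookup local
32764:  from all fwmark 0x3 lookup 3
32765:  from 192.168.1.70 lookup 3
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_TABLE3='172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3  metric 2
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.70  metric 2005
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.1.254 dev eth1'

SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.70'

report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; fi; }

if [ "${1:-}" = "--live" ]; then   # check this host (root needed for iptables)
    RULES=$(ip rule show)
    report fwmark_rule_ok "$RULES" 3 3
    report source_rule_ok "$RULES" 192.168.1.70 3
    report table_default_ok "$(ip route show table 3)" eth1
    report snat_rule_ok "$(iptables -t nat -S POSTROUTING)" eth1
    report rp_filter_ok "$(sysctl -n net.ipv4.conf.all.rp_filter)" \
                        "$(sysctl -n net.ipv4.conf.eth1.rp_filter)"
fi
```

Run with `sh policy-preflight.sh --live` on the server; each line reports which precondition is missing. A FAIL on the rp_filter check is the first thing to look at when packets leave eth1 but the replies never reach the socket, which is what Hu's capture question would confirm.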

----------

