# routing policy based on src port

## paziu

Hello,

I am able to specify the gateway based on the source IP.

```
IF1="br0:1"
IF2="br0:2"
IPIF1="192.168.1.111"
IPIF2="192.168.2.111"
RTIF1="192.168.1.1"
RTIF2="192.168.2.1"
DEV="br0"   # the real device behind both aliases; iproute2 does not accept "br0:1" as a dev

# new interfaces UP!
ifconfig "$IF1" "$IPIF1"/24 up
ifconfig "$IF2" "$IPIF2"/24 up

# rt policy for 01
ip rule add from "$IPIF1" table 01
ip route add default via "$RTIF1" dev "$DEV" table 01

# rt policy for 02
ip rule add from "$IPIF2" table 02
ip route add default via "$RTIF2" dev "$DEV" table 02
```

Is it possible to specify the gateway based on the src tcp/udp port?

('ip' does not seem to be able to do it)

It would be something like:

```
ip rule add from "$SRC_PORT" table 03
```

Thanks,

Mike

----------

## papahuhn

You can do it with netfilter packet MARK in the mangle table. You will also need to set a corresponding fwmark rule with ip.

----------
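The fwmark approach papahuhn points at, worked through as an added example (my script, not code from either poster). It uses the thread's second link (192.168.2.111/24 on br0, alias label br0:2, gateway 192.168.2.1); table id 102, mark 2, rule preference 1000, the DRYRUN switch and the `--apply` flag are my own choices. It covers both the original question (match on source port) and the destination-port variant, and adds the two things that usually bite with marking in OUTPUT: the source address was picked before the mark existed, so it is rewritten with SNAT, and rp_filter is loosened so replies arriving on the second link are not dropped.

```shell
#!/bin/sh
# Policy routing keyed on a TCP/UDP port via a netfilter fwmark (added example).
# Layout follows the thread: second link is 192.168.2.111/24 on br0 (alias label
# br0:2) with gateway 192.168.2.1. Table id 102, mark 2 and pref 1000 are my own
# choices for this example, not values from the thread.
# DRYRUN=1 prints the commands instead of running them; otherwise run as root.

DEV="${DEV:-br0}"                 # real device: iproute2 rejects alias labels like br0:2
LOCAL_IP="${LOCAL_IP:-192.168.2.111}"
GW="${GW:-192.168.2.1}"
TABLE="${TABLE:-102}"             # numeric table id, so no /etc/iproute2/rt_tables entry is needed
MARK="${MARK:-2}"

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_by_port sport|dport PORT
# Steer locally generated TCP/UDP packets that match PORT out via $GW.
policy_by_port() {
    mode="$1"; port="$2"
    case "$mode" in
        sport) match="--sport" ;;    # e.g. replies from a daemon bound to PORT
        dport) match="--dport" ;;    # e.g. all outbound connections to PORT
        *) echo "usage: policy_by_port sport|dport PORT" >&2; return 2 ;;
    esac

    # 1. A table whose only route is the second link's default gateway.
    run ip route replace default via "$GW" dev "$DEV" table "$TABLE"

    # 2. Mark in mangle OUTPUT. The kernel already routed the packet once by then;
    #    a changed mark makes it re-run the route lookup, now hitting the fwmark rule.
    run iptables -t mangle -A OUTPUT -p tcp "$match" "$port" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p udp "$match" "$port" -j MARK --set-mark "$MARK"

    # 3. The rule papahuhn mentions: marked packets consult $TABLE before main.
    run ip rule add fwmark "$MARK" table "$TABLE" pref 1000

    # 4. The source address was chosen by the first lookup (usually the main table's
    #    default route), so the packet may leave via $GW with the wrong source IP.
    #    Rewrite it by mark; -o cannot be used because the link is only an alias.
    run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" -j SNAT --to-source "$LOCAL_IP"

    # 5. Strict reverse-path filtering drops replies that arrive on the "other" link.
    run sysctl -w "net.ipv4.conf.$DEV.rp_filter=2"
}

# Number of commands a call would issue; handy for checking the dry run.
count_commands() {
    DRYRUN=1 policy_by_port "$1" "$2" | wc -l | tr -d ' '
}

# Example: route everything this host sends to TCP/UDP port 555 via 192.168.2.1.
# "DRYRUN=1 sh policy.sh --apply" (assumed filename) prints the six commands.
if [ "${1:-}" = "--apply" ]; then
    policy_by_port dport 555
fi
```

For the original source-port question, call `policy_by_port sport PORT` instead; that matches the packets a daemon bound to PORT sends back, which is exactly the case where the listening port is the source port.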

## paziu

Thanks papahuhn! I will start looking into nf/ip.

----------

## paziu

The idea about the src port was not that good - I was under the impression that after bouncing off a local proxy, its listening port would also become the src port (only partially right, not enough).

I still looked into nf and iproute2... assigning MARKs and rules was successful for the dst port:

```
# "tbl1" must exist in /etc/iproute2/rt_tables (e.g. "101 tbl1");
# br0 is the real device, br0:1 only an alias label that iproute2 does not accept
ip route add default via 192.168.1.1 dev br0 table tbl1
ip rule add from 192.168.1.0/24 table tbl1
iptables -t mangle -A OUTPUT -p tcp --dport 555 -j MARK --set-mark 1
ip rule add from all fwmark 1 table tbl1
```

This will also apply to any service listening on br0:1 or to any incoming connection whose source is 192.168.1/24.

All this is to utilize a multi-WAN test setup, also using local proxies/port tunnels (3proxy-tcppm) (for a single destination & multilink); at this moment my routing table looks like this:

```
netstat -rn | wc -l

63242
```

divided into blocks of 64k hosts (excluding reserved) between 5 WANs - so one system on the LAN can utilize all 5 WANs - a script outputs the following:

```
...
route add -net 22.100.0.0/16 gw 10.0.0.1
route add -net 22.101.0.0/16 gw 10.0.0.198
route add -net 22.102.0.0/16 gw 192.168.1.1
route add -net 22.103.0.0/16 gw 192.168.2.1
route add -net 22.104.0.0/16 gw 10.0.0.9
...
```

This "approach" seems to be quite "reliable" (read: testing environment). I was afraid I would not be able to log in to secure/SSL web sites, especially because the source IP might change during the "session" (destination change while using, e.g., online banking) - so far I have not found a problem with this.

I know this is a bit off topic, but I wanted to share these details and see what your comments might be...

Thanks again papahuhn for the idea about looking into MARK.

PS: inserting the 63000+ routes takes 20 sec on an i5 box.

----------
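The per-/16 spread over several WANs that Mike's script produces, as an added example of my own (not his script): it emits `ip -batch` input instead of running one `route add` process per line, which is where most of the 20 seconds for 63000 routes goes, skips the reserved blocks, and assigns gateways round-robin so the table is reproducible between runs. The five gateway addresses are taken from the listing above as placeholders; the round-robin rule, the `--emit` switch and the function names are assumptions.

```shell
#!/bin/sh
# Split the unicast IPv4 space into /16 blocks and spread them over several WAN
# gateways, emitting "ip -batch" input (added example; the gateway addresses are
# placeholders in the thread's style, not a real config, and the round-robin
# assignment is my own choice).
# Feeding one batch file to a single ip process is far cheaper than ~60k route
# processes: the fork/exec per route is where the thread's 20 seconds go.

GATEWAYS="${GATEWAYS:-10.0.0.1 10.0.0.198 192.168.1.1 192.168.2.1 10.0.0.9}"

# is_reserved A B: true for /16 blocks that must never be sent to a WAN.
is_reserved() {
    case "$1.$2" in
        0.*|10.*|127.*) return 0 ;;                                       # 0/8, 10/8, loopback
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 0 ;; # 100.64/10
        169.254) return 0 ;;                                              # link-local
        172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;                      # 172.16/12
        192.168) return 0 ;;                                              # 192.168/16
    esac
    [ "$1" -ge 224 ]                                                      # 224/4 and above
}

# gw_for A B: pick a gateway for A.B.0.0/16 by deterministic round-robin over
# GATEWAYS, so re-running the script yields the same table. Result in $GW.
gw_for() {
    a16="$1"; b16="$2"
    set -- $GATEWAYS                 # word-split the list into this function's $1..$#
    idx=$(( (a16 * 256 + b16) % $# + 1 ))
    eval "GW=\$$idx"
}

# gen_routes: one "route replace" line per routable /16, in ip -batch syntax.
# "replace" makes the batch idempotent; "add" would fail on the second run.
gen_routes() {
    a=1
    while [ "$a" -le 223 ]; do
        b=0
        while [ "$b" -le 255 ]; do
            if ! is_reserved "$a" "$b"; then
                gw_for "$a" "$b"
                printf 'route replace %d.%d.0.0/16 via %s\n' "$a" "$b" "$GW"
            fi
            b=$((b + 1))
        done
        a=$((a + 1))
    done
}

# apply_routes: load the whole set in one ip process (root; "-" reads stdin).
apply_routes() {
    gen_routes | ip -batch -
}

# Usage: sh gen-routes.sh --emit > routes.batch && ip -batch routes.batch
if [ "${1:-}" = "--emit" ]; then
    gen_routes
fi
```

Sourcing the file and calling `apply_routes` does the same in one step. Because every /16 is mapped by `(A*256+B) mod 5`, a destination keeps the same gateway across reloads, which is what keeps long-lived "sessions" on one source IP in this kind of setup.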

## papahuhn

63000 routes on commodity hardware, neat. :)

----------

