# policy based routing outbound traffic [SOLVED]

## ddio

I have a server which has two possible gateways to the internet (one on eth0 and one on eth1).

Now I want to make the server reachable from both sides (at this moment only apache port 80 and 443), so I thought I'd use policy based routing for it.

The default routing table uses the gateway for eth0 (192.168.200.1).

The routing table 17 uses the gateway for eth1 (192.168.100.151).

So I have to achieve that if the server is connected on eth1 (192.168.100.250) it uses table 17, so it sends the packet back to the correct gateway (192.168.100.151).

First I had some trouble with rp_filter (the packet simply disappeared), then with mangle->PREROUTING (from what I could determine, mangle->PREROUTING is only usable for incoming packets).

So I finally did use mangle->OUTPUT:

```
iptables -A OUTPUT -t mangle -s 192.168.100.250 -j MARK --set-mark 1
```

I can see the packet is marked:

```
iptables -A OUTPUT -t mangle -s 192.168.100.250 -j LOG --log-prefix "pbr: "
```

```
[162618.940496] pbr: IN= OUT=eth0 SRC=192.168.100.250 DST=188.64.61.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=36929 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x1
```

But as you can see, the packet is sent out on the wrong interface (eth0 instead of eth1), although with the correct source IP.

Here's the ip rule:

```
# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x1 iif eth1 lookup rottmann
32766:  from all lookup main
32767:  from all lookup default
```

Here's the routing table 17:

```
# ip route show table 17
default via 192.168.100.151 dev eth1  src 192.168.100.250
192.168.100.0/24 dev eth1  proto kernel  scope link  src 192.168.100.250
192.168.101.0/24 via 192.168.100.151 dev eth1
192.168.201.0/24 via 192.168.100.151 dev eth1
```

Last edited by ddio on Wed Jun 24, 2015 12:15 pm; edited 1 time in total

----------

## ddio

Writing it down seems to help. After trying so much stuff, I didn't notice that if I switch from PREROUTING to OUTPUT I have to adjust the ip rule by deleting the iif part. Now it works.

----------

## ddio

 *ddio wrote:*   

> I have a server, which has two possible gateways to the internet(one on eth0 and one on eth1).
> 
> Now I want to make the server reachable from both sides (at this moment only apache port 80 and 443), so I thought I use policy based routing for it.
> 
> The default routing table uses the gateway for eth0 (192.168.200.1).
> ...


----------

