Cisco and YAMAHA routers can do policy-based routing using filters; I would like to do the same on Linux.
Unlike normal routing, policy-based routing is decided inside the host itself: a particular routing table is used for a particular kind of traffic. (This is hard to explain in the abstract, so here is an example.)
The key point is a multi-homed environment.
What kind of situation calls for this? ・ Normally the A line is used, but HTTP access should go over the B line.
The environment this time:
- Suppose the host has three external lines (192.168.0.2, 192.168.1.2, 192.168.2.2), each with a gateway in front of it (192.168.0.1, 192.168.1.1, 192.168.2.1).
- HTTP access from the host to 12.34.56.78 should go through gateway A, HTTPS access to 12.34.56.78 through gateway B, and SSH access to 12.34.56.78 through gateway C.
What Linux features are needed to make this happen?
Use iptables to mark packets destined for a particular port (iptables), and use a specific routing table for the marked packets (iproute2).
Use the iptables mangle table to mark packets.
# iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 1 ← Mark "1" on packets going out to TCP port 80
# iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 2 ← Mark "2" on packets going out to TCP port 443
# iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 3 ← Mark "3" on packets going out to TCP port 22
Specify rules for marked packets.
# ip rule add fwmark 1 table 10 ← Refer to "table 10" for packets marked with "1"
# ip rule add fwmark 2 table 20 ← Refer to "table 20" for packets marked with "2"
# ip rule add fwmark 3 table 30 ← Refer to "table 30" for packets marked with "3"
Furthermore, since the host has one address per gateway-facing interface, add rules keyed on the source address too, so that reply packets (and anything else sourced from that address) use the matching table.
# ip rule add from 192.168.0.2 table 10 ← Refer to "table 10" for packets whose source address is "192.168.0.2"
# ip rule add from 192.168.1.2 table 20 ← Refer to "table 20" for packets whose source address is "192.168.1.2"
# ip rule add from 192.168.2.2 table 30 ← Refer to "table 30" for packets whose source address is "192.168.2.2"
Create the route tables that the rules refer to.
# ip route add default dev eth1 via 192.168.0.1 table 10 ← The default gateway of "table 10" is 192.168.0.1 via eth1.
# ip route add default dev eth2 via 192.168.1.1 table 20 ← The default gateway of "table 20" is 192.168.1.1 via eth2.
# ip route add default dev eth3 via 192.168.2.1 table 30 ← The default gateway of "table 30" is 192.168.2.1 via eth3.
Each table should also contain the directly connected (link) routes, so copy them in as appropriate. The link routes can be taken from the output of
ip route show table main
and added to each table, leaving out the default route.
As a one-liner, for all three tables:
# for T in 10 20 30; do ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table $T $ROUTE; done; done
This completes the settings; now let's actually verify it.
If all is well, add the commands to /etc/rc.local or another startup script.
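The whole procedure above, collected into one POSIX shell script, as an added example that is not part of the original post. The addresses, interface names eth1/eth2/eth3, marks and table numbers are the ones used in the post; the per-line port column (80/443/22), the print/apply argument and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: generates (and optionally runs) the iptables/iproute2 commands
# for the three-gateway policy routing described in the post.
# Without arguments it only prints the commands; "apply" runs them (as root).
set -eu

# One line per external line: mark table port source-address device gateway
# (values taken from the post's example; adjust to your host).
PBR_LINES='1 10 80 192.168.0.2 eth1 192.168.0.1
2 20 443 192.168.1.2 eth2 192.168.1.1
3 30 22 192.168.2.2 eth3 192.168.2.1'

# pbr_commands MARK TABLE PORT SRC DEV GW
# Prints the four commands for one line: mark outbound packets to PORT,
# pick TABLE for that mark, pick TABLE for packets sourced from SRC
# (replies), and give TABLE its own default route.
pbr_commands() {
    echo "iptables -t mangle -A OUTPUT -p tcp --dport $3 -j MARK --set-mark $1"
    echo "ip rule add fwmark $1 table $2"
    echo "ip rule add from $4 table $2"
    echo "ip route add default dev $5 via $6 table $2"
}

# copy_link_routes TABLE   (reads 'ip route show table main' output on stdin)
# Emits an 'ip route add' into TABLE for every non-default route, so the table
# can reach the directly connected networks and not only its default gateway.
copy_link_routes() {
    grep -Ev '^default' | while read -r route; do
        echo "ip route add table $1 $route"
    done
}

# pbr_all   prints the complete configuration for every line in PBR_LINES,
# including a copy of the main table's link routes when ip(8) is available.
pbr_all() {
    echo "$PBR_LINES" | while read -r mark table port src dev gw; do
        pbr_commands "$mark" "$table" "$port" "$src" "$dev" "$gw"
        if command -v ip >/dev/null 2>&1; then
            ip route show table main 2>/dev/null | copy_link_routes "$table"
        fi
    done
}

case "${1:-print}" in
    apply) pbr_all | sh -e ;;   # execute on the real host, as root
    *)     pbr_all ;;           # dry run: only show what would be executed
esac
```

Run it with no arguments first to review the generated commands, then as root with `apply`. Because it uses `ip rule add` and `ip route add` exactly as the post does, running `apply` a second time on a host that already has the entries fails on the duplicates, so flush the rules and tables before re-applying. To confirm the result, `ip rule show` and `ip route show table 10` list what was installed, and `ip route get 12.34.56.78 mark 1` shows the route the kernel would pick for a packet carrying mark 1.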