Linux Policy Base Routing

Linux Policy Base Routing

What happened in the first place?

When building EC2 on AWS, packets may not reach EC2 with multiple NICs in the following situations, so this is a memorandum. As a configuration, the EC2 instance has multiple NICs, each belonging to a different subnet.

Screen Shot 2020-03-12 at 18.20.43.png

(Quoted from the figure)

The routing table (main) has the following situation. The default GW is a router on the subnet (

[root@ip-10-0-1-5 etc]# ip route show table main dev eth0  proto kernel  scope link  src dev eth1  proto kernel  scope link  src 
default via dev eth0 

In this situation, I tried to ping the NIC (eth1) from the NW belonging to, but there is no return packet. As a result of investigating why, PING has arrived at the EC2, but when returning the return packet, it is sending a packet from the default GW of the EC2, and as a result it does not reach the source. It was a thing.

For the same communication, communication in which the receiving NIC and the returning NIC are different is called asymmetric routing. In Linux, from some version, the following kernel parameters are set to drop packets if the NIC that communicates back is different from the received NIC. This setting is enabled at the packet destination, and only the return communication is filtered.

Return route filter

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

There is a way to disable the above, but it is a security setting for the entire OS to prevent IP spoofing. In order to avoid this, there is also a function called Policy Base Routing, so implement it.

Policy Base Routing

The standard routing table routes packets to a specific router or default gateway by looking at the destination address. On the other hand, Policy Base Routing (PBR) is a function that determines the routing by looking at the source IP address and TCP / UDP port. Also, prioritize PBR as a rule over normal routing.

Therefore, in this case, it can be concluded that the PBR should be set so that packets with a source IP address of as a reference will be skipped to (Although it is the source IP address mentioned here, it refers to the part of the return packet of PING. As you can see by tcpdump, the return packet is 10.0.2.x ==> 10.0.1.x.)

--Since this is the current rule, set the priority to a smaller value than "32766: from all lookup main". The lower the priority, the higher the priority rule

[root@ip-10-0-1-5 etc]# ip rule show
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

--Create route table rules for PBR


ip route flush table 2000
ip route add table 2000 to dev eth1
ip route add table 2000 to default via dev eth1
ip rule add from table 2000 priority 200


cat << EOF > /etc/sysconfig/network-scripts/pbr02-eth1
from table 2000 priority 200

cat << EOF > /etc/sysconfig/network-scripts/route-eth1 dev eth1 table pbr02
default via dev eth1 table 2000

--Setting confirmation system

[root@ip-10-0-1-5 network-scripts]# ip rule show
0:	from all lookup local 
200:	from lookup pbr02 
32766:	from all lookup main 
32767:	from all lookup default 

[root@ip-10-0-1-5 network-scripts]# ip route show table 2000 dev eth1  scope link 
default via dev eth1 


Recommended Posts

Linux Policy Base Routing
PBR (Policy Base Routing) on Linux