
Policy Routing for Multi-Homed Linux Servers

Summary
This document describes the implementation of policy routing for dual-homed Linux servers. Policy routing removes the
need for host routes where the server itself is not initiating communications. In addition, it resolves asymmetric
routing, e.g. a request arrives on interface A but the reply is routed out interface B. With this style of
routing, traffic leaves by the same interface it arrived on by default, unless a more specific routing statement
dictates otherwise.

Requirements
The ip utility must be version iproute2-ss061002 or higher. To check the version, execute "ip -V".

Configuration

#[assumptions]
Eth0 IP Address = 172.16.0.2/24, Default GW = 172.16.0.1
Eth1 IP Address = 192.168.0.2/24, Default GW = 192.168.0.1

#[create the “per interface” routing table]


echo "1 name" >> /etc/iproute2/rt_tables

Example:
for eth0, echo "1 prod" >> /etc/iproute2/rt_tables
for eth1, echo "2 mgmt" >> /etc/iproute2/rt_tables

#[create routing statements for]


echo "ethX_NET_ADDR/BitMask dev ethX src ethX_IP table NAME" >> /etc/sysconfig/network-scripts/route-ethX
echo "default via ethX_Default_GW_IP dev ethX table NAME" >> /etc/sysconfig/network-scripts/route-ethX

Example:
echo "172.16.0.0/24 dev eth0 src 172.16.0.2 table prod" >> /etc/sysconfig/network-scripts/route-eth0
echo "default via 172.16.0.1 dev eth0 table prod" >> /etc/sysconfig/network-scripts/route-eth0

#[create routing rules (policy)]


echo "from ethX_IP/32 table NAME" >> /etc/sysconfig/network-scripts/rule-ethX
echo "to ethX_IP/32 table NAME" >> /etc/sysconfig/network-scripts/rule-ethX

Example:
# the rules match the interface's own address (ethX_IP, here 172.16.0.2), not the gateway
echo "from 172.16.0.2/32 table prod" >> /etc/sysconfig/network-scripts/rule-eth0
echo "to 172.16.0.2/32 table prod" >> /etc/sysconfig/network-scripts/rule-eth0

#[check work]
more /etc/iproute2/rt_tables
more /etc/sysconfig/network-scripts/route-ethX
more /etc/sysconfig/network-scripts/rule-ethX
ip rule show

#[force changes to take effect]


ip route flush cache
Repeat for each interface. Be sure to increment the table number each time a new "per interface" routing table is created.
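As an added example (not part of the original document), the following POSIX shell script stages the rt_tables entry, route-ethX and rule-ethX files from this procedure for one interface into a directory of your choosing, so the result can be reviewed before it is copied to /etc. It derives the network address from the interface's IP and prefix length and refuses a gateway that is not on the interface's subnet; the function names and the staging-directory argument are my own.

```shell
#!/bin/sh
# Added example, not from the original document: stage the per-interface
# policy-routing files from this procedure into a directory for review.
# Assumes the ifup-routes file format shown in this document (one line of
# "ip route add" / "ip rule add" arguments per line).

# net_of IP PREFIX -> network address, e.g. net_of 172.16.0.2 24 -> 172.16.0.0
net_of() {
    prefix=$2
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
                         $(( (net >> 8) & 255 ))  $(( net & 255 ))
}

# gen_policy_routing DIR ID NAME IFACE IP PREFIX GW
# Writes DIR/rt_tables (appended once), DIR/route-IFACE and DIR/rule-IFACE.
# Returns 1 if GW is not on the interface's subnet, because the default
# route in the table would then be unreachable.
gen_policy_routing() {
    dir=$1 id=$2 name=$3 dev=$4 ip=$5 prefix=$6 gw=$7
    net=$(net_of "$ip" "$prefix")
    if [ "$(net_of "$gw" "$prefix")" != "$net" ]; then
        echo "gateway $gw is not in $net/$prefix" >&2
        return 1
    fi
    # one "<id> <name>" line per table; skip if already present
    grep -qs "^$id $name\$" "$dir/rt_tables" || echo "$id $name" >> "$dir/rt_tables"
    # route-IFACE: connected subnet plus default route, both in the named table
    {
        echo "$net/$prefix dev $dev src $ip table $name"
        echo "default via $gw dev $dev table $name"
    } > "$dir/route-$dev"
    # rule-IFACE: traffic from or to the interface address consults that table
    {
        echo "from $ip/32 table $name"
        echo "to $ip/32 table $name"
    } > "$dir/rule-$dev"
}

# Usage (constructed values taken from the assumptions section):
#   d=$(mktemp -d)
#   gen_policy_routing "$d" 1 prod eth0 172.16.0.2 24 172.16.0.1
#   gen_policy_routing "$d" 2 mgmt eth1 192.168.0.2 24 192.168.0.1
#   cat "$d/rt_tables" "$d/route-eth0" "$d/rule-eth0"
```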

Caveats
This configuration will not be persisted unless you are using a version of "ifup-routes" that reads the rule-ethX
files. ifup-routes must contain the following:

# Routing rules
FILES="/etc/sysconfig/network-scripts/rule-$1"
if [ -n "$2" -a "$2" != "$1" ]; then
    FILES="$FILES /etc/sysconfig/network-scripts/rule-$2"
fi

# skip blank lines and comments; the pattern is kept in a variable and used
# unquoted, because bash 3.2 and later treat a quoted right-hand side of =~
# as a literal string rather than a regular expression
blank_or_comment='^[[:space:]]*(#.*)?$'
for file in $FILES; do
    if [ -f "$file" ]; then
        { cat "$file" ; echo ; } | while read line; do
            if [[ ! "$line" =~ $blank_or_comment ]]; then
                /sbin/ip rule add $line
            fi
        done
    fi
done

If this section is missing from "ifup-routes", it can either be appended to the end of that file, or the ip rules
can be placed in "/etc/rc.local". Note: rules placed in rc.local are not re-applied during a network service
restart, and each line must be prefixed with "ip rule add".
