Linux – How to configure linux routing/filtering to send packets out one interface, over a bridge and into another interface on the same box

filteringiptableslinuxnetworking

I'm trying to test a ethernet bridging device. I have multiple ethernet ports on a linux box. I would like to send packets out one interface, say eth0 with IP 192.168.1.1, to another interface, say eth1 with IP 192.168.1.2, on the same subnet.

I realize that normally you don't configure two interfaces on the same subnet, and if you do the kernel routes directly to each interface, rather than over the wire. How can I override this behavior, so that traffic to 192.168.1.2 goes out the 192.168.1.1 interface, and visa-versa?

Thanks in advance!

Best Answer

Use network namespaces. It feels like running a VM but it's not a VM, just something that look like a separate IP stack.

ip netns add otherhost
ip netns exec otherhost /bin/bash

This will open a shell under the otherhost network namespace. If you examine the network configuration in it, you will see that there is no interface. It's like if you were running a different host.

Now, move the eth1 interface to the otherhost network namespace:

ip link set eth1 netns otherhost

Now, the otherhost namespace has your eth1 interface. Configure it like you would do if it were a separate host, and do the same for eth0 on your default network namespace. It's as simple as that.

Note that if you close all your shell to otherhost, the network namespace will disappear, and its interfaces will be moved back into the default network namespace.

Related Solutions

Configure Two Gateways with Different IPs – Linux, iptables

What you want to achieve is multi-homing, not bonding or load-balancing.

To do this you'll need to implement what is known as "policy" or "source based" routing.

Which you can do in Linux by using the iproute2 package.

There is a good article that explains how to, here.

Linux – Force Local IP Traffic to an External Interface

I expanded on caladona's answer since I could not see response packets. For this example:

On my local PC I have NIC's on different subnets, 192.168.1/24, 192.168.2/24
There is an external router/PC that has access to both subnets.
I want to send bi-directional traffic over the NICs on the local PC.
The configuration requires two unused IP addresses for each subnet.

Local PC iptable routes are set to SNAT and DNAT outgoing traffic to the 'fake' IP.

iptables -t nat -A POSTROUTING -d 192.168.1.100 -s 192.168.2.0/24 -j SNAT --to-source      192.168.2.100
iptables -t nat -A PREROUTING  -d 192.168.1.100 -i eth0           -j DNAT --to-destination 192.168.1.1
iptables -t nat -A POSTROUTING -d 192.168.2.100 -s 192.168.1.0/24 -j SNAT --to-source      192.168.1.100
iptables -t nat -A PREROUTING  -d 192.168.2.100 -i eth1           -j DNAT --to-destination 192.168.2.1

The rules do the following:

Rewrite 192.168.2.1 source to 192.168.2.100 on outgoing packets
Rewrite 192.168.1.100 destination to 192.168.1.1 on incoming packets
Rewrite 192.168.1.1 source to 192.168.1.100 on outgoing packets
Rewrite 192.168.2.100 destination to 192.168.2.1 on incoming packets

To summarize, the local system now can talk to a 'virtual' machine with addresses 192.168.1.100 and 192.168.2.100.

Next you have to force your local PC to use the external router to reach your fake IP. You do this by creating a direct route to the IP's through via the router. You want to make sure that you force the packets onto the opposite of the destination subnet.

ip route 192.168.1.100 via $ROUTER_2_SUBNET_IP 
ip route 192.168.2.100 via $ROUTER_1_SUBNET_IP

Finally to make this all work, the external router needs to know how to reach the faked IPs on your local PC. You can do thins by turning on proxy ARPs on for your system.

echo 1 | sudo tee /proc/sys/net/ipv4/conf/all/proxy_arp
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

With this setup, you can now treat the fake IPs as a real system on your local PC. Sending data to .1 subnet will force packets out the .2 interface. Sending data to the .2 subnet will force packets out the .1 interface.

ping 192.168.1.100
ping 192.168.2.100

Best Answer

Related Solutions

Configure Two Gateways with Different IPs – Linux, iptables

Linux – Force Local IP Traffic to an External Interface

Related Topic