[CentOS] Addressing outgoing connections to a specific interface

Sun Nov 14 13:28:40 UTC 2010
Dotan Cohen <dotancohen at gmail.com>

On Thu, Nov 11, 2010 at 00:08, Lamar Owen <lowen at pari.edu> wrote:
> Well, this runs afoul of one of the annoyances with IP.  That is, IP addresses don't belong to the host; they belong to the interface.  Even on a cisco router, to assign the router itself an interface requires a loopback interface be created.
>
> I understand what you want to do; I'm just saying that, unless you can assign a user's applications to a VRF (using cisco terminology; typically done by binding the application to a source address in that VRF) and then use multiple VRF's in the kernel, the kernel assumes that both references to 192.168.0.1 refer to the same device (from the point of view of the kernel, unless you have set up multiple routing tables, there is only one layer 3 network here), and it will choose the interface according to other criteria in the routing tables.
>
> I remember seeing your ifconfig output... yes, you had:
> wlan0: 192.168.0.26/255.255.255.0
> eth0: 192.168.0.101/255.255.255.0
>
> However, you didn't provide routing table output....at least, I don't remember seeing netstat -r or ip route output.  So I'm assuming that you haven't set up multiple routing tables.
>
> This means, from the kernel's point of view, that wlan0 and eth0 are not only in the same layer 3 network, but also on the same subnet/layer 2 segment (thanks to the /24 netmask; the kernel is going to send the packets out one of the interfaces based on the kernel's rules for local subnets). No two hosts can have the same IP address on the same layer 2 segment; as far as the kernel is concerned, eth0 and wlan0 are on the same layer 2 segment.  ( http://linux-ip.net/html/basic-reading.html#basic-local-network )
>
> Now, if you want to do it with routing tables, you can.  The difficult part is getting the web browser to select the right source IP address (according to which interface you want to use), and then you have to write the routing rules based on source address.  It's easier with in-kernel NAT (allowing traffic on the default source IP address to access the desired device solely based on the destination's IP address; and, again, I'm talking entirely from the point of view of the kernel on host C here), but it is doable with policy routing and multiple tables.
>
> A relevant guide is found at: http://linux-ip.net/html/index.html
>
> It has lots of details.
>
> Two things have to happen:
> 1.) You have to set the source IP address to bind per application or per user or based on ENV variable;
> 2.) You have to have two routing tables, with routing based on the bound source address being on one interface or the other (since the destination address is not unique, and since the destination address is the primary route selector, you have to configure a secondary route selector; source IP address is supported through policy routing)
>
> Again, all talk of routing here is from the kernel's point of view on host C (in your diagram).  But, even then this may or may not work, since both networks are locally attached; you might just have to experiment with it.  I did some googling on the subject, but nothing I was able to find in a reasonably short time fit your exact circumstances.
>
> I'll have to admit to some curiosity in how to do this myself; I might lab it up one day and see, when I have more time to spend on it.


Thank you Lamar, I have spent some time googling and learning the
concepts that you mention. I'm not much closer to a solution to this
issue, but I have a much better understanding of IP networks. The
routing tables and netmask concepts were big holes in my knowledge,
and I'm the better for having invested in this query now that I've
cleared some things up.

Thanks.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com
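As an added example (not from the thread or its participants), the source-based policy routing that Lamar's step 2 describes, written as a script for the wlan0/eth0 addresses quoted above; the table ids 101 and 102 and the curl --interface usage are my assumptions.

```shell
#!/bin/sh
# Added example: per-source-address routing tables for two interfaces that
# sit on the same 192.168.0.0/24 (wlan0 192.168.0.26, eth0 192.168.0.101).
# The main table can only select on destination, so each interface gets its
# own table and an "ip rule ... from ADDR" picks the table by source address.
# Table ids 101/102 are assumptions. By default the commands are only printed;
# set APPLY=1 to execute them (root and the real interfaces required).

SUBNET="192.168.0.0/24"

# Emit the iproute2 commands that make packets sourced from ADDR leave via IFACE.
policy_route_cmds() {
    iface="$1"; addr="$2"; table="$3"
    # connected route for the /24 inside this interface's own table
    printf 'ip route add %s dev %s src %s table %s\n' "$SUBNET" "$iface" "$addr" "$table"
    # (if the target sat behind a router, a "default via" entry would go here too)
    printf 'ip rule add from %s lookup %s\n' "$addr" "$table"
}

# Print each generated command, or run it when APPLY=1; stop on the first failure.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || return 1
        else
            echo "$cmd"
        fi
    done
}

policy_route_cmds wlan0 192.168.0.26  101 | run_cmds
policy_route_cmds eth0  192.168.0.101 102 | run_cmds

# Step 1 of the thread still has to be done by the application: bind to the
# source address whose table you want, e.g. with curl's --interface option,
# which accepts an IP address:  curl --interface 192.168.0.26 http://192.168.0.1/
```

Once applied, `ip rule show` and `ip route show table 101` let you confirm which table a given source address selects before trusting the setup with real traffic.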