SysAdmin's Journey

Doing Simple Source Policy Routing on CentOS

I’m not for sure when they did it, but the RHEL folks made it a bunch easier to setup simple source policy routing. By using source policy routing, we fix the issue of firewalls freaking out when the reply packet to a host leaves a multihomed host on a different interface than what the request came in on. In prior versions, you had to setup some custom scripts, but that’s no longer the case - all the hooks are there in the OS now. In this example, imagine a CentOS host with two nics. is on eth0, and is on eth1. The default gateway is set to Any host accessing from any subnet that isn’t on will have it’s reply packets sent out via Some firewalls drop this type of traffic cough Cisco ASA’s cough. Thanks to the iproute2 package in Linux, this is easy enough to fix. RedHat has made it even easier now - we can do this in 3 steps (all performed as root):

Step 1: Create a table

We need to create a table for iproute2. Name it anything you want, and add it to /etc/iproute2/rt_tables, like so:

echo -e
"200\tCorpNet" >> /etc/iproute2/rt_tables

Step 2: Create a route

We need to create a route for eth1 that says to use our CorpNet table defined in Step 1.

echo "default table CorpNet via" >

Step 3: Create a rule

We need to create a rule for eth1 that says to use our route above for traffic received on eth1.

echo "from table CorpNet" >

Step 4: Restart networking

/etc/init.d/network restart

That’s it. Fire up a packet sniffer and verify your config!