Routing application traffic through specific interface

Solution 1

Have you looked at the owner module within iptables, possibly combined with a source NAT rule?

This lets you set up OUTPUT chain rules based on UID, GID, PID, SID and command name.

Solution 2

I believe the best option is to bind each application to a different IP, and use source-based routing to change which interface packets from that source IP go out via.

The general idea is that you can create multiple parallel routing tables ('ip route' has an optional 'table' parameter). Then you add a rule saying "if it's from IP [x.x.x.x] then use table [foo]".

So:

  • Create routing tables [foo1, foo2] in /etc/iproute2/rt_tables
  • Populate routing tables (something like "ip route add default via 1.2.3.4 dev eth0 table foo1" and likewise for foo2)
  • Create rules to say which table to use based on source IP - "ip rule add from 1.2.3.2/32 table foo1", "ip rule add from 1.2.3.3/32 table foo2".

I haven't tested those examples specifically, but I've used similar in the past successfully.
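A script that carries out the three steps above, added here as an example and not part of the original answer. The addresses 1.2.3.2 and 1.2.3.3, the gateways, the table names foo1/foo2 and the devices eth0/eth1 are placeholders for the asker's real values; by default it only prints the commands (DRY_RUN=1), and the rt_tables entries still have to be appended by hand.

```shell
#!/bin/sh
# Added example: source-based policy routing for two application instances,
# each bound to its own local address. All addresses, devices, gateways and
# table names below are placeholders, not values from the original question.

: "${DRY_RUN:=1}"   # 1 = print the commands, 0 = execute them (run as root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 if the argument looks like a dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# rt_table_line NUMBER NAME: the line to append to /etc/iproute2/rt_tables
# so that "table NAME" is accepted by ip route / ip rule.
rt_table_line() {
    printf '%s\t%s\n' "$1" "$2"
}

# route_source SRC_IP TABLE GATEWAY DEV
# Gives SRC_IP its own routing table with a single default route out of DEV,
# then adds a policy rule so packets *from* SRC_IP consult that table.
route_source() {
    is_ipv4 "$1" && is_ipv4 "$3" || { echo "bad address: $1 / $3" >&2; return 1; }
    run ip route flush table "$2"                       # make re-runs idempotent
    run ip route add default via "$3" dev "$4" table "$2"
    run ip rule add from "$1/32" table "$2"
}

# Instance A binds to 1.2.3.2 (leaves via eth0), instance B to 1.2.3.3 (eth1).
# Both addresses must already be configured on the respective interfaces and
# each application instance must bind to its address, as the answer explains.
setup_two_instances() {
    route_source 1.2.3.2 foo1 1.2.3.1 eth0 &&
    route_source 1.2.3.3 foo2 1.2.3.5 eth1
}

setup_two_instances
```

Run as `DRY_RUN=0 sh policy-route.sh` (as root) once the output looks right; `ip rule show` and `ip route show table foo1` confirm what was installed.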

Solution 3

There is support in Linux for binding an application to a specific IP (used for example by Apache). If your application does not support this you are out of luck.

I am not aware of any Linux kernel modules (because that is what you would need) to bind a specific application to an interface even when it tries to bind to *. Using a virtual machine is one possibility.

The closest thing I can come up with to your requirements if there is no application support is Ethernet interface bonding (http://www.cyberciti.biz/howto/question/static/linux-ethernet-bonding-driver-howto.php). But then you would only be running one instance of the application on multiple interfaces with the same ip.

Author: UnicornsAndRainbows

Updated on September 17, 2022

Comments

  • UnicornsAndRainbows over 1 year

    First question here, so please go easy:

    I have a Debian Linux 5.0 server with two public interfaces. I would like to route outbound traffic from one instance of an application via one interface and the second instance through the second interface. There are some challenges:

    • both instances of the application use the same protocol
    • both instances of the application can access the entire internet (can't route based on dest network)
    • I can't change the code of the application
    • I don't think a typical approach to load balancing all traffic is going to work well, because there are relatively few destination servers being accessed in the outbound traffic, and all traffic would really need to be distributed pretty evenly across these relatively few servers.

    I could probably run two virtualized servers on the box and bind each of them to a different interface, but I'm looking for a simpler solution, maybe using iproute or iptables?

    Any ideas for me? Thanks in advance - and I'm happy to answer any questions.

  • UnicornsAndRainbows about 14 years
    I chose this answer because it would be the best option for my needs if my host supported the owner module. It's best for me because it doesn't require application support for binding to a specific interface.
  • akostadinov about 11 years
    only uid and gid currently (unfortunately)