Tag Archives: iproute

Load balance between source IPs in Linux

Today I received a question about how to distribute outgoing connections between several IP addresses attached to one interface. Suppose that you have 3 IPs on the eth0 interface and you want to round-robin outgoing connections over those IPs. With regular iproute commands you can’t, and tricks with fwmarks, ip rule and ip route don’t get you there either.

The only way I’ve found to do it is using SNAT together with the statistic match to get a real round-robin balance:

iptables -t nat -A POSTROUTING -m statistic --mode nth --every 3 -j SNAT --to
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 2 -j SNAT --to
iptables -t nat -A POSTROUTING -m statistic --mode nth --every 1 -j SNAT --to

The IPs used in the example should be local IPs (addresses already configured on the box).


Source routing with Squid

This is a small HOWTO about doing source routing with Squid and Linux. With Squid you can specify the outgoing IP address using ACLs. That means you can select the outgoing IP based on the information inside the HTTP messages, something a firewall can’t do. The syntax is simple:

acl somedomain dstdomain somedomain.com
tcp_outgoing_address somedomain

Those two lines say: “If the request is asking for somedomain.com, go out to the world using IP”.

Now the Linux part. If you have more than one public IP address and you want the Squid configuration above to actually work, you need a few iproute lines.

ip rule add table 10 from
ip route add table 10 default via GW

And those two lines say: “If the source IP of the packet is, go via GW”.

Source routing with Linux is simple. What you do is create a new routing table. That table is used by the packets that match the criteria given in “ip rule”. The default table is “main”: everything goes there when no rule matches. It is the table you see with “ip route” or “route -n” (please, don’t use the latter anymore).
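The two recipes above (round-robin SNAT over several local IPs, and one routing table per source IP for Squid) are easy to get wrong by hand once there are more than three addresses, so here is an added helper script, not from the original posts, that generates the commands for any number of IPs. It only prints the iptables and ip commands for review; the interface, gateway and 198.51.100.x addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original posts. Generates (does not apply)
# the iptables SNAT round-robin rules and the per-source policy-routing
# tables described above, for an arbitrary list of local IPs.

# snat_rules IFACE IP... : one POSTROUTING rule per local IP.
# "-m statistic --mode nth --every N" matches 1 packet in N. Because nat
# rules are consulted only for the first packet of a connection, this is
# effectively 1 connection in N. The first rule takes 1/N of the new
# connections, the next takes 1/(N-1) of what is left, and the last rule
# (--every 1) takes everything that remains, giving an even spread.
snat_rules() {
  iface=$1; shift
  n=$#
  for ip in "$@"; do
    printf 'iptables -t nat -A POSTROUTING -o %s -m statistic --mode nth --every %d -j SNAT --to-source %s\n' \
      "$iface" "$n" "$ip"
    n=$((n - 1))
  done
}

# source_routes GW TABLE_BASE IP... : for each local IP, a rule sending
# packets with that source into its own table, and a default route in that
# table via GW. Tables are numbered TABLE_BASE, TABLE_BASE+1, ...
# This is what makes Squid's tcp_outgoing_address choices leave via the
# right path instead of the main table's default route.
source_routes() {
  gw=$1; base=$2; shift 2
  t=$base
  for ip in "$@"; do
    printf 'ip rule add from %s table %d\n' "$ip" "$t"
    printf 'ip route add default via %s table %d\n' "$gw" "$t"
    t=$((t + 1))
  done
}

# Constructed sample: three local addresses on eth0 behind gateway .1
snat_rules eth0 198.51.100.11 198.51.100.12 198.51.100.13
source_routes 198.51.100.1 10 198.51.100.11 198.51.100.12 198.51.100.13
```

Check the counters with `iptables -t nat -L POSTROUTING -v -n` after applying: with an even connection mix the three SNAT rules should show roughly equal packet counts.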
