I'm a newbie to iptables, but am looking to send traffic to a specific card based on the source. Here's what I would like:

eth0 - all traffic comes in on this NIC

Depending on the source IP, I want to direct traffic out to the Internet on either eth1 or eth2.

I've tried adding the following to the nat iptable but it's not working.

iptables -t nat -A POSTROUTING -s -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s -o eth2 -j MASQUERADE

What steps am I missing?


2 Answers


I was able to make this work using custom route tables:

Create a custom route table: echo 2000 CustomTable >> /etc/iproute2/rt_tables

Add rule: ip rule add from lookup CustomTable

Add route: ip route add default via dev eth1 table CustomTable

This will send any traffic from out on dev eth1

Keep in mind these settings will be lost on reboot or restart of the network services.


I'd be cautious, as IP was designed to route based on destination IP address, and you will be better off if you can make that happen. For instance, if what you really want is all traffic from a particular virtual server to be sent out a particular interface then use bridging instead.

That being said, you can use multiple routing tables along with routing rules. First you'll probably want to give names to the new tables you will create:

echo 2001 default-via-eth1 >> /etc/iproute2/rt_tables
echo 2002 default-via-eth2 >> /etc/iproute2/rt_tables

Then you need to create your special routing tables, which is easy -- just add the name of the table when you create the route (and and are examples -- use the right IP addresses of your gateways here):

ip route add default via dev eth1 table default-via-eth1
ip route add default via dev eth2 table default-via-eth2

And lastly, you link the two together with "rules":

ip rule add pref 30000 from table default-via-eth1
ip rule add pref 30001 from table default-via-eth2

You can see the rules that are in place with this command:

ip rule

You can see what is in a particular routing table with this command:

ip route show table default-via-eth1

CAUTION: There are problems with this if you use a "containers" type of virtual server, like openvz or lxc, and it is because most programs are written using the "unspecified" IP address as the source address. Therefore the kernel must determine what source IP address to use, and it will pick it based on the route used. And I hope you can see the irony there -- the source address is based on the route which is based on the source address! What seems to happen is that the ip rules are ignored and it uses a built-in list of tables to find the route.

Scott Nelson
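The procedure both answers describe (register a table name, give that table its own default route, bind a source prefix to it with an ip rule) plus the MASQUERADE rules from the question, collected into one re-runnable script. This is an added example, not code from the question or from either answer; every subnet, gateway address, table id and table name in it is a constructed placeholder, and the `run`, `register_table` and `route_source` helpers are this example's own. By default it only prints what it would do; with `APPLY=1` and root it executes the commands. It takes `table id == rule pref` as a convenience, which is a choice of this example, not something the answers require.

```shell
#!/bin/sh
# Added example (not from the original question or answers): source-based
# routing with one table per uplink, wrapped so repeated runs do not stack
# duplicate rt_tables lines, rules or routes. All addresses are constructed.
# As the first answer notes, none of this survives a reboot unless the
# distribution's network configuration re-applies it.

APPLY="${APPLY:-0}"                                   # 1 = execute, 0 = print only
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"     # where table names live

# run CMD ARGS...: print the command, and execute it only when APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "$APPLY" = 1 ]; then "$@"; fi
}

# register_table ID NAME: make NAME usable after "table" in ip commands.
# Skipped when the exact line already exists, so re-runs are harmless.
register_table() {
  id="$1"; name="$2"
  if [ -r "$RT_TABLES" ] && grep -q "^$id[[:space:]]$name\$" "$RT_TABLES"; then
    printf '# table %s (%s) already registered\n' "$name" "$id"
    return 0
  fi
  printf 'echo "%s %s" >> %s\n' "$id" "$name" "$RT_TABLES"
  if [ "$APPLY" = 1 ]; then printf '%s %s\n' "$id" "$name" >> "$RT_TABLES"; fi
}

# route_source PREFIX GATEWAY DEV ID NAME: everything sourced from PREFIX
# leaves through DEV via GATEWAY and is masqueraded on that same interface.
route_source() {
  src="$1"; gw="$2"; dev="$3"; id="$4"; name="$5"
  register_table "$id" "$name"
  # "replace" is idempotent; "add" fails once the table already has a default.
  run ip route replace default via "$gw" dev "$dev" table "$name"
  # Rules are consulted in ascending pref; anything below 32766 beats "main".
  # The table id doubles as the pref here. Delete first, because
  # "ip rule add" happily creates a second identical rule on every run.
  run ip rule del from "$src" lookup "$name" pref "$id" 2>/dev/null || true
  run ip rule add from "$src" lookup "$name" pref "$id"
  # NAT on the interface this source is actually routed out of. The question's
  # POSTROUTING rules alone cannot pick the interface; the rule/table pair does.
  run iptables -t nat -A POSTROUTING -s "$src" -o "$dev" -j MASQUERADE
}

# Constructed demo: two disjoint subnets behind eth0, one uplink each.
# Overlapping prefixes would be a mistake: the lower pref would win every time.
route_source 192.0.2.0/25   198.51.100.1 eth1 2001 default-via-eth1
route_source 192.0.2.128/25 203.0.113.1  eth2 2002 default-via-eth2
```

After applying, `ip rule` should list the two `from ... lookup default-via-eth*` entries ahead of `main`, and `ip route show table default-via-eth1` should show only the single default route, which is the check the second answer suggests. The caveat in that answer still applies: a container or daemon that binds to the unspecified address is routed before any of these source-matching rules can fire.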