AWS / CentOs 6 and interfaces

John Nielsen lists at jnielsen.net
Thu Nov 5 14:40:10 MST 2015


If you have “public” IPs on multiple distinct interfaces then you need to do source-based routing to avoid breaking things.

On Linux it’s actually pretty easy to do but takes a few steps and isn’t always obvious or intuitive.

What you have now is presumably a single routing table with a single default route, pointing to something on eth0.

What you want is a second routing table with a distinct default route, pointing to something on eth1. And then rules to tell the kernel when to use which routing table.

Quick and dirty:

echo "100 eth1gw" >> /etc/iproute2/rt_tables

For each subnet on eth1
echo "sub.net.and.ma/sk dev eth1 table eth1gw" >> /etc/sysconfig/network-scripts/route-eth1
echo "from sub.net.and.ma/sk lookup eth1gw" >> /etc/sysconfig/network-scripts/rule-eth1

Once for the gateway you want to use via eth1
echo "default via ga.te.way.ip table eth1gw" >> /etc/sysconfig/network-scripts/route-eth1

Restart the interfaces or do the equivalent "ip route add" and "ip rule add" commands by hand and you should be in business.

If there are certain routes you always want to use a certain source IP for you can add those to the (main) routing table with a "src" argument. If your software already binds to specific IPs then that might not be necessary. For testing via ping, etc. you can tell it which source IP to use on the command line.

> On Nov 5, 2015, at 2:15 PM, Matthew Frederico <mfrederico at gmail.com> wrote:
> 
> I've checked with the GOOGLEBOT, and ran through several different
> configuration options and no dice.
> 
> I have a client building out his technology on AWS - however AWS only
> allows for 10 ips on a single interface and he needs ~ 20 to resolve to a
> single machine.
> 
>   - It's an M4 size instance so that gives me 2 interfaces to bind to it.
>   - I am able to bind localnet IPs to the interface ETH1 - however not
>   sure why it can't see the outside world and vice-versa
>      - I suspect a routing issue - but I'm wondering if bonding or
>      bridging the interfaces would be a solution?
> 
> I'm up against a brutal deadline on this and can give ssh access to the
> server if necessary.
> 
> -- 
> -`;'- Matthew Frederico
> 
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
> 
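The procedure above, as an added worked example that is not part of John's message or of the PLUG thread: a POSIX sh script that generates the route-eth1 and rule-eth1 files for CentOS 6 initscripts and the equivalent "ip route add" / "ip rule add" commands, and applies them only when run with APPLY=1 (otherwise it is a dry run that just prints the commands). The table number and name (100 / eth1gw) follow the message; the interface, the two subnets and the gateway address are assumed placeholder values and must be replaced with the subnet(s) configured on eth1 and that subnet's first-hop router.

```shell
#!/bin/sh
# Added example (not from the original post): generate, and optionally apply,
# source-based (policy) routing for a second interface on CentOS 6.
# TABLE_ID/TABLE_NAME follow the thread; IFACE, SUBNETS and GATEWAY are
# assumed placeholders.

TABLE_ID=100
TABLE_NAME=eth1gw
IFACE=eth1
GATEWAY=10.0.1.1                      # assumed: first-hop router on eth1
SUBNETS="10.0.1.0/24 10.0.2.0/24"     # assumed: subnets whose IPs sit on eth1
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
SCRIPTS=${SCRIPTS:-/etc/sysconfig/network-scripts}

# Lines for route-$IFACE: one connected route per subnet, then the default
# route, all in the secondary table. ifup-routes runs "ip route add <line>"
# for each line, so the subnet routes must come before the default route.
gen_route_file() {
    for s in $SUBNETS; do
        printf '%s dev %s table %s\n' "$s" "$IFACE" "$TABLE_NAME"
    done
    printf 'default via %s table %s\n' "$GATEWAY" "$TABLE_NAME"
}

# Lines for rule-$IFACE: packets sourced from an eth1 subnet consult the
# secondary table instead of main. ifup-routes runs "ip rule add <line>".
gen_rule_file() {
    for s in $SUBNETS; do
        printf 'from %s lookup %s\n' "$s" "$TABLE_NAME"
    done
}

# The same configuration as hand-typed iproute2 commands, for applying
# without restarting the interface.
gen_ip_commands() {
    gen_route_file | sed 's/^/ip route add /'
    gen_rule_file  | sed 's/^/ip rule add /'
}

# Register the table name once (idempotent), write the initscripts files,
# and apply the commands. Requires root; only called when APPLY=1.
apply_config() {
    grep -q "^$TABLE_ID[[:space:]]$TABLE_NAME\$" "$RT_TABLES" 2>/dev/null \
        || echo "$TABLE_ID $TABLE_NAME" >> "$RT_TABLES"
    gen_route_file > "$SCRIPTS/route-$IFACE"
    gen_rule_file  > "$SCRIPTS/rule-$IFACE"
    gen_ip_commands | sh -e
}

# Verification: show which gateway/device the kernel picks for a packet to
# $1 sent with source address $2 ($2 must be an address configured locally).
check_path() {
    ip route get "$1" from "$2"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_config
else
    echo "# dry run; set APPLY=1 (as root) to write files and apply"
    gen_ip_commands
fi
```

After applying, "check_path 8.8.8.8 10.0.1.10" (with an address that is actually configured on eth1) should print a route "via" the eth1 gateway on "dev eth1"; the same lookup with an eth0 source should still show the eth0 gateway. On the 2.6.32 kernel in CentOS 6 the routing cache can keep old decisions alive after rules are added by hand, so run "ip route flush cache" before testing; restarting the interface, as the message suggests, has the same effect.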
