Controlling which outbound IP to use

Mon, 03/03/2014 - 21:55 -- Joris

On a Linux box with more than one IP address, the outbound IP address isn't always the same. In my experience, on Enterprise Linux it is most often the first added IP; on Debian-based Linux it is the last added IP. This uncertainty isn't what you want in a production environment. Luckily, there is a way to control this. This blog post provides a persistent solution for Enterprise Linux.

More than one IP

In this example the interface is called 'em', because it is physical on the motherboard. When you're trying this out in a virtual machine, chances are you have to look for an 'eth' interface.

Find your interface description file in /etc/sysconfig/network-scripts/ and make sure it sets a static IP.

# cat /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
BOOTPROTO=none
BROADCAST=192.168.0.255
DNS1=8.8.8.8
GATEWAY=192.168.0.1
HWADDR=d4:ae:52:cc:c0:4a
IPADDR=192.168.0.4
NETMASK=255.255.255.0
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="5475613b-49e6-4338-9c7a-3c75af3fabfa"
DNS2=8.8.4.4
IPV6INIT=no
USERCTL=no

To set a secondary IP, we create a file named ifcfg-em1:0. The next IP you want to add can go in ifcfg-em1:1, and so on.

# vi /etc/sysconfig/network-scripts/ifcfg-em1:0
DEVICE=em1:0
BOOTPROTO=none
BROADCAST=192.168.0.255
DNS1=8.8.8.8
GATEWAY=192.168.0.1
IPADDR=192.168.0.5
NETMASK=255.255.255.0
NM_CONTROLLED=no
ONPARENT=yes
TYPE=Ethernet
DNS2=8.8.4.4
IPV6INIT=no
USERCTL=no


Using ip route to control outbound IP

First, let's check our routing table. It should look something like this.

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 em1
link-local      *               255.255.0.0     U     1002   0        0 em1
default         192.168.0.1     0.0.0.0         UG    0      0        0 em1

Next, we delete the default route:

# ip route del default

Check that the default route is indeed gone:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 em1
link-local      *               255.255.0.0     U     1002   0        0 em1

Now we're going to add the default route again. We give the device (dev), the default gateway (via) and an extra parameter (src) with the desired IP of the interface to use for outbound connections:

# ip route add default dev em1 via 192.168.0.1 src 192.168.0.5

The key here is the 'src' parameter. It specifies the IP to use for outbound traffic.

Making changes persistent

To make these changes permanent, we are going to make a few additional changes to the configuration files. Warning: it is now important to have physical access to the machine (i.e. keyboard and mouse, or a SPICE connection to a KVM guest).

In the description file we add the 'DEFROUTE' (default route) parameter and set it to 'no' to disable it.

# vi /etc/sysconfig/network-scripts/ifcfg-em1
DEFROUTE=no

We also need to add a route-{interface name} file. In this file we're going to specify the default route as before, on a single line. (Note that the leading 'ip route add' command is left out here.)

Add the following file:

# vi /etc/sysconfig/network-scripts/route-em1

(according to the interface name)

default via 192.168.0.1 src 192.168.0.5

via : the default gateway
src : ip address to use for outbound traffic
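
A pre-flight check for the files above, to run before restarting the network. This is an added example, not part of the original post; the function names are made up for it, and it assumes the ifcfg-*/route-* layout shown on this page.

```shell
#!/bin/sh
# Added example: sanity checks for the persistent source-IP setup.
# Function names are this example's own, not part of any distribution tool.

# Print the "src" address found in `ip route get` output read on stdin.
# After a restart:  ip -4 route get 8.8.8.8 | route_get_src
route_get_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Print the "src" address on the "default" line of a route-<iface> file.
route_file_src() {
    awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "src") { print $(i + 1); exit }
    }' "$1"
}

# Succeed if address $3 is the IPADDR of ifcfg-<iface> or of an alias
# file ifcfg-<iface>:N in directory $1.
iface_has_addr() {
    for f in "$1/ifcfg-$2" "$1/ifcfg-$2":*; do
        [ -f "$f" ] || continue
        awk -F= -v a="$3" '$1 == "IPADDR" { gsub(/"/, "", $2); if ($2 == a) ok = 1 }
            END { exit !ok }' "$f" && return 0
    done
    return 1
}

# usage: preflight <config dir> <iface>
# Checks the three things that must agree before the change survives a restart.
preflight() {
    dir=$1 ifc=$2
    [ -f "$dir/route-$ifc" ] || { echo "route-$ifc: file missing"; return 1; }
    src=$(route_file_src "$dir/route-$ifc")
    [ -n "$src" ] || { echo "route-$ifc: no 'src' on the default route"; return 1; }
    iface_has_addr "$dir" "$ifc" "$src" ||
        { echo "$src is not an IPADDR of $ifc or its aliases"; return 1; }
    grep -Eqx 'DEFROUTE="?no"?' "$dir/ifcfg-$ifc" ||
        { echo "ifcfg-$ifc: DEFROUTE=no is not set"; return 1; }
    echo "ok: outbound src will be $src"
}

# When called with two arguments, run the check directly, e.g.
#   sh preflight.sh /etc/sysconfig/network-scripts em1
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```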