Source IP selection for passive responses and actively initiated connections when a single machine has multiple IP addresses

Source: Internet
Author: User
Tags: iptables

If a host has multiple IP addresses bound to it, the mechanism for choosing the source IP address differs between the two cases of passively responding to a request and actively initiating a connection.

When the host receives a packet from outside and sends a response, the source address of the response is obviously the address the client sent its request to. This is easy to understand: if the client sends its request to the host's address , then the source IP address of the host's response packet must be

The source IP address is chosen differently when the host itself initiates a request. Most of us have little insight into this problem, so in order to get to the bottom of it I spent a lot of time consulting various materials; the conclusions are as follows:

When a host creates an IP packet, it is critical that the correct source IP address is selected, because only a correct source address lets the receiver reply to the right place. If the source address is wrong, the host will never get a response.

Linux 2.2 selects the source IP address using the following three mechanisms:

1. An application can specify the source IP address explicitly, either with the bind(2) system call or per packet through the sendmsg(2) call and the IP_PKTINFO ancillary data object. In this case the kernel only checks that the source IP address is valid (one of its own addresses); otherwise the call fails with the corresponding error.

2. If the application does not specify a source IP address, the matching entry in the routing table determines it: the source IP address is given by the src attribute of the route, which is set with the ip route command. If the matching route has no src attribute, the primary IP address is used.

3. In all other cases the kernel searches for an IP address on the interface the packet is routed out of. For IPv6 it selects the first available IP address. For IPv4 it tries to select a source IP in the same subnet as the destination IP; if the destination IP is not in the same subnet as any of the host's own IPs, the second mechanism is used.
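As an added example that is not part of the original article, the following Python function models the three-step selection described above over a constructed host whose addresses and ip route lines use documentation ranges rather than the article's own addresses; parse_route, select_source, ADDRS and ROUTES are assumptions of the example, not kernel code. Passing a routing table that carries an explicit src on the default route reproduces the effect of the ip route change ... src procedure shown later on this page.

```python
import ipaddress

# Constructed sample host (documentation ranges, not the article's addresses).
# Address order per interface matters: the first entry is the primary address.
ADDRS = {"eth0": ["192.0.2.10/24", "192.0.2.20/24", "198.51.100.5/24"]}
ROUTES = [
    "192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10",
    "198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.5",
    "default via 192.0.2.1 dev eth0",
]

def parse_route(line):
    """Turn one 'ip route' output line into a dict of prefix, dev, via, src."""
    words = line.split()
    prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
    route = {"prefix": ipaddress.ip_network(prefix, strict=False),
             "dev": None, "via": None, "src": None}
    for key in ("dev", "via", "src"):
        if key in words:
            route[key] = words[words.index(key) + 1]
    return route

def select_source(dst, routes=ROUTES, addrs=ADDRS, bound=None):
    """Return the source IP a Linux host would pick for a new flow to dst."""
    dst = ipaddress.ip_address(dst)
    local = {ipaddress.ip_interface(a).ip for dev in addrs for a in addrs[dev]}
    # 1. bind(2) / IP_PKTINFO: the kernel only checks that the address is local.
    if bound is not None:
        if ipaddress.ip_address(bound) not in local:
            raise OSError("EADDRNOTAVAIL: %s is not a local address" % bound)
        return bound
    # 2. Longest-prefix match; an explicit 'src' on the matching route wins.
    parsed = [parse_route(line) for line in routes]
    match = max((r for r in parsed if dst in r["prefix"]),
                key=lambda r: r["prefix"].prefixlen, default=None)
    if match is None:
        raise OSError("ENETUNREACH: no route to %s" % dst)
    if match["src"]:
        return match["src"]
    # 3. Otherwise prefer an address that shares a subnet with the next hop
    #    (the gateway for a 'via' route, the destination itself for a direct
    #    route), falling back to the interface's primary (first) address.
    hop = ipaddress.ip_address(match["via"]) if match["via"] else dst
    ifaces = [ipaddress.ip_interface(a) for a in addrs[match["dev"]]]
    for iface in ifaces:
        if hop in iface.network:
            return str(iface.ip)
    return str(ifaces[0].ip)
```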

The corresponding reference article:

By default, if a Linux network card has multiple IPs located in different subnets and the destination address of a packet falls within one of those subnets, the IP in that subnet is used as the source. If eth0 has the two IPs and , then packets to the subnet will use as their source address. Of course, you can also use the src attribute of ip route to specify the source address.

If several of the bound IPs are in the same subnet, the primary IP address is used (for example the IP on the eth0 interface). Alternatively, you can use iptables to rewrite the source address of the packet, for example:

iptables -t nat -I POSTROUTING -o eth0 -d <destination> -j SNAT --to-source <source-ip>

Having finished analysing the principle and the method, let us demonstrate it with an actual example.

The Linux host has the following IPs bound (gateway ):
eth0 , eth0:1 , eth0:2

In addition, you can use the ip addr add command to bind multiple IPs without creating sub-interfaces.

In the above case, becomes the default primary IP.

Objective: when this host initiates a new connection, its source IP address should be , not the default .

Method: modify the source IP (src) attribute of the routing table.
I. View the system's IP addresses and routing table (the commands typed are shown after the prompt)
[root@localhost ~]# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet  scope host lo
    inet  scope global lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether f4:6d:04:76:ca:98 brd ff:ff:ff:ff:ff:ff
    inet  brd  scope global eth0
    inet  scope global eth0
    inet  scope global secondary eth0
    inet  scope global secondary eth0

Note that is the primary (global) address and the other addresses are secondary.

[root@localhost ~]# ip route
 dev eth0 proto kernel scope link src
 dev eth0 proto kernel scope link src
 dev eth0 scope link
default via dev eth0

Note in the above output that the route to the local subnet uses the primary IP address as its source. The route via the default gateway does not specify a source IP (in practice it uses the primary IP in the same subnet as the gateway).

Modify the routing table so that the system uses the specified IP ( ) as the source:
[root@localhost ~]# ip route change default dev eth0 src

[root@localhost ~]# ip route change to dev eth0 src

[root@localhost ~]# ip route
 dev eth0 scope link src
 dev eth0 proto kernel scope link src
 dev eth0 scope link
default dev eth0 scope link src

From the final output we find that the change has taken effect; then use another host to actually test it. If you have any doubts, please contact

There is another way to modify the source IP address, using iptables:

iptables -t nat -I POSTROUTING -o eth0 -d 192.168.0.250 -j SNAT --to-source <source-ip>

In the experiment this also passed the test, but modifying the routing table is clearly the better way.

PREROUTING and POSTROUTING are also frequently used on NAT gateways for network address translation, and there are some rules:

PREROUTING is for destination address translation (DNAT): it converts a public IP address into one of your internal IPs, so that outside users can reach the servers protected behind your internal firewall.

POSTROUTING is for source address translation (SNAT): it converts the internal, firewall-protected IP addresses to your local public IP address so that those hosts can access the Internet. SNAT rewrites the source address of the packet.
Example: change the source IP address of all packets from to :
iptables -t nat -A POSTROUTING -s <internal-network> -o eth0 -j SNAT --to-source <public-ip>

DNAT is used to provide WWW, FTP and other services to the outside.
For example: change the destination IP address of all packets from to :
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 65533 -j DNAT --to-destination <internal-ip>

To modify the source IP in the NAT table:
iptables -t nat -I POSTROUTING -d <destination> -p udp --sport 5060 -j SNAT --to-source <source-ip>

List the NAT table rules:
iptables -t nat -L

Flush the NAT table rules:
iptables -t nat --flush
