Change the default route without affecting existing TCP connections

Posted by Patrick Horn on Super User See other posts from Super User or by Patrick Horn
Published on 2012-11-26T08:31:22Z Indexed on 2012/12/02 5:08 UTC
Read the original article Hit count: 447

Filed under:
|
|
|
|

Let's say I have two public network addresses on my server: one NAT through an ISP (192.168.99.0/24), and a VPN through a different ISP (192.168.1.0/24), already configured with a per-host route to the VPN server through my ISP.

Here is my initial routing table. I am currently routing through my ISP on subnet 192.168.99.0/24.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.99.1    0.0.0.0         UG    0      0        0 eth1
55.66.77.88     192.168.99.1    255.255.255.255 UGH   0      0        0 eth1
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 tap0

Now, I want new TCP connections to switch to my 192.168.1.0/24 so I type the following:

$ route add -net 0.0.0.0 gw 192.168.1.1 dev tap0

When I do this, it causes some long-standing TCP connections to hang. Is there a way to I safely change the default interface for new connections, while allowing existing TCP connections to use the old route (i.e. do I need enable some sort of stateful routing table)?

I am okay with a solution that only works with established TCP connections, and I don't care how hacky it is. For example, if there is a way to add temporary iptables rules for existing connections to force them over the old route. But there has to be some way to do this.

EDIT: Just a note about a simple "route add -host ... " for existing connections: this solution would work if I am fine with leaving a subset of IPs on the old interface. However, in my application, this actually doesn't solve my problem because I want to allow new connections to come on the new interface even if they have the same source IP. I'm now looking at using the "ip route" command to set source-based routing rules.

© Super User or respective owner

Related posts about linux

Related posts about routing