
I have 2 network interfaces in an EC2 Linux server (eth0, eth1). After configuring the second NIC (eth1), I'm able to ping both public IPs from eth0 and eth1, as well as connect through SSH.

Now, my idea is to rotate the IP from both NICs on all outgoing packets. I once achieved something similar with multiple IPs under one single NIC using iptables with this script:

#!/bin/sh
# Rotate the SNAT source address across several IPs bound to one interface.
ip_list="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy"
dest_port="443"
interface="eth0"

# Number of addresses. Each rule catches every $i-th new connection that reaches
# it, so the counter shrinks as rules are appended and every address gets a share.
i=$(echo $ip_list | wc -w)
for each in $ip_list; do
    /sbin/iptables -t nat -A POSTROUTING -m state --state NEW -p tcp --dport $dest_port -o $interface \
        -m statistic --mode nth --every $i --packet 0 -j SNAT --to-source $each
    i=$((i-1))
done

But with 2 NICs I don't know how to accomplish the same... I've tried changing $interface to both eth0 and eth1, but nothing. No matter what I try, packets are always sent from the same public IP address on eth0.

Here is additional info about the settings of the second NIC I configured, as I guess the problem might come from here:

# ifconfig
eth0      Link encap:Ethernet  HWaddr 06:90:23:13:e8:22  
          inet addr:172.31.21.40  Bcast:172.31.31.255  Mask:255.255.240.0
          inet6 addr: fe80::490:23ff:fe13:e822/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:2818 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2326 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:327725 (327.7 KB)  TX bytes:594758 (594.7 KB)

eth1      Link encap:Ethernet  HWaddr 06:00:2e:05:47:ca  
          inet addr:172.31.26.216  Bcast:172.31.31.255  Mask:255.255.240.0
          inet6 addr: fe80::400:2eff:fe05:47ca/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:1030 errors:0 dropped:0 overruns:0 frame:0
          TX packets:935 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:85024 (85.0 KB)  TX bytes:165754 (165.7 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:942 errors:0 dropped:0 overruns:0 frame:0
          TX packets:942 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:323801 (323.8 KB)  TX bytes:323801 (323.8 KB)

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.16.1     0.0.0.0         UG    0      0        0 eth0
172.31.16.0     0.0.0.0         255.255.240.0   U     0      0        0 eth0
172.31.16.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1


# ip route show table 2
default via 172.31.16.1 dev eth1

# cat /proc/sys/net/ipv4/ip_forward
1

Any idea how I should manage this?!

PS: I'm really new to networks, so please go easy on me...

wj127

1 Answer

DNAT happens in the POSTROUTING chain, that is, after Linux has made its routing decision. Linux selects the outgoing interface for an IP packet by selecting an entry for the next hop via a lookup in the routing table.

This means that the interface to use for the outgoing packet is already selected when the packet enters the POSTROUTING chain. Then, the DNAT rule cannot be used with an IP address that is not bound to the outgoing packet's interface. This is why your packets will have the original interface IP address.

To actually get the behaviour you want, you need to somehow alter the routing decision to get Linux to use another interface. Policy routing is the mechanism used to alter the default routing behaviour of Linux.

However, I do not know if it is possible to implement this "different interface for every outgoing TCP connection" with it. It would require TCP connection state tracking to make sure a single TCP connection would always use the same outgoing interface. Even if it were possible, it would require a lot of effort to implement and a good understanding of TCP/IP networking.

Tero Kilkanen
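The policy-routing approach the answer points to, worked through for the addresses shown in the question. This is an added example, not code from the question or from the answer. It assumes that routing table 2 is the one the question already created (it is re-created here with `ip route replace`, so that step is safe to repeat), that fwmark value 2 is unused on the host (an arbitrary choice), and that the VPC maps the public IPs onto the private ENI addresses, so SNAT only has to rewrite the source to the private address of the interface the route lookup chose. The per-connection state tracking the answer says would be needed is done with conntrack marks: the "which interface" decision is made once per NEW connection in the mangle OUTPUT chain, saved into the conntrack entry, and restored for every later packet of that flow, so a single TCP connection never changes interface.

```shell
#!/bin/sh
# Added example: per-connection egress interface selection on a two-ENI EC2 host.
# Addresses, gateway and table number come from the question; MARK is a
# hypothetical fwmark value. Dry-run by default (prints the commands);
# run with DRY_RUN=0 to apply them as root.
DRY_RUN="${DRY_RUN:-1}"

ETH1_IP="172.31.26.216"   # eth1 address from the question's ifconfig output
GW="172.31.16.1"          # gateway from the question's route -n output
TABLE=2                   # routing table the question already created
MARK=2                    # fwmark meaning "route via eth1" (arbitrary, assumed free)
DEST_PORT=443             # destination port used in the question's script

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Routing side. Table 2 sends traffic out via eth1. Two rules select it:
#    anything sourced from eth1's address (so replies to connections that
#    arrived on eth1 leave on eth1 and pass the VPC source/destination check),
#    and anything carrying the fwmark set below.
setup_routing_rules() {
    run ip route replace default via "$GW" dev eth1 table "$TABLE"
    run ip rule add from "$ETH1_IP" lookup "$TABLE" priority 100
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 200
    run ip route flush cache
}

# 2. Marking side, in mangle OUTPUT (before the rerouting of locally generated
#    packets). Order matters: restore a saved mark for existing flows, then mark
#    every second NEW connection, then save whatever mark the packet has so the
#    rest of the flow reuses the same decision.
setup_connection_marking() {
    run iptables -t mangle -A OUTPUT -p tcp --dport "$DEST_PORT" \
        -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -p tcp --dport "$DEST_PORT" \
        -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport "$DEST_PORT" \
        -j CONNMARK --save-mark
}

# 3. Address side. The rerouted packet now leaves via eth1 but still carries the
#    source address picked by the first lookup (eth0's), which the VPC would
#    drop. Rewriting the source is the one job SNAT in POSTROUTING can do here.
setup_snat() {
    run iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport "$DEST_PORT" \
        -j SNAT --to-source "$ETH1_IP"
}

setup_policy_routing() {
    setup_routing_rules
    setup_connection_marking
    setup_snat
}

setup_policy_routing
```

Run it once as `sh rotate.sh` to review the generated commands, then `DRY_RUN=0 sh rotate.sh` to apply them. The `ip rule add` and `iptables -A` steps are not idempotent, so flush or check the existing rules before applying a second time. The `from 172.31.26.216 lookup 2` rule is worth having even without any rotation: it is what makes the second ENI usable for inbound SSH and pings at all, since without it replies would leave via eth0 with eth1's source address.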