Describing the routing policy rules in a Linux environment is a rather long and complex task; with this article I just want to give an introduction to what you can do with your Linux box and the commands available in the iproute2 package.
For more info I suggest the site: http://www.policyrouting.org/
iproute2 is a collection of utilities for controlling TCP and UDP IP networking and traffic control in Linux, in both IPv4 and IPv6 networks. It is currently maintained by Stephen Hemminger. The original author, Alexey Kuznetsov, was responsible for the QoS implementation in the Linux kernel.
iproute2 is intended to replace an entire suite of legacy Unix networking tools (often called “net-tools”) that were previously used for the tasks of configuring network interfaces, routing tables, and managing the ARP table, but which have not been developed since 2001.
Tools replaced by iproute2 are:
Address and link configuration: ifconfig → ip addr, ip link
Routing tables: route → ip route
Neighbors: arp → ip neigh
Tunnels: iptunnel → ip tunnel
Multicast: ipmaddr → ip maddr
Statistics: netstat → ss
iproute2 unifies the syntax for these various commands, which evolved over many years of Unix development. The iproute2 syntax is much simpler and more consistent for all of the functions that it provides, and imitates the syntax of Cisco’s IOS operating system.
The base form of every command is:
ip <object> <action> <parameters>
Working with IP addresses and network cards
With the link object we work with the network cards; some examples are:
ip link show: display the status of all network cards (up/down) and also their MAC address
ip link set eth0 down|up: change the status of network card eth0
With the address object we work with the IP addresses set (or to be set) on the network adapters.
ip address show: display the IP addresses of all network cards.
ip addr add 192.168.0.23/24 brd + dev eth1: add the address 192.168.0.23 to eth1. After that command I had on my eth1:
ip a l eth1
7: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:02:8a:9f:21:34 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1
inet 192.168.0.23/24 brd 192.168.0.255 scope global secondary eth1
So the command adds a secondary address to the network card.
With the route object we can see and manipulate routing tables.
ip route show: show the default (main) routing table.
This was just a short introduction, but let's see now how to do:
Dynamic policy routing.
Example: we have a firewall box (made with Linux, of course) that is connected to 3 different networks:
– Public router – net 18.104.22.168/24 GW 22.214.171.124
– DMZ area – net 192.168.0.0/24 GW 192.168.0.1
– Internal network – net 10.0.0.0/24 GW 10.0.0.1
Default route on the public NIC:
ip route show
126.96.36.199/24 dev eth2 proto kernel scope link src 188.8.131.52
default via 184.108.40.206 dev eth2
A possible problem: you have to ssh to the firewall box to manage it. As long as you come from a network that is present on the NICs of the box you'll have no problems, because the static route for that network will send the reply packets back out of the correct NIC.
But if you come from another private network (say 10.10.10.0/24) that reaches the internal NIC (10.0.0.0/24), what will happen?
If you have also added a static route for 10.10.10.0/24, all will be fine and the packets will return from the correct NIC; otherwise the reply packets will use the default gateway, so the box will try to use the public interface to return to 10.10.10.0/24, creating an asymmetric routing path and probably failing to reach it.
The 2 solutions are:
- Add static routes to cover any possible traffic; this is usually not suggested unless you have a small network that will not change over time.
- Create the rules to do dynamic (policy) routing.
This solution simply means "send the reply packet out of the network interface from which the request came"; it sounds good, no?
As a first step we add 2 more routing tables, so we'll have a total of 3 routing tables:
1 default table (you can have only 1 default by definition) that uses the public interface's GW
1 table (table 2) that uses the internal network GW
1 table (table 3) that uses the DMZ network GW
ip route add table 2 default via 10.0.0.1
ip route add table 3 default via 192.168.0.1
Now we just need to tell the kernel when to use these additional tables, and iproute2 comes to the rescue:
ip rule allows adding routing rules, in fact we just have to give these two commands:
ip rule add from 10.0.0.0/24 table 2
ip rule add from 192.168.0.0/24 table 3
And now we have a box with dynamic policy routing enabled. Simple... or not?
It's possible to display the additional routing tables with the command:
ip route show table X
Or flush one completely with:
ip route flush table X
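The whole procedure above (per-network tables, the "from" rules, and the show/flush commands), collected into one script as an added example that is not part of the original article. It uses the article's internal and DMZ networks and gateways; the interface names eth0 (internal) and eth1 (DMZ) are assumptions, since the article only names the public NIC eth2. With DRY_RUN=1 (the default) it prints the ip commands instead of running them, so it can be reviewed without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example: policy routing so that replies leave through the NIC the
# request arrived on. Hypothetical NIC names: eth0 = internal, eth1 = DMZ.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them (root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_policy_table TABLE NET GW DEV
# Creates a routing table for one directly attached network:
#  - the connected route, so replies to hosts on NET itself go out directly
#    and not via the gateway (the article's tables hold only the default route);
#  - a default route via that network's gateway;
#  - a rule sending every packet sourced from NET to that table. Replies to a
#    remote client are sourced from the box's own address in NET, which is
#    exactly what the "from" rule matches.
add_policy_table() {
    table="$1"; net="$2"; gw="$3"; dev="$4"
    run ip route add table "$table" "$net" dev "$dev" scope link
    run ip route add table "$table" default via "$gw" dev "$dev"
    run ip rule add from "$net" table "$table"
}

# Table 2: internal network, table 3: DMZ (numbers as in the article).
setup_policy_routing() {
    add_policy_table 2 10.0.0.0/24 10.0.0.1 eth0
    add_policy_table 3 192.168.0.0/24 192.168.0.1 eth1
}

# Verification: rules in evaluation order, then each extra table.
show_policy_routing() {
    run ip rule show
    run ip route show table 2
    run ip route show table 3
}

# Undo: delete the rules first so no lookup hits an empty table, then flush.
teardown_policy_routing() {
    run ip rule del from 10.0.0.0/24 table 2
    run ip rule del from 192.168.0.0/24 table 3
    run ip route flush table 2
    run ip route flush table 3
}

setup_policy_routing
show_policy_routing
```

The `ip rule show` output is worth reading after setup: the main table is still consulted for everything else through the default rules, and only packets whose source address lies in 10.0.0.0/24 or 192.168.0.0/24 are diverted to tables 2 and 3.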
As usual I hope that my article is a good starting point to let you understand the potential of the commands described; for further reading check also this link: http://linux-ip.net/