Oct 04 2010

Policy routing in Linux. Describing the routing policy rules in a Linux environment is a rather long and complex task; with this article I just want to give an introduction to what you can do with your Linux box and the commands available in the iproute2 package.

For more info I suggest the site: http://www.policyrouting.org/

iproute2 is a collection of utilities for controlling TCP and UDP IP networking and traffic control in Linux, in both IPv4 and IPv6 networks. It is currently maintained by Stephen Hemminger. The original author, Alexey Kuznetsov, was responsible for the QoS implementation in the Linux kernel.

iproute2 is intended to replace an entire suite of legacy Unix networking tools (often called “net-tools”) that were previously used for the tasks of configuring network interfaces, routing tables, and managing the ARP table, but which have not been developed since 2001.

Tools replaced by iproute2 are:

Address and link configuration: ifconfig → ip addr, ip link

Routing tables: route → ip route

Neighbors: arp → ip neigh

Tunnels: iptunnel → ip tunnel

Multicast: ipmaddr → ip maddr

Statistics: netstat → ss

iproute2 unifies the syntax for these various commands, which evolved over many years of Unix development. The iproute2 syntax is much simpler and more consistent for all of the functions that it provides, and imitates the syntax of Cisco’s IOS operating system.


The basic form of every command is: ip <object> <action> <parameters>

Working with IP and network card

1 ip link

With link we work on the network cards themselves; some examples are:

ip link show – Display the status of all network cards (up/down) and also their MAC address.

ip link set eth0 down|up – Change the status of network card eth0.

2 ip address

With address we work on the IP addresses set (or to be set) on the network adapters.

ip address show – Display the IP addresses of all network cards.

ip addr add brd + dev eth1 – Add the given address to eth1 (brd + derives the broadcast address from the prefix). After that command I had on my eth1:

ip a l eth1

7: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:02:8a:9f:21:34 brd ff:ff:ff:ff:ff:ff

inet brd scope global eth1

inet brd scope global secondary eth1


So the command added a secondary address on the network card.

3 ip route

With route we can see and manipulate routing tables.

ip route show – Show the default (main) routing table.

This was just a short introduction; let's see now how to do dynamic policy routing.

3-leg firewall

Example: we have a firewall box (made with Linux, of course) that is connected to 3 different networks:

– Public router – net GW

– DMZ area – net GW

– Internal network – net GW

Default route on the public NIC:

ip route show

dev eth2 proto kernel scope link src

default via dev eth2


Possible problem: you have to ssh into the firewall box to manage it. As long as you come from a network that is present on one of the NICs of the box you'll have no problems, because the connected route will send the packets back out of the correct NIC.

But if you come from another private network, one that is not present on any NIC and whose packets arrive at the internal NIC, what will happen?

If you have added a static route for that network as well, all will be fine and the packets will return from the correct NIC; otherwise the packets will use the default gateway, so the box will try to reach you through the public interface, producing an asymmetric routing path and probably failing to reach you at all.

The 2 solutions are:

  1. Add static routes to cover every possible source of traffic; this is usually not suggested unless you have a small network that will not change over time.
  2. Create the rules to do dynamic routing.

The second solution simply means "send the reply out of the network interface the packet came in from". It sounds good, no?

As a first step we add 2 more routing tables, so we'll have a total of 3 routing tables:

1 default table (you can have only 1 default table by definition) that uses the public interface's gateway;

1 table (table 2) that uses as GW the local network GW;

1 table (table 3) that uses as GW the DMZ network GW.

ip route add table 2 default via

ip route add table 3 default via

Now we just need to tell the kernel when to use these additional tables. iproute2 comes to the rescue with ip rule, which lets us add routing policy rules: a rule selects the table by source address, so we just have to give these two commands:

ip rule add from table 2

ip rule add from table 3

And now we have a box with dynamic policy routing enabled. Simple... or not?

It's possible to display an additional routing table with the command:

ip route show table X

Or flush it completely with:

ip route flush table X
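The procedure above (one extra table with its own default route per leg, plus an ip rule that selects the table by source network) as a small POSIX shell script. This is an added example, not code from the original post: it generates the same "ip route add table N default via GW" and "ip rule add from NET table N" commands, defaults to printing them (DRY_RUN=1) so they can be reviewed before being applied as root, and adds two checks a practitioner wants before touching a live firewall: that the table number stays out of the kernel's reserved tables (253 default, 254 main, 255 local) and that each leg's gateway actually lies inside that leg's subnet, since the kernel refuses a "via" nexthop it has no connected route to. The table numbers 2 and 3 follow the post; the networks 192.0.2.0/24 and 198.51.100.0/24 and their gateways are constructed sample values, not the post's (elided) addresses.

```shell
#!/bin/sh
# Added example (not from the original post): build, check and optionally
# apply the per-leg routing tables and rules described in the text.
# Addresses below are constructed documentation-range samples.

DRY_RUN=${DRY_RUN:-1}   # 1 = only print the ip commands, 0 = execute them (root)

# run_or_print CMD ARGS... : echo the command in dry-run mode, else run it.
run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ip_to_int DOTTED-QUAD : IPv4 address as a 32-bit integer (shell arithmetic).
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_network ADDRESS NET/PREFIX : succeed if ADDRESS lies inside NET/PREFIX.
# Used to verify that a leg's gateway is on that leg's own subnet.
in_network() {
    a_int=$(ip_to_int "$1")
    n_int=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xffffffff >> (32 - bits)) << (32 - bits) ))
    [ $(( a_int & mask )) -eq $(( n_int & mask )) ]
}

# valid_table_id ID : numeric and in 1..252. The script stays below 253 because
# 253, 254 and 255 are the kernel's reserved default, main and local tables.
valid_table_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 252 ]
}

# policy_leg TABLE NET/PREFIX GATEWAY : the two commands from the post for one
# leg, in the post's order: a default route inside table TABLE via GATEWAY,
# then a rule sending packets sourced from NET/PREFIX to that table, so the
# replies leave through the interface the request arrived on.
policy_leg() {
    table=$1; net=$2; gw=$3
    valid_table_id "$table" || { echo "bad table id: $table" >&2; return 1; }
    in_network "$gw" "$net" || { echo "gateway $gw is not inside $net" >&2; return 1; }
    run_or_print ip route add table "$table" default via "$gw" &&
    run_or_print ip rule add from "$net" table "$table"
}

# apply_legs TABLE:NET/PREFIX:GATEWAY ... : one policy_leg per argument,
# stopping at the first leg that fails its checks.
apply_legs() {
    for leg in "$@"; do
        t=${leg%%:*}; rest=${leg#*:}
        policy_leg "$t" "${rest%%:*}" "${rest#*:}" || return 1
    done
}

# Constructed sample topology: table 2 for the internal leg, table 3 for the
# DMZ leg; the public leg keeps the main table's default route, as in the post.
apply_legs 2:192.0.2.0/24:192.0.2.1 3:198.51.100.0/24:198.51.100.1
```

After applying with DRY_RUN=0, "ip rule show" lists the two new rules ahead of the main-table lookup and "ip route show table 2" shows only that table's default route, which is the quickest way to confirm the kernel is consulting the extra tables. On a multi-homed box it is also worth checking the reverse path filter setting (sysctl net.ipv4.conf.all.rp_filter), since that check is what drops packets whose reply path does not match the interface they arrived on.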

As usual I hope that my article is a good starting point to let you understand the potential of the commands described; for further reading check also this link: http://linux-ip.net/


  5 Responses to “Policy Routing with Linux”

  1. That's the way 🙂 !

    Congratulations on the post ;).

  2. What the…? What is the point of this? Why would you not either:
    a) Add an address in the range to the internal NIC
    b) Expand the netmask on the internal NIC.

    It reeks of poorly designed network.

    • I understand that in my example you could easily solve with an additional address on the NIC.

      But in real life we had problems in doing that because the IP ranges were on different VLANs used by different departments. I could have used the 802.1q extensions for Linux and added a VLAN on the same NIC, but I preferred the routing way.

      Consider this possibility an alternative.

      At last, I'm more a system administrator than a network man, so it's possible that you can work around it with a solution on the router.

  3. Some time ago I tried to use these techniques with dual Internet providers on one interface, but somehow I never managed to get it working (well). I am only talking about incoming traffic, not load balancing the outgoing or fail over (but the latter would be nice).

    • Hello Dennis, dual Internet providers from one interface is for sure a hard task.
      Have you used a trunk on that interface?

      I've experience in bonding 2 eth for failover, and this usually works perfectly, while from my tests (done around 1 year ago) trying to load balance the outgoing traffic to aggregate the bandwidth gave me bad results, so at last we gave up and now we are working with bonded eth but only for failover.
