[TriLUG] Routing...once again.
Aaron S. Joyner
aaron at joyner.ws
Wed Aug 9 01:27:15 EDT 2006
Greg Brown wrote:
> Brian:
>
> You should have a default gateway for each nic, not just one for the
> entire
> machine. I assume there is a dual port firewall with 1.1 and 10.1 and a
> single Internet connection?
<rest of conversation snipped, so as not to cause further confusion>
Let me start by saying that Greg is a well-meaning guy, who's generally
on the ball. With that pleasantry out of the way, you're way off base on
this thread Greg. :)
To clarify, layer 3 network routing, i.e. the kind done by the routing
table on a Linux box, is not interface specific. It's part of the
TCP/IP stack, which chooses which lower level interface is the
appropriate interface to send a packet out. Consider a simple
situation, similar to what Brian originally described. You have two
networks, both of which are paths to the single larger network (think of it
as the Internet if you like). The diagram looks like this:
(fixed width fonts are good for you)

        === Intarweb ===
           ^       ^
           |       |
         NetA     NetB
           ^       ^
           |       |
          \--- Bob ---/

On the left side (eth0), you have an IP address of 1.1.1.1/24, and on
the right side (eth1), 2.2.2.2/24. You have a default gateway pointing
to 1.1.1.254 out the left interface. Your routing table would look like
this:
asjoyner at bob:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
1.1.1.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
2.2.2.0         0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         1.1.1.254       0.0.0.0         UG        0 0          0 eth0

When you address a packet to 2.2.2.10, that Linux box will look at your
routing table, and choose the network with the best match for that
packet, which is 1.1.1.0 with a mask of 255.255.255.0. It will then
route it out that interface. That will result in an ARP lookup, which
will then allow the packet to be delivered out eth1. If you address a
packet to 1.1.1.10, the same occurs, eventually out eth0. If you
address a packet to 3.3.3.10, the routing table is consulted, and the
best match is the network 0.0.0.0 with a mask of 0.0.0.0. The packet is
then addressed to 3.3.3.10 via the MAC address of 1.1.1.254, which will
(hopefully) deliver it on to its destination.
To clarify, all TCP/IP routing is done via the route table, and there is
only one route table per machine*. There are not separate routing
tables, or separate gateways, per interface**.
So why does Greg believe there are multiple routes per interface? Well,
the syntax of Debian's /etc/network/interfaces file is definitely
misleading. To boot, it probably does work in his environment, it just
results in packets not quite flowing the way one would expect. A
hypothetical scenario:
In the diagram above, imagine a host (Frank) on the Intarweb (3.3.3.10)
addresses a packet to Bob at 2.2.2.2. The packet comes across NetB to
Bob. Bob gets the packet, and crafts a response. Responses have no
state, only a source and dest address. The source address is 2.2.2.2,
as Bob will respond from the same source the session was addressed to.
Bob goes through the above routing procedure, matches the default
gateway, and routes the packet through NetA. Assuming NetA is a private
network and there is a simple router involved, it will pass the packet
along to the appropriate network and Frank will eventually receive it.
The packet didn't travel the most intuitive path, but it did get there
and life was happy. This was the way TCP/IP was designed to work back
in the day, and often does work in large networks.
The problems creep in when you start using things like residential-class
networks and you throw in a dose of Internet paranoia. For good
reasons, any residential ISP isn't going to let you send traffic from
their network, with an address they didn't give you. So if you imagine
1.1.1.1 and 2.2.2.2 are real Internet addresses from real ISPs, you can
probably imagine why Time Warner won't let you send packets on their
network claiming a source address of a Bellsouth DSL customer. Thus,
your packet is sent by Bob just fine, but dropped by your upstream ISP
as a security precaution.
I have gone through the whole "how do I set up source-based policy
routing under Linux" spiel on the list before. It is possible to have
multiple default gateways, for different types of traffic, as Joe Mack
mentioned later in this thread. The 3-second answer is "ip rules and ip
route tables via the iproute2 package". I'll save my and everyone
else's time and just point to the message in the archives:
http://www.trilug.org/pipermail/trilug/Week-of-Mon-20040329/025177.html
http://www.trilug.org/pipermail/trilug/Week-of-Mon-20060619/042827.html
and a pretty good Debian-specific tutorial on the same idea:
http://www.debian-administration.org/articles/377
Aaron S. Joyner
* -- we'll expose this over-simplification before the end of the
message, but play along for now if you know better.
** -- ip route tables aren't per interface, they're per
type-of-traffic. You still have to match on ip-based characteristics
with the rules, they can't be interface-specific. Keep reading to the
end if you are confused, and read the links for more details.
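The lookup Aaron walks through above, and the ip-rule-selects-a-table behaviour he points to for policy routing, modelled in Python as an added example (not code from the post or from iproute2). The second table and its 2.2.2.254 gateway on NetB are assumptions for illustration; the main table mirrors the netstat -rn output in the message.

```python
import ipaddress

# Constructed tables: MAIN_TABLE mirrors the netstat -rn output in the message.
# NETB_TABLE and the 2.2.2.254 gateway are assumed, not from the post.
# Each route is (destination prefix, gateway or None if on-link, interface).
MAIN_TABLE = [
    ("1.1.1.0/24", None, "eth0"),
    ("2.2.2.0/24", None, "eth1"),
    ("0.0.0.0/0", "1.1.1.254", "eth0"),
]
NETB_TABLE = [
    ("2.2.2.0/24", None, "eth1"),
    ("0.0.0.0/0", "2.2.2.254", "eth1"),
]
# Policy rules, checked in order: (source prefix, table to consult).
# The catch-all rule falls back to the single main table.
RULES = [("2.2.2.2/32", NETB_TABLE), ("0.0.0.0/0", MAIN_TABLE)]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, gw, iface = best
    # Next hop is the gateway for indirect routes; for on-link routes the
    # destination itself is ARPed for, as the post describes.
    return (gw or str(dst), iface)


def policy_lookup(src, dst):
    """iproute2-style: the first ip rule matching the source picks the table."""
    src = ipaddress.ip_address(src)
    for prefix, table in RULES:
        if src in ipaddress.ip_network(prefix):
            return lookup(table, dst)
    raise LookupError("no rule matched")


if __name__ == "__main__":
    # One table only: anything off-link leaves via 1.1.1.254 on eth0.
    print(lookup(MAIN_TABLE, "2.2.2.10"))        # ('2.2.2.10', 'eth1')
    print(lookup(MAIN_TABLE, "3.3.3.10"))        # ('1.1.1.254', 'eth0')
    # With the source rule, Bob's reply from 2.2.2.2 goes back out NetB.
    print(policy_lookup("2.2.2.2", "3.3.3.10"))  # ('2.2.2.254', 'eth1')
    print(policy_lookup("1.1.1.1", "3.3.3.10"))  # ('1.1.1.254', 'eth0')
```

The last two calls show why the reply to Frank no longer carries a 2.2.2.2 source address onto NetA, which is the case the upstream ISP would drop.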