[TriLUG] policy based routing with linux

Chris Bullock cgbullock at yahoo.com
Tue Nov 14 08:45:27 EST 2006



--- "Aaron S. Joyner" <aaron at joyner.ws> wrote:

> Chris Bullock wrote:
> 
> >We have a fairly static network with about 8 subnets and roughly 5
> >different points of access to the outside world.  We are using a Linux PC
> >full of nics and doing strictly static routing.  We have an application
> >that the university needs access to at fiber speed, the hospital has
> >access to the university and we have access to the hospital, so therefore
> >we are routing to the university through the hospital (university <-->
> >hospital <--> our office).  Long story short we have asked the hospital to
> >somewhat protect us from the university by implementing ACLs on their PIX,
> >this gives the university access to our services but blocks my users from
> >hitting the university's services since my router points all university
> >traffic through the hospital.  Now my question, I have tried to understand
> >the policy routing built into Linux but keep beating my head against the
> >wall due to my lack of brains.  Here is what I have, I have a macro I run
> >that has all my static routes listed, what I want to do is via command
> >line, not a table, tell my traffic that to go to 150.216/16 go out our
> >broadband connection not our hospital gateway.
> >
> Three observations here:
> - What you're asking for means the traffic doesn't go fast...
> The university is 150.216.0.0/16, and if you "tell my traffic that to go
> to 150.216/16 go out our broadband connection not our hospital gateway",
This is from network B, which the university can not get to anyway.
Network A is allowed to the university, and the university is routing to
Network A.
> 
> then of course things won't be very fast when talking back to those 
> users from the university who are connecting through the hospital.  
> Somehow I think you're asking for a sub-portion of your traffic to do 
> this, but you don't describe which portion, so I can't formulate a 
> confident answer.
What I think I really want is: if src = network A then access 150.216/16
via the hospital connection; if src = network B then access it via the
broadband connection.
[cgb at router ~]$ cat routes | grep 150.216
BRODY="150.216.0.0/16"
/sbin/ip r add 150.216.17.14 via $DEFAULTGW  # added to allow www.ecu.edu
[cgb at router ~]$ cat routes | grep BRO
BRODY="150.216.0.0/16"
/sbin/ip r add $BRODY via $HOSPITALGW
[cgb at router ~]$

> 
> - A simple route is all you need
> Disregarding the above point, to do what you're really asking, all you 
> need is a simple route like this:
> route add -net 150.216.0.0 netmask 255.255.0.0 gw 10.2.0.254
> Although, if that's your default gateway, unless there some other 
> more-specific route that overrides it, that should be the default 
> behavior?  I suspect though, as mentioned above, this isn't really what 
> you're asking.
> 
> - What do you mean "what I want to do is via command line, not a table, 
> tell my traffic that"
> Policy routing is enabled via "rules" created by the `ip` command which 
> shunt traffic to specific route "tables", also setup via `ip`.  That's 
> simply how it's implemented.  You build these alternate route tables 
> from the command line, with successive commands.  You can optionally 
> attach particular text tags to them via config files, but that's not 
> particularly required if you'd prefer to stick to simple straight 
> commands.  I'm going to go out on a limb here, and think you probably 
> want to route the traffic from Network A differently from how you route 
> the traffic from Network B.  Generally, Network B is routed how you want
> to route most traffic, so I'll propose a config that just makes a small 
> change to the route taken by traffic flowing *from* A *to* University.  
> Something like this might serve your needs:
> # ip rule add from 150.216.0.0/16 table 100
> # ip route add default via 10.254.254.254 table 100
This is where I get confused.  I have seen many references to table and the
rt_tables but I have seen a clear cut answer to what I need to do.  Right
now it seems the way to get this fixed asap is to point my 2 networks at
different routers and have different routing tables on each router.  I know
this is wrong, but I can't seem to figure out how to say something like
"ip route src $networkA to 150.216/16 via $hospitalgw"; all other networks
should access the university via the default gateway.
> 
> This effectively says, for all traffic coming from 150.216.0.0/16, use 
> routing table 100, instead of the "main" routing table.  And then 
> includes a single default route for that table, which shunts traffic to 
> 10.254.254.254.  If this isn't what you had in mind, provide a little 
> more info and I'll see if I can point you in the right direction.  I 
> should mention you need to have the appropriate advanced routing and 
> policy routing bits enabled in your kernel for this to work.  Most 
> modern distros do have this enabled.
> 
> Aaron S. Joyner
> Policy-routing-wonk
> 
> 
> >University = 150.216.x.x
> >network A = 10.1.x.x
> >network B = 10.2.x.x
> >hospital gw = 10.254.254.254
> >office Internet gw = 10.2.x.254
> >The university needs access to network A, network A never needs to access
> >the internet, only the university,
> >network B needs to access the university but can not access it through the
> >hospital due to firewall rules, it can only access it through my office
> >internet gateway.
> >Regards,
> >Chris
> 
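A worked version of the split Chris describes (network A reaches the university via the hospital, network B via the office Internet gateway), added here as an example and not code from the thread. The prefixes come from Chris's list; 10.2.0.254 is assumed for the 10.2.x.254 office gateway, and table 100 is an arbitrary free table number.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values:
#   network A 10.1.0.0/16, network B 10.2.0.0/16, university 150.216.0.0/16,
#   hospital gw 10.254.254.254, office Internet gw 10.2.0.254 (for 10.2.x.254).
UNIV="150.216.0.0/16"
NET_B="10.2.0.0/16"
HOSPITAL_GW="10.254.254.254"
OFFICE_GW="10.2.0.254"      # assumption: stands in for 10.2.x.254
TABLE_B=100                 # alternate table for network B; any unused id 1-252

# run: prints each command when DRY_RUN=1 (the default, so this file is safe
# to execute anywhere); with DRY_RUN=0 it really runs them, which needs root.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# policy_routes: the main table keeps "university via hospital", so network A
# (and anything else) is unchanged.  Only packets *from* network B *to* the
# university match the rule and are looked up in table 100, whose single
# route sends them out the office Internet gateway instead.
policy_routes() {
    run ip route replace "$UNIV" via "$HOSPITAL_GW"
    run ip rule add from "$NET_B" to "$UNIV" lookup "$TABLE_B" priority 1000
    run ip route replace "$UNIV" via "$OFFICE_GW" table "$TABLE_B"
    run ip route flush cache
}

# show_policy: the two commands to confirm the rule and the alternate table
# are in place after applying (ip rule show / ip route show table 100).
show_policy() {
    run ip rule show
    run ip route show table "$TABLE_B"
}

policy_routes
show_policy
```

The host route Chris already has in the main table (150.216.17.14 via $DEFAULTGW) is more specific than the /16 and would still pull network A's traffic to that host out the default gateway, so drop it once the rule is in place.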