[TriLUG] policy based routing with linux

Aaron S. Joyner aaron at joyner.ws
Tue Nov 14 10:19:09 EST 2006


Chris Bullock wrote:

>--- "Aaron S. Joyner" <aaron at joyner.ws> wrote:
>
>>Chris Bullock wrote:
>>
>>>We have a fairly static network with about 8 subnets and roughly 5
>>>different points of access to the outside world.  We are using a Linux PC
>>>full of nics and doing strictly static routing.  We have an application
>>>that the university needs access to at fiber speed, the hospital has
>>>access to the university and we have access to the hospital, so therefore
>>>we are routing to the university through the hospital (university <-->
>>>hospital <--> our office.  Long story short we have asked the hospital to
>>>somewhat protect us from the university by implementing ACLs on their PIX,
>>>this gives the university access to our services but blocks my users from
>>>hitting the university's services since my router points all university
>>>traffic through the hospital.  Now my question, I have tried to understand
>>>the policy routing built into Linux but keep beating my head against the
>>>wall due to my lack of brains.  Here is what I have, I have a macro I run
>>>that has all my static routes listed, what I want to do is via command
>>>line, not a table, tell my traffic that to go to 150.216/16 go out our
>>>broadband connection not our hospital gateway.
>>>
>>Three observations here:
>>- What you're asking for means the traffic doesn't go fast...
>>The university is 150.216.0.0/16, and if you "tell my traffic that to go
>>to 150.216/16 go out our broadband connection not our hospital gateway",
>
>This is from network B, which the university can not get to anyway.
>Network A is allowed to the university, and the university is routing to
>Network A
>
>>then of course things won't be very fast when talking back to those
>>users from the university who are connecting through the hospital.
>>Somehow I think you're asking for a sub-portion of your traffic to do
>>this, but you don't describe which portion, so I can't formulate a
>>confident answer.
>
>What I think I really want is: if src = network A then access 150.216/16
>via the hospital connection, if src = network B then access it via
>broadband connection.
>[cgb at router ~]$ cat routes | grep 150.216
>BRODY="150.216.0.0/16"
>/sbin/ip r add 150.216.17.14 via $DEFAULTGW  # added to allow www.ecu.edu
>[cgb at router ~]$ cat routes | grep BRO
>BRODY="150.216.0.0/16"
>/sbin/ip r add $BRODY via $HOSPITALGW
>[cgb at router ~]$
>
>>- A simple route is all you need
>>Disregarding the above point, to do what you're really asking, all you
>>need is a simple route like this:
>>route add -net 150.216.0.0 netmask 255.255.0.0 gw 10.2.0.254
>>Although, if that's your default gateway, unless there is some other
>>more-specific route that overrides it, that should be the default
>>behavior?  I suspect though, as mentioned above, this isn't really what
>>you're asking.
>>
>>- What do you mean "what I want to do is via command line, not a table,
>>tell my traffic that"
>>Policy routing is enabled via "rules" created by the `ip` command which
>>shunt traffic to specific route "tables", also set up via `ip`.  That's
>>simply how it's implemented.  You build these alternate route tables
>>from the command line, with successive commands.  You can optionally
>>attach particular text tags to them via config files, but that's not
>>particularly required if you'd prefer to stick to simple straight
>>commands.  I'm going to go out on a limb here, and think you probably
>>want to route the traffic from Network A differently from how you route
>>the traffic from Network B.  Generally, Network B is routed how you want
>>to route most traffic, so I'll propose a config that just makes a small
>>change to the route taken by traffic flowing *from* A *to* University.
>>Something like this might serve your needs:
>># ip rule add from 150.216.0.0/16 table 100
>># ip route add default via 10.254.254.254 table 100
>
>This is where I get confused, I have seen many references to table and the
>rt_tables but I have seen a clear cut answer to what I need to do, right
>now it seems to get this fixed asap is to ping my 2 networks at different
>routers and have different routing tables on each router, I know this is
>wrong but I can't seem to figure out how to say something like ip route
>src $networkA to 150.216/16 via $hospitalgw, all other network should
>access the university via the default gateway.
>
>>This effectively says, for all traffic coming from 150.216.0.0/16, use
>>routing table 100, instead of the "main" routing table.  And then
>>includes a single default route for that table, which shunts traffic to
>>10.254.254.254.
>>
So upon re-reading my example this morning, I realized an error.  It
should have read like this, and now with your additional response I'll
substitute in your variables for simplicity:
# ip rule add from $NETWORKA table 100
# ip route add 150.216.0.0/16 via $HOSPITALGW table 100
# ip route add default via $NORMALDEFAULTGW table 100

It now does what I described in the paragraph immediately preceding, and
then some, which is what I think you want to have happen.  Traffic from
$NETWORKA has its own routing table, which you can modify by appending
'table 100' to your 'ip route' commands.  The packets from $NETWORKA are
told to use table 100 for routing, instead of the typical 'main' routing
table, by the first 'ip rule' command.  Unfortunately, I don't know if I
can make it more clear than the above, but let me know if it's still not
clear and I'll see if I can explain it some other way.  :)

Aaron S. Joyner
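The configuration Aaron describes, written out as a small script; this is an added example and not code from either message in the thread. It generates the `ip rule` / `ip route ... table 100` commands, applies them, and then asks the kernel's own lookup which gateway a packet from network A would actually use. The subnet 10.1.0.0/24, the interface name eth1, the gateway addresses and table number 100 are assumed placeholders standing in for the poster's $NETWORKA, $HOSPITALGW and $NORMALDEFAULTGW; only 150.216.0.0/16 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread): source-based policy routing.
# Packets *from* NETWORKA use table 100, where the university prefix goes
# via the hospital; everything else falls through to the main table.
NETWORKA="10.1.0.0/24"        # assumed: subnet that reaches the university via the hospital
IFACE_A="eth1"                # assumed: interface NETWORKA arrives on
UNIVERSITY="150.216.0.0/16"   # university prefix named in the thread
HOSPITALGW="10.2.0.254"       # assumed hospital-side gateway
DEFAULTGW="10.254.254.254"    # assumed broadband (normal default) gateway
TABLE=100                     # any unused id 1..252; 253-255 are reserved by the kernel

# Emit the commands instead of running them blind, so they can be reviewed
# (or checked by a test) without root or real interfaces. The table is
# flushed and the rule deleted first, so re-running the script is safe.
pbr_commands() {
    cat <<EOF
ip route flush table $TABLE
ip route add $UNIVERSITY via $HOSPITALGW table $TABLE
ip route add default via $DEFAULTGW table $TABLE
ip rule del from $NETWORKA table $TABLE 2>/dev/null || true
ip rule add from $NETWORKA table $TABLE priority 1000
ip route flush cache
EOF
}

# Run the generated commands one by one (needs root); stop on the first failure.
pbr_apply() {
    pbr_commands | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd" >&2
        sh -c "$cmd" || exit 1
    done
}

# Ask the kernel which route it would pick, rather than trusting the script.
# "iif" makes this a forwarding lookup, so a non-local source address is
# accepted and the "from" rule is consulted exactly as it would be for
# traffic arriving on IFACE_A.  $1 = source address, $2 = destination.
pbr_check() {
    ip route get "$2" from "$1" iif "$IFACE_A"
}

case "${1:-print}" in
    apply) pbr_apply ;;
    check) pbr_check "$2" "${3:-150.216.17.14}" ;;
    *)     pbr_commands ;;
esac
```

Run it with `apply` as root, then `check 10.1.0.5` (a host in network A) and `check 10.3.0.5` (a host outside it): the first answer should name the hospital gateway and "table 100", the second the broadband gateway, and `ip rule show` / `ip route show table 100` list what was installed. Two things to watch when using this on the poster's setup: the main table must no longer carry 150.216.0.0/16 via the hospital (as the `$BRODY via $HOSPITALGW` line in the routes file does), or network B will still take that path; and on a multi-homed router, strict reverse-path filtering (`net.ipv4.conf.*.rp_filter`) silently drops packets whose return path differs from the interface they arrived on, which is easy to hit once two networks reach the same prefix through different gateways.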
