Wednesday, May 19, 2010

Checkpoint SecurePlatform source-based / policy-based routing (PBR)

Policy-based routing (source-based routing):
Note: this should apply to all flavors of Linux.

Scenario: The default router is 1.1.1.2; however, a second router (1.1.1.3) should be used for all
traffic from the internal network 10.0.0.0/24.

In this example:
FW IP: 1.1.1.1
Router 1: 1.1.1.2
Router 2: 1.1.1.3
Internal net: 10.0.0.0/24
DMZ net: 192.168.0.0/24

Commands:

View the route table names:
[Expert@Demo]# cat /etc/iproute2/rt_tables
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
22 Verizon

The number above (22) represents the priority number of that table. Therefore this table will be read before the main table, which is the table that is modified when the "route add" command is used.

Add a table entry for the second router's link (the original line was missing the append redirection):
echo "23 adsl" >> /etc/iproute2/rt_tables

Define the traffic that will use this link:
ip rule add from 10.0.0.0/24 table adsl

Specify the gateway address for this table:
ip route add default via 1.1.1.3 dev eth0 table adsl

Since access to the DMZ will not go through router 2, add another route for DMZ access
via the DMZ interface (eth2 in this example, matching the rc.local lines below):
ip route add 192.168.0.0/24 dev eth2 table adsl

Make these changes active.
ip route flush cache

These changes are not retained after a reboot. Therefore add the following lines
to the rc.local file (/etc/rc.local):

ip rule add from 10.0.0.0/24 table adsl
ip route add default via 1.1.1.3 dev eth0 table adsl
ip route add 192.168.0.0/24 dev eth2 table adsl
ip route flush cache

Alternatively rules can be added that specify a source and destination network.
ip rule add from 10.0.0.0/24 to 209.134.190.0/23 table adsl
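The whole procedure above as one script, an added example that is not code from the original post. It registers the table in /etc/iproute2/rt_tables only if it is not already there (a bare "echo >>" in rc.local appends a duplicate line on every boot), removes any matching rule before re-adding it because "ip rule add" is not idempotent and rules would pile up across re-runs, and uses "ip route replace" so existing routes do not make the script fail. The addresses, table id 23, name adsl and interfaces eth0/eth2 are the page's values; the RT_TABLES and DRY_RUN variables and the run wrapper are this script's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: idempotent policy-based
# routing setup for the scenario on this page. Page values: table 23 "adsl",
# internal net 10.0.0.0/24, router2 1.1.1.3 on eth0, DMZ 192.168.0.0/24 on eth2.
# Assumptions of this script: RT_TABLES (path override) and DRY_RUN (print only).

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"

TABLE_ID=23
TABLE_NAME=adsl
SRC_NET=10.0.0.0/24
ROUTER2=1.1.1.3
EXT_IF=eth0
DMZ_NET=192.168.0.0/24
DMZ_IF=eth2

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Register "<id> <name>" in rt_tables exactly once. Fails if the id or the
# name is already taken by a different table, instead of silently appending.
ensure_table() {
    if grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]+${TABLE_NAME}([[:space:]]|$)" "$RT_TABLES"; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]+" "$RT_TABLES" ||
       grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+${TABLE_NAME}([[:space:]]|$)" "$RT_TABLES"; then
        echo "rt_tables: id $TABLE_ID or name $TABLE_NAME is already used by another table" >&2
        return 1
    fi
    printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
}

# Install the rule and the table's routes. "ip rule add" is not idempotent, so a
# matching rule is removed first; "ip route replace" tolerates existing routes.
apply_pbr() {
    ensure_table || return 1
    run ip rule del from "$SRC_NET" table "$TABLE_NAME" 2>/dev/null || true
    run ip rule add from "$SRC_NET" table "$TABLE_NAME"
    run ip route replace default via "$ROUTER2" dev "$EXT_IF" table "$TABLE_NAME"
    run ip route replace "$DMZ_NET" dev "$DMZ_IF" table "$TABLE_NAME"
    run ip route flush cache
}

# Usage: sh pbr-adsl.sh apply   (as root; set DRY_RUN=1 to only print commands)
if [ "$1" = "apply" ]; then
    apply_pbr
fi
```

Called from rc.local as "sh /path/to/pbr-adsl.sh apply", the script can be run any number of times without growing rt_tables or stacking duplicate rules; with DRY_RUN=1 it only prints the five ip commands it would execute, which is a convenient way to review the change before applying it on a firewall.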

Limits:
Linux supports a max of 252 tables
Checkpoint does not support source or policy based routing

Troubleshooting:
netstat -rn does not show source routes.

To view the table names:
cat /etc/iproute2/rt_tables

To view source routes (the rules that select a table):
ip rule list

To view the routes in a table:
ip route list table adsl

These commands only show what is configured; they do not take into account whether the gateway is actually active.
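Because the listing commands above say nothing about whether router 2 is alive, here is an added check that is not part of the original post: it reads the kernel neighbour (ARP) table for the external interface and reports the state of the gateway entry, so a route that points at a dead next hop is caught before traffic from 10.0.0.0/24 is silently blackholed. The gateway 1.1.1.3 and interface eth0 are the page's values; the NEIGH_CMD override (used to feed the parser a captured listing offline) and the treatment of which states count as usable are this script's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: is the PBR gateway actually
# resolvable on the link? Page values: router2 1.1.1.3 on eth0. Assumption:
# NEIGH_CMD may be overridden (e.g. "cat saved-neigh.txt") for offline use;
# the default runs the real "ip neigh show dev <if>" command.

GATEWAY="${GATEWAY:-1.1.1.3}"
EXT_IF="${EXT_IF:-eth0}"
NEIGH_CMD="${NEIGH_CMD:-ip neigh show dev $EXT_IF}"

# Print the neighbour state for address $1 as shown in the last column of
# "ip neigh show" output (REACHABLE, STALE, FAILED, ...), or MISSING if the
# address has no entry at all.
neigh_state() {
    addr="$1"
    $NEIGH_CMD | awk -v a="$addr" '
        $1 == a { print $NF; found = 1; exit }
        END { if (!found) print "MISSING" }'
}

# Return 0 when the gateway has a usable link-layer entry, 1 otherwise.
# FAILED and INCOMPLETE mean ARP resolution is not working; MISSING means the
# host has never tried (or the entry aged out), so it is not proof of life.
gateway_active() {
    case "$(neigh_state "$GATEWAY")" in
        REACHABLE|STALE|DELAY|PROBE|PERMANENT|NOARP) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for use after "ip route list table adsl".
report_gateway() {
    state=$(neigh_state "$GATEWAY")
    if gateway_active; then
        printf 'gateway %s on %s: %s (usable)\n' "$GATEWAY" "$EXT_IF" "$state"
        return 0
    fi
    printf 'gateway %s on %s: %s (NOT usable)\n' "$GATEWAY" "$EXT_IF" "$state"
    return 1
}

# Usage: sh check-gw.sh report
if [ "$1" = "report" ]; then
    report_gateway
fi
```

A MISSING entry is deliberately not treated as a failure: the kernel only populates the neighbour table once something has sent to that address, so sending a single packet to the gateway (a ping from the firewall) and re-running the check gives a definitive REACHABLE or FAILED.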
