[TriLUG] policy based routing with linux

Aaron S. Joyner aaron at joyner.ws
Tue Nov 14 03:03:24 EST 2006


Chris Bullock wrote:

>We have a fairly static network with about 8 subnets and roughly 5
>different points of access to the outside world.  We are using a Linux PC
>full of nics and doing strictly static routing.  We have an application
>that the university needs access to at fiber speed, the hospital has
>access to the university and we have access to the hospital, so therefore
>we are routing to the university through the hospital (university <-->
>hospital <--> our office).  Long story short we have asked the hospital to
>somewhat protect us from the university by implementing ACLs on their PIX,
>this gives the university access to our services but blocks my users from
>hitting the university's services since my router points all university
>traffic through the hospital.  Now my question, I have tried to understand
>the policy routing built into Linux but keep beating my head against the
>wall due to my lack of brains.  Here is what I have, I have a macro I run
>that has all my static routes listed, what I want to do is via command
>line, not a table, tell my traffic that to go to 150.216/16 go out our
>broadband connection not our hospital gateway.
>  
>
Three observations here:
- What you're asking for means the traffic doesn't go fast...
The university is 150.216.0.0/16, and if you "tell my traffic that to go 
to 150.216/16 go out our broadband connection not our hospital gateway", 
then of course things won't be very fast when talking back to those 
users from the university who are connecting through the hospital.  
Somehow I think you're asking for a sub-portion of your traffic to do 
this, but you don't describe which portion, so I can't formulate a 
confident answer.

- A simple route is all you need
Disregarding the above point, to do what you're really asking, all you 
need is a simple route like this:
route add -net 150.216.0.0 netmask 255.255.0.0 gw 10.2.0.254
Although, if that's your default gateway, unless there is some other 
more-specific route that overrides it, that should be the default 
behavior?  I suspect though, as mentioned above, this isn't really what 
you're asking.

- What do you mean "what I want to do is via command line, not a table, 
tell my traffic that"
Policy routing is enabled via "rules" created by the `ip` command which 
shunt traffic to specific route "tables", also set up via `ip`.  That's 
simply how it's implemented.  You build these alternate route tables 
from the command line, with successive commands.  You can optionally 
attach particular text tags to them via config files, but that's not 
particularly required if you'd prefer to stick to simple straight 
commands.  I'm going to go out on a limb here, and think you probably 
want to route the traffic from Network A differently from how you route 
the traffic from Network B.  Generally, Network B is routed how you want 
to route most traffic, so I'll propose a config that just makes a small 
change to the route taken by traffic flowing *from* A *to* University.  
Something like this might serve your needs:
# ip rule add from 150.216.0.0/16 table 100
# ip route add default via 10.254.254.254 table 100

This effectively says, for all traffic coming from 150.216.0.0/16, use 
routing table 100, instead of the "main" routing table.  And then 
includes a single default route for that table, which shunts traffic to 
10.254.254.254.  If this isn't what you had in mind, provide a little 
more info and I'll see if I can point you in the right direction.  I 
should mention you need to have the appropriate advanced routing and 
policy routing bits enabled in your kernel for this to work.  Most 
modern distros do have this enabled.

Aaron S. Joyner
Policy-routing-wonk


>University = 150.216.x.x
>network A = 10.1.x.x
>network B = 10.2.x.x
>hospital gw = 10.254.254.254
>office Internet gw = 10.2.x.254
>The university needs access to network A, network A never needs to access
>the internet, only the university.
>network B needs to access the university but can not access it through the
>hospital due to firewall rules, it can only access it through my office
>internet gateway.
>Regards,
>Chris
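The rule/table mechanism Aaron describes, worked through for the topology Chris gives at the end of his message (network A reaches the university through the hospital, network B only through the office Internet gateway). This is an added example, not code from the original post. The addresses for the university, both networks and the hospital gateway come from the thread; the office gateway address, the interface names and the sample source hosts are assumptions, since the thread only says 10.2.x.254. It differs from the two-liner in the reply in two ways a practitioner would want: the rule selects on source and destination, so only B's university traffic leaves the main table, and the alternate table is populated before the rule that points at it.

```shell
#!/bin/sh
# Added example (not from the original post): policy routing for the
# topology described in this thread, using the iproute2 rule/table
# mechanism the reply explains.  Values marked "thread" come from the
# messages above; everything marked ASSUMPTION is a placeholder.
#
#   network A (10.1/16) <-> university : via the hospital gateway (main table)
#   network B (10.2/16)  -> university : via the office Internet gateway
#                                        (rule -> table 100)
#
# Must run as root to change the kernel tables.  DRY_RUN=1 prints the
# commands instead of executing them, so the plan can be reviewed first.
set -e

UNIVERSITY=150.216.0.0/16                 # thread
NET_A=10.1.0.0/16                         # thread
NET_B=10.2.0.0/16                         # thread
HOSPITAL_GW=10.254.254.254                # thread
OFFICE_GW=${OFFICE_GW:-10.2.0.254}        # ASSUMPTION: thread only says 10.2.x.254
IF_A=${IF_A:-eth1}                        # ASSUMPTION: interface facing network A
IF_B=${IF_B:-eth2}                        # ASSUMPTION: interface facing network B
TABLE=100                                 # any unused table id (1-252)
PRIO=1000                                 # rule priority; lower is checked first

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_pbr() {
    # 1. Main table: by default the university is reached through the
    #    hospital.  This is the plain static route network A needs.
    run ip route replace "$UNIVERSITY" via "$HOSPITAL_GW"

    # 2. Populate the alternate table BEFORE adding the rule that points at
    #    it; a rule whose table has no matching route falls through to the
    #    next rule.  A specific route rather than 'default' limits the damage
    #    if the rule's selector is ever widened by mistake.
    run ip route replace "$UNIVERSITY" via "$OFFICE_GW" table "$TABLE"

    # 3. The rule: only B -> university consults table 100.  Rules are
    #    evaluated before 'main' (priority 32766), and 'from' alone would
    #    divert all of B's traffic, so the 'to' selector is what keeps B's
    #    other destinations on the normal path.
    run ip rule add from "$NET_B" to "$UNIVERSITY" lookup "$TABLE" priority "$PRIO"

    # 4. 2.6-era kernels cache routing decisions; flush so the rule applies
    #    to existing flows immediately (a no-op on kernels without the cache).
    run ip route flush cache
}

# Ask the kernel which next hop it would pick for a forwarded packet from
# each network.  'iif' makes the lookup behave like forwarding rather than
# a locally originated packet, so the source address need not be local.
# The source hosts 10.1.0.10 / 10.2.0.10 are constructed examples.
check_pbr() {
    run ip route get 150.216.0.1 from 10.1.0.10 iif "$IF_A"   # expect via hospital
    run ip route get 150.216.0.1 from 10.2.0.10 iif "$IF_B"   # expect via office gw
    run ip rule show
    run ip route show table "$TABLE"
}

# Remove exactly what setup_pbr added; the main-table route is left alone.
teardown_pbr() {
    run ip rule del from "$NET_B" to "$UNIVERSITY" lookup "$TABLE" priority "$PRIO"
    run ip route flush table "$TABLE"
}

case "${1:-}" in
    apply)  setup_pbr; check_pbr ;;
    check)  check_pbr ;;
    remove) teardown_pbr ;;
esac
```

`DRY_RUN=1 sh pbr.sh apply` prints the four commands without touching the kernel; `sh pbr.sh apply` as root applies them and then shows what `ip route get` actually decides for a packet from each network, which is the check to run before trusting the setup. One caveat: if return traffic for B's university sessions ever comes back over the hospital link instead of the office gateway, strict reverse-path filtering (rp_filter=1 on that interface) will drop it silently, so look there first if the forward path checks out but connections still fail.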