Original author: Matthew G. Marsh. Original source: http://www.sysadminmag.com/linux/articles/v09/i01/a3.htm (compiled translation).

The traditional routing algorithms used in computer networks route an IP packet on its destination address alone. In practice, however, there is often a need to route a datagram not only by its destination address but by its other attributes: the source address, the IP protocol, the transport-layer port, or even the payload of the packet. This kind of routing is called policy-based routing.

Linux has implemented policy-based routing since the 2.1 kernel series. It replaces the traditional single, destination-based routing table with a Routing Policy Database (RPDB). The RPDB selects the appropriate IP route by consulting a set of rules. Because these rules can match on many different kinds of keys, they have no natural default order; the lookup order, or rule priority, is set by the network or system administrator. Linux's RPDB is a linear list of rules sorted by a numeric priority value. The RPDB can match on the datagram's source address, destination address, TOS, incoming interface and fwmark value.

Each routing policy rule consists of a selector and an action. The RPDB is scanned in order of increasing priority, and the selector of each rule is applied to the datagram's source address, destination address, incoming interface, TOS and fwmark. If the datagram matches the selector, the rule's action is performed. If the action returns successfully, its output is either a valid route or a routing-failure indication; otherwise the next rule of the RPDB is consulted. So what action is performed when a selector matches a datagram?
The standard action in routing software is generally to select a next-hop address and an output interface, which could be called a "match and set" action. Linux takes a more flexible approach and offers several actions. The default action is to look up a specific routing table, keyed on the destination address, so "match and set" becomes the simplest form of Linux routing. Linux supports multiple routing tables, each of which holds multiple routes; in other words, each Linux routing table is the equivalent of the single system routing table of other operating systems. Linux supports up to 255 routing tables. (Linux 2.2.12 supports 255 routing tables, 255 realms and 2^32 policy rule priorities, i.e. 4294967296 in decimal.) On Linux 2.1/2.2 the kernel comes with a default RPDB consisting of three policy rules. One way to see these default rules is to list all rules on the system:

root@netmonster# ip rule list
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
These default rules are important to understand before building a complex routing setup. The first is the rule with the highest priority, rule 0:

Rule 0: priority 0; selector = match any datagram; action = look up the local routing table (table ID 255). The local table is a reserved table containing routes to local and broadcast addresses. Rule 0 is special: it cannot be deleted or modified.

Rule 32766: priority 32766; selector = match any datagram; action = look up the main routing table (table ID 254). The main table is the standard default routing table that holds all non-policy routes. Routes created by the old route command, and any route added with ip route without an explicit table, go into the main table. This rule can be deleted or overridden by other rules.

Rule 32767: priority 32767; selector = match any datagram; action = look up the default routing table (table ID 253). The default table is empty and is reserved for last-resort processing, i.e. for datagrams that none of the preceding rules selected. This rule can be deleted.

Do not confuse routing tables and rules: rules point to routing tables. Several rules may point to the same table, and some tables may not be pointed to by any rule. If all the rules pointing to a table are deleted, the table is no longer consulted, but it still exists. A routing table only disappears when all the routes it contains are removed.

As mentioned above, the action of a Linux policy rule can be something other than a routing table lookup. When creating a policy rule, the following action types are available:

unicast - standard routing via the routing table the rule points to. This is the default action when a table is specified.
blackhole - the rule action silently discards the datagram.

unreachable - the rule action generates a network unreachable error: an ICMP type 3, code 0 message is returned to the sender.

prohibit - the rule action generates an administratively prohibited error: an ICMP type 3, code 13 message is returned to the sender.

Other action types exist as well, but they are unrelated to policy routing; they implement other advanced flow control and datagram operations in the kernel. Because there is only one tool, the ip command, all of these types are available from it, but we use only the parts relevant here: returning a route, or one of the other actions above.

Before the examples, first look at the syntax of the ip command. The ip command has many uses; only those related to policy routing are discussed here. All of them are run directly as root on the command line. First, the ip addr command:

root@netmonster# ip addr help
Usage: ip addr {add|del} IFADDR dev STRING
       ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
                            [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX
          [ broadcast ADDR ] [ anycast ADDR ]
          [ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := [ permanent | dynamic | secondary | primary |
          tentative | deprecated ]

Example: ip addr add 192.168.1.1/24 dev eth0
This command adds the IP address 192.168.1.1/24 to the eth0 network card. Next, the ip route command:

root@netmonster# ip route help
Usage: ip route { list | flush } SELECTOR
       ip route get ADDRESS [ from ADDRESS iif STRING ]
                            [ oif STRING ] [ tos TOS ]
       ip route { add | del | replace | change | append | replace |
                  monitor } ROUTE
SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ]
            [ table TABLE_ID ] [ proto RTPROTO ]
            [ type TYPE ] [ scope SCOPE ]
ROUTE := NODE_SPEC [ INFO_SPEC ]
NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ]
             [ table TABLE_ID ] [ proto RTPROTO ]
             [ scope SCOPE ] [ metric METRIC ]
INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...
NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS
OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ]
           [ rtt NUMBER ] [ rttvar NUMBER ]
           [ window NUMBER ] [ cwnd NUMBER ] [ ssthresh REALM ]
           [ realms REALM ]
TYPE := [ unicast | local | broadcast | multicast | throw |
          unreachable | prohibit | blackhole | nat ]
TABLE_ID := [ local | main | default | all | NUMBER ]
SCOPE := [ host | link | global | NUMBER ]
FLAGS := [ equalize ]
NHFLAGS := [ onlink | pervasive ]
RTPROTO := [ kernel | boot | static | NUMBER ]

Example: ip route add 192.168.2.0/24 via 192.168.1.254
This example adds a route to the network 192.168.2.0/24 via the gateway 192.168.1.254. Finally, the ip rule command:

root@netmonster# ip rule help
Usage: ip rule [ list | add | del ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK ]
            [ dev STRING ] [ pref NUMBER ]
ACTION := [ table TABLE_ID ] [ nat ADDRESS ]
          [ prohibit | reject | unreachable ]
          [ realms [SRCREALM/]DSTREALM ]
TABLE_ID := [ local | main | default | NUMBER ]

Example: ip rule add from 192.168.2.0/24 prio 32777 reject
This command rejects every datagram whose source address belongs to the 192.168.2.0/24 network. With the command syntax covered, the following are examples of using these commands.

Example 1: Refusing Internet access

Assume a firewall connects the local LAN to the Internet, and you want to prohibit one subnet of the LAN from accessing the Internet. This can of course be done with Linux packet filtering, but here is another way to implement it. First, assume the following network configuration: internal network 192.168.0.0/16; subnet to be refused 192.168.2.0/24; current main routing table (table 254):

root@netmonster# ip route list table 254
default via 192.168.254.254 dev eth0

Next, create a policy rule for this subnet:

ip rule add from 192.168.2.0/24 priority 5000 prohibit

Any datagram from the 192.168.2.0/24 subnet now causes an ICMP type 3, code 13 message to be returned to the sender, and the datagram is discarded. Note that after running any of these commands you should run ip route flush cache to flush the routing cache; otherwise the command takes effect only after a delay whose length depends on the size and load of the routing table structure. The commands needed for the example above, put together:

ip rule del priority 5000
ip rule add from 192.168.2.0/24 priority 5000 prohibit
ip route flush cache
This command sequence first deletes rule 5000, to make sure the system does not already have such a rule; if there is no rule 5000, an error message is returned. Then it adds the new rule 5000 and resets the RPDB by emptying the routing cache, so the new rule takes effect immediately.

Multiple routing tables and IP addresses

To fully understand the use of policy routing you need to learn to use Linux's multiple routing tables and multiple IP addresses, which involve several areas of knowledge; they are described below by example. When you obtain the ip tool you may notice a subdirectory named etc in the distribution, containing a subdirectory named iproute2. Copy that subdirectory to /etc, or create an iproute2 subdirectory under /etc. This directory holds the files that name the routing tables and the policy routing structures. Create a file named rt_tables in this directory; the sample file usually has some content and provides an example name for routing table 1. First edit the file to create the tables used in the examples below:

# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 goodnet1
2 goodnet2
3 badnet1
4 badnet2
5 internet
Having named the routing tables, you can refer to a table either by its numeric ID or by its name. For example, the following two commands operate on the same routing table:

ip route list table 1
ip route list table goodnet1

Using table names makes it much clearer which routing table is being operated on.

Example 2: Creating multiple routing tables

With the rt_tables entries shown above in place, you can look at the contents of each routing table with:

ip route list table TABLE_ID

Of course, even without an rt_tables file you can refer to all 256 routing tables (0-255) by number, because they all exist; most of them simply contain no routes. In the example above, table 1 is defined as goodnet1 through the rt_tables file. The following adds one route to each of the defined tables:

ip route add 10.10.10.0/24 via 192.168.1.2 table goodnet1
ip route add 10.10.11.0/24 via 192.168.1.2 table goodnet2
ip route add 10.10.12.0/24 via 192.168.1.2 table badnet1
ip route add 10.10.13.0/24 via 192.168.1.2 table badnet1
ip route add default via 192.168.1.254 table internet

Then list them with the ip route list table command.
192.168.1.128
192.168.3.1
When adding the two addresses in 192.168.1.0/24 you need to suppress automatic route creation (by using a /32 prefix length), while allowing it for 192.168.3.0/24:

ip addr add 192.168.1.1/32 dev eth0
ip addr add 192.168.1.128/32 dev eth0
ip addr add 192.168.3.1/24 dev eth0

If you now look at the main routing table, you will find that the kernel added a route for the network 192.168.3.0/24 but not for the network 192.168.1.0/24. All IP address information on the system can be checked with the ip addr command:

root@netmonster# ip addr
1: lo:
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0:
    inet 192.168.1.1/32 scope global eth0
    inet 192.168.1.128/32 scope global eth0
    inet 192.168.3.1/24 scope global eth0
Below we discuss several more complex examples.

Example 4: Multiple routing tables and IP addresses

The most powerful feature of the Linux kernel routing code is the combination of policy-based routing with multiple routing tables and multiple IP addresses. The following example discusses a system acting as a router between three different networks. Referring to the figure at the start of the original article, the external interface of the core system connects to three external networks. Each network has its own router and its own IP address space; however, two of the address spaces overlap, which complicates the situation. We set up routing tables and rules to implement the following interconnection policy:

- Traffic from any internal network to the Internet is allowed.
- Traffic from internal network B to network A is allowed.
- Traffic from internal network A to network C is allowed.
- Hosts 33-62 of internal network A are allowed to access network A.
- Hosts 65-78 of internal network B are allowed to access network C.

First, configure the two external IP addresses on the DMZ Ethernet interface eth0:

ip addr add 10.254.254.2/30 dev eth0
ip addr add 172.17.1.128/24 dev eth0
The next step is to decide which routing tables are needed. The best way to think about this is that policy-based routing lets you choose which routing table to consult according to the source address. The policy rules take care of dividing up the internal networks, so the tables themselves can hold ordinary destination-based routes. The example uses the tables created earlier. The following shows the steps to take when adding routes to a table. Suppose you were configuring just two routers, each with an outer interface connected directly to the Internet exit router and an inner interface connected directly to an internal network. Such a router is very simple to configure; for goodnet1 it would be:

ip route add 10.10.0.0/16 via 10.254.254.2 table goodnet1 proto static
ip route add default via 172.17.1.254 table goodnet1 proto static

and for goodnet2:

ip route add 172.18.0.0/16 via 172.17.1.1 table goodnet2 proto static
ip route add default via 172.17.1.254 table goodnet2 proto static

Only two routing tables are needed for three target networks; the default route to the Internet is set in both tables. Why not put the default route in a third routing table? First, consider the interaction between rules and routing tables: the rules are what define the policy. Several rules may point to the same table, but once a datagram enters a routing table, the lookup can only match a route there or return to the rule chain. If a rule matches, you assume it is the correct policy match, so the table the rule points to must contain every route that datagram could possibly need. With three routing tables you would need an additional rule to check the datagram's destination address, and checking the destination address is the job of standard routing; why should a rule be needed for every source/destination combination? Using the tables this way achieves the goal with as few rules as possible. Of course, the flexibility of the system allows such routing to be implemented in several ways; choose whichever suits you best:

ip rule add from 192.168.1.32/27 to 172.18.0.0/16 pref 15000 table goodnet1
ip rule add from 192.168.2.64/28 to 10.10.0.0/16 pref 15001 table goodnet2
ip rule add from 192.168.1.0/24 pref 15002 table goodnet1
ip rule add from 192.168.2.0/24 pref 15003 table goodnet2
The example above uses the pref parameter to define the order in which the rules are matched against a datagram. Now consider what happens when a datagram arrives from an internal network. It is first checked against the rule with priority 5000; then against the rule with priority 15000, and if that matches it is routed using the goodnet1 table; otherwise it passes on to rules 15001, 15002 and 15003. It will certainly be matched by one of the rules 15000-15003. To illustrate the flexibility of the routing structure, we now solve the same problem from another angle. The details of the Linux router are as follows:

eth0 - DMZ Ethernet - addresses: 10.254.254.2/30, 172.17.1.128/24
eth1 - internal A - address: 192.168.1.254/24
eth2 - internal B - address: 192.168.2.254/24
First, assume a restart has cleared the routes and rules, which will be redefined. Edit /etc/iproute2/rt_tables:

# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local tables
#
1 int1
2 int2

Create the routes and rules:

ip route add 10.10.0.0/16 via 10.254.254.1 table int1 proto static
ip route add throw 0/0 table int1 proto static
ip route add 172.18.0.0/16 via 172.17.1.1 table int2 proto static
ip route add throw 0/0 table int2 proto static
ip route add 0/0 via 172.17.1.254 table main proto static
ip rule add pref 15000 table int1 iif eth1
ip rule add pref 15001 table int2 iif eth2
ip rule add pref 15002 to 10.10.0.0/16 to 172.18.0.0/16 table int2
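The following is an added example, not code from the original article: a small Python model of the RPDB scan the article describes, run over the int1/int2/main tables and iif-based rules above, plus one fwmark prohibit rule in the style of the fwmark examples later in the article. It assumes only the addresses on this page; the packet samples are constructed. A matched rule either returns an error action or consults its table, and a throw route (or no matching route) sends the lookup back to the next rule, which is what lets int1/int2 fall through to the default route in main.

```python
# Added example (not from the original article): model of the RPDB lookup.
import ipaddress

# Result of the error actions, as the article lists them.
ERROR_ACTIONS = {
    "prohibit": "ICMP type 3 code 13 (administratively prohibited)",
    "unreachable": "ICMP type 3 code 0 (network unreachable)",
    "blackhole": "silently discarded",
}

def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def table_lookup(routes, dst):
    """Longest-prefix match inside one routing table (None if no route)."""
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route["prefix"], strict=False)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best

def rule_matches(rule, pkt):
    """Apply the selector: from/to prefixes, incoming interface, fwmark."""
    if "from" in rule and not in_net(pkt["src"], rule["from"]):
        return False
    if "to" in rule and not in_net(pkt["dst"], rule["to"]):
        return False
    if "iif" in rule and pkt.get("iif") != rule["iif"]:
        return False
    if "fwmark" in rule and pkt.get("fwmark") != rule["fwmark"]:
        return False
    return True

def rpdb_lookup(rules, tables, pkt):
    """Scan rules by increasing pref; return ("route", table, via) or ("error", action, text)."""
    for rule in sorted(rules, key=lambda r: r["pref"]):
        if not rule_matches(rule, pkt):
            continue
        action = rule["action"]
        if action in ERROR_ACTIONS:
            return ("error", action, ERROR_ACTIONS[action])
        route = table_lookup(tables[action], pkt["dst"])
        if route is None or route.get("type") == "throw":
            continue  # leave this table and carry on with the next rule
        if route.get("type") in ERROR_ACTIONS:
            return ("error", route["type"], ERROR_ACTIONS[route["type"]])
        return ("route", action, route["via"])
    return ("error", "unreachable", "RPDB exhausted, no route")

# Tables and rules from the int1/int2 example above ("0/0" on the command line is 0.0.0.0/0).
TABLES = {
    "int1": [{"prefix": "10.10.0.0/16", "via": "10.254.254.1"}, {"prefix": "0.0.0.0/0", "type": "throw"}],
    "int2": [{"prefix": "172.18.0.0/16", "via": "172.17.1.1"}, {"prefix": "0.0.0.0/0", "type": "throw"}],
    "main": [{"prefix": "0.0.0.0/0", "via": "172.17.1.254"}],
}
RULES = [
    {"pref": 14000, "fwmark": 0x10, "action": "prohibit"},  # constructed, fwmark-style prohibit
    {"pref": 15000, "iif": "eth1", "action": "int1"},
    {"pref": 15001, "iif": "eth2", "action": "int2"},
    {"pref": 32766, "action": "main"},                       # the kernel's default main rule
]
# Constructed sample datagrams (198.51.100.7 stands in for an Internet host).
A_TO_C = {"src": "192.168.1.10", "dst": "10.10.3.4", "iif": "eth1"}
A_TO_INET = {"src": "192.168.1.10", "dst": "198.51.100.7", "iif": "eth1"}
A_TO_NETA = {"src": "192.168.1.10", "dst": "172.18.5.5", "iif": "eth1"}  # int1 throws, main carries it
B_TO_NETA = {"src": "192.168.2.66", "dst": "172.18.5.5", "iif": "eth2"}
MARKED = {"src": "192.168.1.10", "dst": "198.51.100.7", "iif": "eth1", "fwmark": 0x10}

if __name__ == "__main__":
    for name, pkt in [("A->C", A_TO_C), ("A->Internet", A_TO_INET), ("A->netA", A_TO_NETA),
                      ("B->netA", B_TO_NETA), ("marked", MARKED)]:
        print(name, rpdb_lookup(RULES, TABLES, pkt))
```

Note that A_TO_NETA does not reach network A's router: int1 has no 172.18.0.0/16 route, so the throw sends the lookup on to main and its default gateway, which is exactly the policy the rules encode.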
The int1/int2 routes and rules implement the same policy as the previous example (study these rules and routes carefully and make sure you understand them).

Using ipchains for higher-level policy routing

When specifying a policy rule, it can be made to match on the fwmark value. The fwmark is a numeric tag that ipchains can attach to a datagram. If you are not familiar with ipchains, read the IPCHAINS-HOWTO first.

Example 5: Simple fwmark-based policy routing

Start from a simple example, using the routing tables from the example above: datagrams from internal network B with destination port 80 should be sent to the Internet, while datagrams from internal network A with destination port 80 are prohibited. First empty these routing tables:

ip route flush table goodnet1
ip route flush table goodnet2
ip route flush table badnet1
ip route flush table badnet2
ip route flush table internet
ip route flush cache
The current way to delete policy rules is to list them and then delete them one by one: list the rules with ip rule list and delete each with ip rule del priority <#>. Here we assume there are no rules at present and the routing tables are empty. To use the fwmark tag, first use ipchains to mark the datagrams you are interested in, then specify a policy rule with that mark value to process them. Note that ipchains converts the decimal mark you give it into hexadecimal, and ip rule expects a hexadecimal value. First configure ipchains rules that mark incoming datagrams with the appropriate values; assume there are no other firewall rules:

ipchains -I input -p tcp -s 192.168.2.0/24 -d 0/0 80 -m 2
ipchains -I input -p tcp -s 192.168.1.0/24 -d 0/0 80 -m 16

Now set the policy rules. The mark for internal network A is 16 in decimal, which is 10 in hexadecimal (note the use of hexadecimal in the policy definition):

ip rule add fwmark 2 table goodnet1
ip rule add fwmark 10 prohibit

Finally, the goodnet1 routing table is defined as follows:

ip route add default via 172.17.1.254 table goodnet1
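The rule cleanup described at the start of Example 5 (list with ip rule list, delete each rule with ip rule del priority <#>, then flush the cache) is easy to get wrong by hand, so here it is as an added Python script; this is not code from the original article. It assumes the line format iproute2 prints for ip rule list, leaves the three kernel default rules (0, 32766, 32767) alone, and the sample listing is constructed from this article's rules.

```python
# Added example (not from the original article): scripted "ip rule" cleanup.
import re
import subprocess

DEFAULT_PREFS = {0, 32766, 32767}  # local, main and default rules; rule 0 cannot be deleted anyway

# Assumed iproute2 listing format: "<pref>:<tab><selector ...> <action>"
RULE_LINE = re.compile(r"^\s*(\d+):\s*(.*?)\s*$")

def parse_rule_list(text):
    """Turn 'ip rule list' output into (pref, selector_and_action) pairs, in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules

def cleanup_commands(text, keep=DEFAULT_PREFS):
    """Commands that delete every non-default policy rule, then reset the RPDB cache."""
    cmds = []
    for pref, _selector in parse_rule_list(text):
        if pref not in keep:
            # Deleting by priority removes one rule per call, as the article does by hand.
            cmds.append(["ip", "rule", "del", "priority", str(pref)])
    if cmds:
        cmds.append(["ip", "route", "flush", "cache"])  # make the change take effect immediately
    return cmds

def run_cleanup(dry_run=True):
    """Read the live rule list (needs root) and print or execute the cleanup."""
    listing = subprocess.run(["ip", "rule", "list"], capture_output=True,
                             text=True, check=True).stdout
    for cmd in cleanup_commands(listing):
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)

# Constructed sample of what "ip rule list" would print after Examples 1 and 4.
SAMPLE_LISTING = """\
0:\tfrom all lookup local
5000:\tfrom 192.168.2.0/24 prohibit
15000:\tfrom 192.168.1.0/24 lookup goodnet1
15001:\tfrom 192.168.2.0/24 lookup goodnet2
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

if __name__ == "__main__":
    for cmd in cleanup_commands(SAMPLE_LISTING):
        print(" ".join(cmd))
```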
A common question about policy routing is how it interacts with IP masquerading. We do not study the problem in depth here, but give a quick example. Note that the routing table is consulted before the forward chain. This means that when IP masquerading is used, whatever source address the route selector returns is used as the masquerading address.

Example 6: Masquerading to multiple IP addresses

Using the network configuration above, with the connections to the three networks created, we want the following behaviour from the system:

- Datagrams from internal network A to network C are masqueraded as 10.254.254.2.
- Datagrams from internal network B to network A are masqueraded as 172.17.1.2.
- Datagrams from the internal networks to the Internet are masqueraded as 172.17.1.128.

eth0 is configured with the addresses 10.254.254.2/30 and 172.17.1.128/24. Therefore, to satisfy condition 2, add an address to eth0:

ip addr add 172.17.1.2/32 dev eth0

Assume the system is set up to masquerade all outgoing datagrams. First empty the old policy rules, then create the new routes and rules as follows:

ip route add 10.10.0.0/16 via 10.254.254.2 src 10.254.254.2 table goodnet1 proto static
ip route add default via 172.17.1.254 src 172.17.1.128 table goodnet1 proto static
ip route add 172.18.0.0/16 via 172.17.1.1 src 172.17.1.2 table goodnet2 proto static
ip route add default via 172.17.1.254 src 172.17.1.128 table goodnet2 proto static
ip rule add from 192.168.1.0/24 pref 15000 table goodnet2
ip rule add from 192.168.2.0/24 pref 15001 table goodnet1
Example 7: Comprehensive example

Assume the routes, rules and addresses of Example 6 are still in place, and we want to meet the following requirements:

- Internal A hosts 33-62 to network A: masquerade as 172.17.1.3
- Internal A hosts 65-78 to TCP port 80 on network A: masquerade as 172.17.1.4
- Internal B hosts 33-62 to TCP port 80 on network A: deny access
- Internal B hosts 65-78 to TCP port 80 on network C: masquerade as 10.254.254.2

Remember that the connections allowed in Example 6 must still be allowed. The solution:

ip addr add 172.17.1.3/32 dev eth0
ip addr add 172.17.1.4/32 dev eth0
ip route del default table goodnet1
ip route del default table goodnet2
ip route add throw 0/0 table goodnet1 proto static
ip route add throw 0/0 table goodnet2 proto static
ip route add default via 172.17.1.254 src 172.17.1.128 table internet proto static
ip route add 172.18.0.0/16 via 172.17.1.1 src 172.17.1.3 table badnet1 proto static
ip route add 172.18.0.0/16 via 172.17.1.1 src 172.17.1.4 table badnet2 proto static
ip rule add from 192.168.1.32/27 pref 14999 table badnet1
ip rule add fwmark 1 pref 14998 table badnet2
ip rule add fwmark 2 pref 14997 table goodnet1
ip rule add fwmark 3 pref 14996 blackhole
ip rule add pref 15003 table internet
ipchains -I input -p tcp -s 192.168.1.64/28 -d 172.18.0.0/16 80 -m 1
ipchains -I input -p tcp -s 192.168.2.64/28 -d 10.10.0.0/16 80 -m 2
ipchains -I input -p tcp -s 192.168.2.32/27 -d 172.18.0.0/16 80 -m 3

There are many other valid ways to do this. Although the tables named badnet1 and badnet2 are used here, the names carry no meaning in themselves; they are just symbolic references to tables 3 and 4.

Summary

I hope this article has given you a taste of the powerful routing features of Linux 2.2. The routing functionality it provides is hard for many router products to match, and considering that it is free, its price/performance ratio beats any product. For example, the configuration in Example 7 runs fine on a machine with only 16 MB of memory.