Friday, May 16, 2008

Linux Policy Routing : ip rule

Policy-based routing means keeping multiple routing tables on a single machine and selecting between them by rule. It is normally used when traffic has to take different routes or gateways depending on where it comes from.

Your kernel must be compiled with IP Advanced Router and IP Policy Routing enabled in order to use this feature.

To show the ip rule

# /sbin/ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

To show the main routing table

# /sbin/ip route list table main

203.158.11.16/29 dev eth2  proto kernel  scope link  src 203.158.11.17
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
10.100.100.0/24 dev eth1  proto kernel  scope link  src 10.100.100.2
default via 203.158.11.22 dev eth2

In the listing above, the main table is the routing table you normally see when you type /sbin/ip route, whereas the local and default tables are separate tables of their own.

You can create rules that point to other tables (for example, a table named xyz), which lets you override the system-wide routing decisions for selected traffic.

The first rule specifies that every packet, from anywhere, is first matched against the routes in the local routing table. The local routing table holds link-layer broadcast addresses, network address translation entries, and the IP addresses hosted locally.

When a packet is bound for IP address x.x.x.x:

  1. The packet bound for x.x.x.x first passes through the local routing table.
  2. If x.x.x.x is not a locally hosted address, the main routing table is consulted to select a destination route.
  3. If neither a host nor a network route matches the destination, the packet matches the default route in the main routing table.

To add a new table

# /sbin/ip route add 192.168.1.0/24 via 192.168.0.254 table 200

# /sbin/ip route add default via 10.100.100.1 table 200

To apply a rule to the newly added table 200

This routes all traffic with a source address in 192.168.0.0/26 through routing table 200:

# /sbin/ip rule add from 192.168.0.0/26 table 200

# /sbin/ip route flush cache

*** Remember to flush the routing table cache ***

Afterwards, you should see the following when you show your ip rules:

# /sbin/ip rule show
0:      from all lookup local
32765:  from 192.168.0.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default

To delete an ip rule

# /sbin/ip rule del from 192.168.0.0/26 table 200

# /sbin/ip route flush cache

*** Remember to flush the routing table cache ***

It is tedious to type all of these lines every time the system is booted, so you can put them in a script. Here is a sample script:

#!/bin/sh
# Start from an empty table 200
/sbin/ip route flush table 200
# Copy the main routing table into table 200
/sbin/ip route list table main | while read ROUTE ; do /sbin/ip route add table 200 $ROUTE ; done
# Give table 200 its own default gateway
/sbin/ip route replace default via 10.100.100.1 table 200
# Send traffic from 192.168.0.0/26 through table 200
/sbin/ip rule add from 192.168.0.0/26 table 200
/sbin/ip route flush cache

Some other useful ip rule commands :

To set the preference of a rule (the order in which rules are checked; lower numbers are checked first)

# /sbin/ip rule add from 192.168.0.0/26 pref 3500 table 200

0:      from all lookup local
3500:   from 192.168.0.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default
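As an added example, not from the original post, here is the boot script above rewritten so it can run at every boot without leaving duplicate rules behind, using an explicit pref as just shown, together with a check that reads `ip rule show` and confirms the rule really selects the intended table; a rule pointing at the wrong table quietly sends that source's traffic out through a gateway and interface you did not intend, past whatever filtering sits on the expected path. It assumes iproute2 at /sbin/ip, and DRY_RUN=1 (the default) only prints the commands so the logic can be read or tested without root.

```shell
IP=${IP:-/sbin/ip}
DRY_RUN=${DRY_RUN:-1}

# Run an ip(8) subcommand, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "ip $*"; else "$IP" "$@"; fi
}

# setup_policy_table SRC_PREFIX TABLE GATEWAY PREF
# Rebuilds TABLE from the main table, points its default route at GATEWAY and
# installs one source-based rule at a fixed preference. Any earlier copy of
# the rule is removed first, so rerunning at boot does not pile up duplicates.
setup_policy_table() {
    src=$1 tbl=$2 gw=$3 pref=$4
    run route flush table "$tbl"
    # The copy loop needs real `ip route list` output, so it is skipped in
    # dry-run mode.
    if [ "$DRY_RUN" != 1 ]; then
        "$IP" route list table main | while read -r route; do
            # $route is deliberately unquoted: its words are separate arguments
            "$IP" route add table "$tbl" $route
        done
    fi
    run route replace default via "$gw" table "$tbl"
    run rule del from "$src" pref "$pref" table "$tbl" 2>/dev/null || true
    run rule add from "$src" pref "$pref" table "$tbl"
    run route flush cache
}

# rule_selects_table SRC_PREFIX TABLE PREF   (reads `ip rule show` on stdin)
# Succeeds only when a rule with exactly this preference, source prefix and
# lookup table is present, i.e. the traffic really goes where you intended.
rule_selects_table() {
    src=$1 tbl=$2 pref=$3
    awk -v p="$pref:" -v s="$src" -v t="$tbl" '
        $1 == p && $2 == "from" && $3 == s && $4 == "lookup" && $5 == t { ok = 1 }
        END { exit !ok }'
}

# Boot-time usage (needs root): DRY_RUN=0 sh thisscript.sh
setup_policy_table 192.168.0.0/26 200 10.100.100.1 3500
if [ "$DRY_RUN" != 1 ]; then
    "$IP" rule show | rule_selects_table 192.168.0.0/26 200 3500 \
        || echo "rule for 192.168.0.0/26 does not select table 200" >&2
fi
```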

To create a NAT rule with ip rule (this is the old stateless NAT of the routing code; it was dropped from the 2.6 kernel, which does NAT with iptables instead)

# /sbin/ip rule add nat 203.158.11.20 from 192.168.0.188

0:      from all lookup local
3500:   from 192.168.0.0/26 lookup 200
32765:  from 192.168.0.188 lookup main map-to 203.158.11.20
32766:  from all lookup main
32767:  from all lookup default


Usage: ip rule [ list | add | del | flush ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK ]
            [ dev STRING ] [ pref NUMBER ] [ prio NUMBER ]
ACTION := [ table TABLE_ID ]
          [ prohibit | reject | unreachable ]
          [ realms [SRCREALM/]DSTREALM ]
TABLE_ID := [ local | main | default | NUMBER ]
