
Tunnels, Routes and Rules: They're Easier with iproute2 - Page 2

 By Carla Schroder | Posted Jun 14, 2005

Policy Rules
This is where iproute2 really shines. Policy rules let you choose a routing table per packet instead of routing purely on the destination address. (Adding iptables to the brew lets you slice and dice your traffic to the point of obsession, which is a fun topic for another day.)

ip rule selects packets on the following fields:

  • packet source address (from)
  • packet destination address (to)
  • TOS (type of service)
  • incoming interface (iif)
  • firewall mark (fwmark), which is how iptables hands a classification decision to the routing code
Each rule points to a routing table. You can see the default rules, in priority order (the lower the number, the earlier it is consulted):

$ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

The tables these rules point to are plain routing tables: local holds the router's own addresses and broadcast addresses, main holds the routes you normally add, and default is usually empty. You may view their contents with these commands:

$ ip route list table local
$ ip route list table main
$ ip route list table default

Here is a simple example of how the pieces fit together. We don't want the Mailroom subnet to reach the Engineering subnet, 192.168.2.0/24. The quickest way to make Engineering disappear is a blackhole route, which silently drops the packets:

# ip route add blackhole 192.168.2/24

Or we can send the sender an ICMP "communication administratively prohibited" message (type 3, code 13) instead:

# ip route add prohibit 192.168.2/24

Be clear about what these two commands do, though: with no table named they go into the main table and match on destination only, so they cut 192.168.2.0/24 off from everybody, Mailroom or not. Genuinely source-based blocking takes two steps: put the blackhole (or prohibit) route in a table of its own, then add a rule of the form ip rule add from <Mailroom subnet> lookup <table> so that only Mailroom's packets consult that table. Everyone else falls through to main and reaches Engineering as before.

The same two-step pattern is handy at a border router for dropping unwanted Internet traffic, such as portscans and attempted attacks, by source address: a rule matching from <attacker> selects a table whose only entry is a blackhole. Two caveats apply. The source IPs for this kind of traffic are a continually moving target, so expect to maintain the list. And rule 0 (lookup local) normally comes before anything you add, so packets addressed to the router's own interfaces are not affected; use a packet filter such as iptables to protect the router itself, and use routing rules for traffic that passes through it.
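Here is the two-step version written out as a small POSIX shell script, covering both the Mailroom-to-Engineering block and the border-router case above. It is an added example, not code from the article or from the iproute2 project: the Mailroom subnet (192.168.1.0/24), the table number (100), the rule priorities and the scanner address (198.51.100.7, from the RFC 5737 documentation range) are assumptions, and only 192.168.2.0/24 comes from the article. The functions print the ip commands; nothing is executed unless you run the script as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the article): source-based blocking with iproute2
# policy rules. Addresses, table id and priorities below are assumptions;
# only 192.168.2.0/24 comes from the article.

MAILROOM_NET="${MAILROOM_NET:-192.168.1.0/24}"        # assumed Mailroom subnet
ENGINEERING_NET="${ENGINEERING_NET:-192.168.2.0/24}"  # Engineering (article)
TABLE="${TABLE:-100}"   # assumed: any unused table id between 1 and 252
PREF="${PREF:-1000}"    # assumed: must sort before 32766 (main) to take effect
SCANNER="${SCANNER:-198.51.100.7}"  # assumed: example scanner source (RFC 5737)

# Print the two iproute2 commands that block packets from SRC to DST only.
# ACTION is blackhole (silent drop), prohibit (ICMP admin-prohibited) or
# unreachable (ICMP host unreachable). Nothing is executed here.
source_block_cmds() {
    src=$1
    dst=$2
    action=$3
    table=$4
    pref=$5
    case $action in
        blackhole|prohibit|unreachable) ;;
        *) echo "unsupported route type: $action" >&2; return 1 ;;
    esac
    # 1. The restrictive route lives in its own table, so it cannot touch
    #    anyone who is not steered into that table.
    printf 'ip route add %s %s table %s\n' "$action" "$dst" "$table"
    # 2. Only packets from SRC consult that table; every other source falls
    #    through to main (32766) and is routed as before.
    printf 'ip rule add from %s lookup %s pref %s\n' "$src" "$table" "$pref"
}

# Drop everything a single source sends through this router. iproute2 accepts
# blackhole as the rule's own action, so no separate table is needed. Rule 0
# (lookup local) still runs first, so packets addressed to the router's own
# interfaces are not affected; filter those with iptables.
source_drop_cmds() {
    src=$1
    pref=$2
    printf 'ip rule add from %s blackhole pref %s\n' "$src" "$pref"
}

# Execute each line only when APPLY=1 and we are root; otherwise show them.
run_cmds() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        while IFS= read -r cmd; do
            echo "+ $cmd"
            eval "$cmd"
        done
    else
        sed 's/^/would run: /'
    fi
}

# Mailroom -> Engineering gets an ICMP admin-prohibited reply.
source_block_cmds "$MAILROOM_NET" "$ENGINEERING_NET" prohibit "$TABLE" "$PREF" | run_cmds
# The scanner is dropped silently, one priority slot after the Mailroom rule.
source_drop_cmds "$SCANNER" "$((PREF + 1))" | run_cmds
```

Run it as plain `sh` first to see the commands, then `APPLY=1 sh block.sh` as root to install them; `ip rule list` and `ip route list table 100` show the result. To undo, delete the rules with `ip rule del pref 1000` and `ip rule del pref 1001`, then `ip route flush table 100`. Keeping the restrictive routes out of main is the point of the exercise: it is what turns a destination-only blackhole into a source-specific one.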

Linux routing is flexible and capable; do yourself a favor and dig into the references in Resources to learn more about it. You just might save a nice bundle of money by using Linux instead of an expensive commercial router.

Resources

  • The Linux Advanced Routing & Traffic Control HOWTO
  • man 8 ip, for the complete ip command options and definitions of the terms shown in the command output above
  • RFC 1123, Requirements for Internet Hosts
  • RFC 1812, Requirements for IP Version 4 Routers
  • IP Command Reference, also installed locally under /usr/share/doc/iproute
  • Matthew G. Marsh, Policy Routing With Linux, an excellent reference
  • W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols, the all-time best book for understanding TCP/IP
