Tunnels, Routes and Rules: They're Easier with iproute2 - Page 2

By  Carla Schroder | Jun 14, 2005
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

Continued From Page 1

Policy Rules
This is where iproute2 really shines. Using policy rules lets you route packets in a number of useful ways. (Adding iptables to the brew lets you slice and dice your traffic to the point of obsession, which is a fun topic for another day.)

iproute2 lets you match packets on the following fields:

  • packet source address
  • packet destination address
  • TOS (type of service)
  • incoming interface
You can see the existing default rules, in their order of priority:

$ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

These rules point to databases; you may view their contents with these commands:

$ ip route list table local
$ ip route list table main
$ ip route list table default

Here is a simple example of source-based routing. We don't want the Mailroom subnet to have access to the Engineering subnet, so we're going to silently block them:

# ip route add blackhole 192.168.2/24

Or we can send an ICMP "communication administratively prohibited" message instead:

# ip route add prohibit 192.168.2/24

This is handy for blocking unwanted Internet traffic, such as portscans and attempted attacks. Of course the source IPs for these things are a continually moving target, but blocking them at your border routers is quick and easy.

Linux routing is flexible and capable; do yourself a favor and dig into the references in Resources to learn more about it. You just might save a nice bundle of money by using Linux instead of an expensive commercial router.

  • Resources

  • The Linux Advanced Routing & Traffic Control HOWTO
  • See man (8) ip for complete ip command options and definitions of terms shown in the command outputs
  • RFC 1123 - Requirements for Internet Hosts
  • RFC 1812 - Requirements for IP Version 4 Routers
  • IP Command Reference. This is also available locally at /usr/share/doc/iproute
  • "Policy Routing With Linux" by Matthew G. Marsh is an excellent reference
  • "The Protocols (TCP/IP Illustrated, Volume 1)", by W. Richard Stevens, is the all-time best book for understanding TCP/IP
cschroder@internet.com

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter
Helpful Links

  • Yankee Group Mobile WAN Optimization Report

    Mobile work continues to evolve. Your organization must keep up with the demands of its mobile workforce. This report introduces the concept of mobile WAN optimization and provides three case studies including RCM, PRTM and Einstein that highlight how this emerging technology can help IT departments achieve what previously appeared to be conflicting goals. Read >

  • Network Security Resources

    More threats than ever before pose a danger to today's enterprise network. Get the latest tips and intel on the newest risks in our guide to network security resources. Read >

  • Extreme Savings: Cutting Costs with WAN Optimization

    Did you know it's possible to cut IT costs without impacting day-to-day IT operations? In fact, when you download this whitepaper from Riverbed on cost-savings through WAN optimization, you'll discover how businesses of all different sizes have realized a return on investment in just a few months through significant hard cost savings in areas such as bandwidth reduction and IT consolidation. It's called Extreme Savings and its only from Riverbed. Read >