Tunnels, Routes and Rules: They're Easier with iproute2 - Page 2

 By Carla Schroder

Policy Rules
This is where iproute2 really shines. Using policy rules lets you route packets in a number of useful ways. (Adding iptables to the brew lets you slice and dice your traffic to the point of obsession, which is a fun topic for another day.)

iproute2 lets you match packets on the following fields:

  • packet source address
  • packet destination address
  • TOS (type of service)
  • incoming interface

You can see the existing default rules, in their order of priority:

$ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

These rules point to routing tables (local, main and default); you may view their contents with these commands:

$ ip route list table local
$ ip route list table main
$ ip route list table default

Here is a simple example of source-based routing. We don't want the Mailroom subnet to have access to the Engineering subnet (192.168.2/24 here), so we're going to silently block them. Note that a blackhole route added to the main table, as below, matches on destination only and drops traffic to that subnet from every source; to restrict just the Mailroom subnet, put the blackhole route in its own table and add a rule (ip rule add from <mailroom subnet> lookup <table>) that sends only Mailroom packets to that table.

# ip route add blackhole 192.168.2/24

Or we can send an ICMP "communication administratively prohibited" message instead:

# ip route add prohibit 192.168.2/24

This is handy for blocking unwanted Internet traffic, such as port scans and attempted attacks. Of course the source IPs for these things are a continually moving target, but blocking them at your border routers is quick and easy.
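As an added example (not from the article), the following script makes the Mailroom block genuinely source-based by pairing a dedicated routing table with an ip rule, and checks for an existing rule before re-adding it. The addresses (Mailroom 192.168.3.0/24, Engineering 192.168.2.0/24), table number 100 and priority 1000 are assumptions; set IP=echo to see the commands without running them.

```shell
#!/bin/sh
# Added example, not from the article: make the Mailroom block truly
# source-based by pairing a dedicated routing table with an ip rule.
# Assumed values (not given on the page): Mailroom is 192.168.3.0/24,
# Engineering is 192.168.2.0/24, table 100 and rule priority 1000 are
# unused on this router. Set IP=echo to dry-run instead of changing anything.
set -eu

IP=${IP:-ip}

# Send packets from SRC to DST through TABLE, whose only route is a
# blackhole (silent drop) or prohibit (ICMP admin-prohibited) route.
# Packets from every other source never consult TABLE and keep using the
# main table, which a plain 'ip route add blackhole' in main cannot do.
policy_block() {
    src=$1 dst=$2 table=$3 prio=$4 action=${5:-blackhole}
    # Fill the table before adding the rule: a rule pointing at a table
    # with no matching route just falls through to the next rule, so this
    # order leaves no window in which Mailroom traffic is routed normally.
    $IP route add "$action" "$dst" table "$table"
    $IP rule add from "$src" to "$dst" lookup "$table" priority "$prio"
}

# Remove both pieces in reverse order. 'ip rule del' needs the same
# selector and target to match the rule that was added.
policy_unblock() {
    src=$1 dst=$2 table=$3 prio=$4
    $IP rule del from "$src" to "$dst" lookup "$table" priority "$prio"
    $IP route flush table "$table"
}

# 'ip rule add' silently accepts duplicates, so check the output of
# 'ip rule list' before re-running policy_block. Returns 0 if present.
rule_present() {
    listing=$1 src=$2 dst=$3 table=$4
    printf '%s\n' "$listing" | grep -q "from $src to $dst lookup $table"
}

# Usage on the router (as root):
#   rule_present "$(ip rule list)" 192.168.3.0/24 192.168.2.0/24 100 \
#       || policy_block 192.168.3.0/24 192.168.2.0/24 100 1000
```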

Linux routing is flexible and capable; do yourself a favor and dig into the references in Resources to learn more about it. You just might save a nice bundle of money by using Linux instead of an expensive commercial router.

Resources

  • The Linux Advanced Routing & Traffic Control HOWTO
  • See ip(8) for complete ip command options and definitions of the terms shown in the command outputs
  • RFC 1123 - Requirements for Internet Hosts
  • RFC 1812 - Requirements for IP Version 4 Routers
  • IP Command Reference. This is also available locally at /usr/share/doc/iproute
  • "Policy Routing With Linux" by Matthew G. Marsh is an excellent reference
  • "The Protocols (TCP/IP Illustrated, Volume 1)", by W. Richard Stevens, is the all-time best book for understanding TCP/IP
This article was originally published on Jun 15, 2005