Linux Policy Routing

Up ../

Linux Policy Routing

An example to make clear, to me at least. what this involves.

Three networks 10.0.0.0/24, 10.0.7.0/24 and 192.168.99.0/24
The External Router (G) routes between the various 10.0. networks but 
doesn't know about the 192.168.99.0/24 network.
The Local Router (L) which has interfaces on the three networks, routes
between the 10.0.0 and 10.0.7 networks and the 192.168.99.0/24 network.

Host A is multihomed. Host B is on 10.0.0.0/24 only while Host C
is on 192.168.99.0/24 and Host D is on 10.0.7.0/24 only.


                            ?
                            |
                  [ External Router (G) ]
                       |         |
                  10.0.0.254  10.0.7.254
[Host B]               |         |           [Host D]
    |                  |         |               |
10.0.0.23              |         |           10.0.7.59
    |                  |         |               |
  --+----------------+-+-       -+-+-------------+--
    |                |             |
    |                |             |
10.0.0.1          10.0.0.190  10.0.7.190
    |                   |          |
[Host A]            [ Local Router (L) ]
    |                       |
192.168.99.1         192.168.99.254
    |                       |
  --+-----------------------+--------------------+--
                                                 |
                                          192.168.99.5
                                                 |
                                             [Host C]

Routes

Destination    Gateway         Genmask         Flags   MSS Window  irtt Iface
--Local Router(L)
192.168.99.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.0.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0        10.0.0.254      0.0.0.0         UG        0 0          0 eth0

--Host B
10.0.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.99.0   10.0.0.190      255.255.255.0   UG        0 0          0 eth0
0.0.0.0        10.0.0.254      0.0.0.0         UG        0 0          0 eth0

--Host C
192.168.99.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0        192.168.99.254  0.0.0.0         UG        0 0          0 eth0

--Host A
192.168.99.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.0.0.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0        10.0.0.254      0.0.0.0         UG        0 0          0 eth0

--Host D
10.0.7.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.99.0   10.0.7.190      255.255.255.0   UG        0 0          0 eth0
0.0.0.0        10.0.7.254      0.0.0.0         UG        0 0          0 eth0

Consider
1. Host C(192.168.99.5) connects to A(10.0.0.1)
   The packet is routed via L(192.168.99.254) then to A,
   the reply is sent directly to C(192.168.99.5) vi eth1

2. Host B(10.0.0.23) connects to A(192.168.99.1)
   The packet is routed via L(10.0.0.190) then to A,
   the reply is sent directly to B vi eth0

So far we have asymetric routing only which will work subject to
host firewall rules.

3. Host D(10.0.7.59) connects to A(192.168.99.1)
   The packet is routed via the L(10.0.7.190) then to A,
   the reply is sent via the external router(G) to D(10.0.7.59)

This usually won't work as G doesn't know about the 192.168.99. network
and will normally drop such packets (anti spoof rules.)

To fix (3) linux has routing rules that can select the next hop based on
the source address.
On Host A
ip rule add from 192.168.99.1 table 200
ip route add table 200 to 10.0.0.0/8 via 192.168.99.254 dev eth1

To fix(1,2)
On Host A
ip rule add from 10.0.0.1 table 210
ip route add table 210 to 192.168.99.0/24 via 10.0.0.190 dev eth0

Actually add the rule names to /etc/iproute2/rt_tables
eg
200	Intern_Extern
210	Extern_Intern

RHEL7/CENTOS7 
!! Install: NetworkManager-dispatcher-routing-rules

The syntax may changed from earlier versions

In /etc/sysconfig/network-scripts/
	rule-eth0 route-eth0
	rule-eth1 route-eth1

    # rule-eth0
	from 10.0.0.1 table Extern_Intern 
    # route-eth0
	192.168.99.0/24 table Extern_Intern via 10.0.0.190 dev eth0

    # rule-eth1
	from 192.168.99.1 table Intern_Extern
    # route-eth1
	10.0.0.0/8 table Intern_Extern via 192.168.99.254 dev eth1

policy_routing.txt

LICENSE
Creative Commons CC0 http://creativecommons.org/publicdomain/zero/1.0/legalcode

AUTHOR
James Sainsbury