[ale] Iptables based routing

Michael H. Warfield mhw at WittsEnd.com
Tue Oct 7 23:15:53 EDT 2014


On Tue, 2014-10-07 at 20:17 -0400, Chris Fowler wrote:
> ______________________________________________________________________
>         From: "Michael H. Warfield" <mhw at WittsEnd.com>
>         To: "Atlanta Linux Enthusiasts" <ale at ale.org>
>         Sent: Tuesday, October 7, 2014 6:02:12 PM
>         Subject: Re: [ale] Iptables based routing
>         
>         
>         > 192.168.42.100 would go down path A.
>         > 192.168.42.101 would go down path B.
>         
>         If you are talking about the source addresses here, you are probably
>         going to need to resort to IP policy routing and the ip2 package and ip
>         command.  That's not iptables.  You'll probably have to set up some
>         policy routing tables and routing rules.  The "ip" command is not the
>         best documented command but it's really at the heart of policy routing.
> 
> That is fine.  I can use ip2.  On the OpenVPN server sites I can
> remove the push default gateway option.  I then can use ip2 to route
> 0.0.0.0 from 192.68.42.100 down to the remote over tun?

Yeah.  It gets a little more complicated than that but, yeah, that's the
basics.  It's been YEARS since I've done this...

I think I had to set up the route in a different routing table and then
set up the rules for the source routes I wanted and then specified the
tables.  Here are some of the defaults to get you started...

[mhw at canyon ~]$ ip rule ls
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

[mhw at canyon ~]$ ip route ls table main
default via 130.205.38.1 dev enp0s25  proto static  metric 1024 
130.205.38.0/23 dev enp0s25  proto kernel  scope link  src 130.205.38.43 
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1 

[mhw at canyon ~]$ ip route ls table local
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1 
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1 
broadcast 130.205.38.0 dev enp0s25  proto kernel  scope link  src 130.205.38.43 
local 130.205.38.43 dev enp0s25  proto kernel  scope host  src 130.205.38.43 
broadcast 130.205.39.255 dev enp0s25  proto kernel  scope link  src 130.205.38.43 
broadcast 192.168.122.0 dev virbr0  proto kernel  scope link  src 192.168.122.1 
local 192.168.122.1 dev virbr0  proto kernel  scope host  src 192.168.122.1 
broadcast 192.168.122.255 dev virbr0  proto kernel  scope link  src 192.168.122.1 

You create a new table by adding routes to it and then add a rule
referencing it.  I don't know if you could add a policy route to the
"main" table but it looks like you could (maybe).  You could give it a
shot and, if it didn't work, you could create a new table "route2" and
then reference it "from x.x.x.x lookup route2", which is what I always
used to do with my multiple ISDN lines.

I think the "rules" actually perform the source filtering for the
routing tables and select the table/policy to apply.  Rules are
processed in order of ascending priority (that first number).  First
rule (lowest number) that matches wins and terminates.

Same thing goes with IPsec transforms (only much worse) but here there be
dragons; nasty, ugly dragons.  I spent too many hours beating my head on
my desk over those ip xfrm tables and Openswan years ago.

> Chris
Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
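The table-plus-rule setup Mike describes, written out as an added example script (not code from the thread). It assumes hypothetical values: VPN clients 192.168.42.100 and .101 on LAN interface eth0, tunnel next hops 10.8.0.1 on tun0 and 10.9.0.1 on tun1, and numeric tables 100 and 101. It prints the ip commands in dry-run mode unless IP is set to a real command.

```shell
#!/bin/sh
# Added example: source-based policy routing with the ip command.
# Hypothetical addresses, devices and table numbers throughout.
# Dry run by default (prints the commands); to apply for real:
#   IP="sudo ip" sh policy_route.sh
IP=${IP:-echo ip}

# route_source SRC TABLE GW DEV PREF
# A table exists as soon as it has a route, so populate TABLE with a default
# route via GW over DEV, then add a rule so packets from SRC consult TABLE.
# Rules are evaluated in ascending pref and the first match wins, so PREF
# must be below 32766 (the "from all lookup main" rule) to take effect.
route_source() {
    src=$1; table=$2; gw=$3; dev=$4; pref=$5
    $IP route replace default via "$gw" dev "$dev" table "$table"
    $IP rule add from "$src" lookup "$table" pref "$pref"
}

# show_path DST SRC IIF
# Ask the kernel which route a packet from SRC to DST, arriving on IIF, takes.
# This is the check to run after adding rules: it should name DEV/GW above.
show_path() {
    $IP route get "$1" from "$2" iif "$3"
}

# Two-site layout from the thread: .100 goes down path A, .101 down path B.
route_source 192.168.42.100 100 10.8.0.1 tun0 100
route_source 192.168.42.101 101 10.9.0.1 tun1 101
show_path 8.8.8.8 192.168.42.100 eth0
show_path 8.8.8.8 192.168.42.101 eth0
# Caveat (general, not from the thread): with asymmetric paths like this,
# strict reverse-path filtering (rp_filter=1) on the inbound interface will
# silently drop return traffic; check `ip rule ls` and rp_filter if packets
# vanish after the rules are added.
```

Listing the rules afterwards with `ip rule ls` should show the two new entries ahead of the 32766 main rule.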
