<p>pages tagged routing, wiebel.org (ikiwiki), http://wiebel.org//tag/routing/, feed updated 2013-06-26T14:13:27Z</p>
<p>policy routing, http://wiebel.org//linux/network/policy_routing/, updated 2013-06-26T14:13:27Z, published 2012-05-15T15:44:23Z</p>
<h1 id="ahrefhttps:en.wikipedia.orgwikipolicy2dbased5froutingpolicy-basedroutingausingmultipleroutingtables"><a href="https://en.wikipedia.org/wiki/Policy%2Dbased%5Frouting">Policy-based routing</a> using multiple routing tables</h1>
<p>Making a system reachable over two IP addresses (two interfaces) is a bit of a challenge. Say you have connected the machine via</p>
<ul>
<li>eth0 192.168.0.10/24 GW: 192.168.0.1 (old)</li>
<li>eth1 192.168.1.10/24 GW: 192.168.1.1 (new)</li>
</ul>
<p>Normally all traffic to remote IPs is routed to the default gateway. Further say your default gateway is 192.168.0.1, so it's reachable via eth0. IP packets arriving at the address of eth1 would be answered via the default gateway through eth0, leaving by a different path than the request took, and would therefore be invalid. The solution to this problem is called <a href="https://en.wikipedia.org/wiki/Policy%2Dbased%5Frouting">Policy-based routing</a> (a term coined by Cisco); the Linux implementation is based on multiple routing tables. Those routing tables are registered in <em>/etc/iproute2/rt_tables</em>:</p>
<pre><code>#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 oldnet
201 newnet
</code></pre>
<p>In this case the oldnet and newnet tables are custom; here we want to migrate the server from one network (oldnet) to the other (newnet), and policy-based routing allows us to do this seamlessly on the server side.
To populate your defined tables you simply use the <em>ip</em> command:</p>
<pre><code>ip route add 192.168.0.0/24 dev eth0 table oldnet
ip route add default via 192.168.0.1 table oldnet
</code></pre>
<p>To actually use your new routing table you have to issue an <em>ip rule</em> command, which makes the kernel use the table according to the matched rule:</p>
<pre><code>ip rule add from 192.168.0.0/24 table oldnet
</code></pre>
<p>Now, to actually make a difference, we also have to define the routing for newnet:</p>
<pre><code>ip route add 192.168.1.0/24 dev eth1 table newnet
ip route add default via 192.168.1.1 table newnet
ip rule add from 192.168.1.0/24 table newnet
</code></pre>
<p>Now our server uses the table oldnet whenever it sends out a packet from the 192.168.0.0/24 subnet and the table newnet for packets from 192.168.1.0/24. It's important to understand the direction of the packets: it is NOT about packets coming in, they reach the host anyhow. It is all about the (answering) packets that need to go back the same way they came, so the <em>from</em> statement is the one to use here.</p>
<p>The command <em>ip rule list</em> shows you the rules actually in use, and <em>ip route show table oldnet</em> resp. <em>ip route show table newnet</em> show you the actual tables. Btw. <em>ip route show table all</em> gives you quite an intimate look at the routing behind the scenes, just in case you didn't know.</p>
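<p>As an added example (not part of the original page): the following Python script models the routing decision described above with the page's own addresses, tables and rules, so you can see that a reply sourced from eth1's address leaves via eth0 while only the main table exists and via eth1 once the <em>from</em> rules are in place. The connected routes in the <code>main</code> table and the rule priorities are assumptions modelled on what the kernel installs for such a setup; the lookup itself (rules by priority, longest-prefix match per table, fall-through when a table has no match) is the real kernel behaviour.</p>

```python
"""Model of Linux policy-based routing for the two-interface setup above.
Added example (not from the original page): it simulates 'ip rule' source
matching plus per-table longest-prefix lookup, so the effect of the 'from'
rules on reply packets can be checked without touching a real kernel."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    dst: ipaddress.IPv4Network       # 0.0.0.0/0 for a default route
    dev: str
    via: Optional[str] = None        # gateway; None means directly connected


@dataclass
class Rule:
    priority: int                    # lower number is consulted first
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # 'from' prefix; None matches all


def route_lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table (what the kernel does per table)."""
    best = None
    for r in table:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def policy_lookup(rules, tables, src, dst) -> Tuple[Optional[str], Optional[Route]]:
    """Walk rules in priority order; the first matching rule whose table has a
    route for dst decides. A table without a match falls through to the next
    rule, exactly as the kernel's FIB rules do."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        hit = route_lookup(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit
    return None, None


def build_scenario(with_policy: bool):
    """Tables from the page: main (single default via eth0) plus oldnet/newnet.
    Addresses and gateways are the page's own; the connected routes in 'main'
    are assumed to be what the kernel adds when the interfaces come up."""
    n = ipaddress.ip_network
    tables = {
        "main": [Route(n("192.168.0.0/24"), "eth0"),
                 Route(n("192.168.1.0/24"), "eth1"),
                 Route(n("0.0.0.0/0"), "eth0", via="192.168.0.1")],
        "oldnet": [Route(n("192.168.0.0/24"), "eth0"),
                   Route(n("0.0.0.0/0"), "eth0", via="192.168.0.1")],
        "newnet": [Route(n("192.168.1.0/24"), "eth1"),
                   Route(n("0.0.0.0/0"), "eth1", via="192.168.1.1")],
    }
    rules = [Rule(32766, "main")]        # the kernel's built-in 'main' rule
    if with_policy:
        # 'ip rule add' without an explicit priority allocates 32765, 32764, ...
        rules += [Rule(32765, "oldnet", n("192.168.0.0/24")),
                  Rule(32764, "newnet", n("192.168.1.0/24"))]
    return rules, tables


def reply_egress(src: str, dst: str, with_policy: bool) -> Tuple[str, str, Optional[str]]:
    """Where does a reply sourced from src and sent to dst leave the host?
    Returns (table, device, gateway)."""
    rules, tables = build_scenario(with_policy)
    table, route = policy_lookup(rules, tables, src, dst)
    return table, route.dev, route.via


def ip_commands(rules, tables) -> List[str]:
    """Render the custom tables and rules as the 'ip' commands the page uses."""
    cmds = []
    for name, routes in tables.items():
        if name == "main":
            continue
        for r in routes:
            dst = "default" if r.dst.prefixlen == 0 else str(r.dst)
            cmds.append(f"ip route add {dst} via {r.via} table {name}" if r.via
                        else f"ip route add {dst} dev {r.dev} table {name}")
    for rule in rules:
        if rule.src is not None:
            cmds.append(f"ip rule add from {rule.src} table {rule.table}")
    return cmds


if __name__ == "__main__":
    print("without policy:", reply_egress("192.168.1.10", "10.0.0.5", False))
    print("with policy:   ", reply_egress("192.168.1.10", "10.0.0.5", True))
    for c in ip_commands(*build_scenario(True)):
        print(c)
```

<p>Running it prints both decisions and the <em>ip</em> commands rendered from the same model. On a real host the equivalent check is <em>ip route get 10.0.0.5 from 192.168.1.10</em>, which should name eth1 and 192.168.1.1 once the rules are active.</p>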
<p>To make things happen at boot time there are different ways, depending on the distribution; to name the major ones:</p>
<h2 id="debian">Debian</h2>
<p>Quite obviously you need to touch the almighty <em>/etc/network/interfaces</em> like this:</p>
<pre><code>iface eth0 inet static
    address 192.168.0.10
    netmask 255.255.255.0
    # default gateway of the main table (old network)
    gateway 192.168.0.1
    post-up ip route add 192.168.0.0/24 dev eth0 table oldnet
    post-up ip route add default via 192.168.0.1 table oldnet
    post-up ip rule add from 192.168.0.0/24 table oldnet
    post-down ip rule del from 192.168.0.0/24 table oldnet

iface eth1 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    # no second gateway line: the main table holds only one default route
    # (ifup eth1 would fail with "File exists"); the new network's gateway
    # lives in the newnet table instead
    post-up ip route add 192.168.1.0/24 dev eth1 table newnet
    post-up ip route add default via 192.168.1.1 table newnet
    post-up ip rule add from 192.168.1.0/24 table newnet
    post-down ip rule del from 192.168.1.0/24 table newnet
</code></pre>
<h2 id="redhatishscientificcentosfedoraandthelike">Redhat"ish" (Scientific, Centos, Fedora and the like)</h2>
<p>You need to edit (or create) the files <em>/etc/sysconfig/network-scripts/route-eth{0,1}</em> to contain the following:</p>
<ul>
<li><p>/etc/sysconfig/network-scripts/route-eth0</p>
<pre><code>192.168.0.0/24 dev eth0 table oldnet
default via 192.168.0.1 dev eth0 table oldnet
</code></pre></li>
<li><p>/etc/sysconfig/network-scripts/route-eth1</p>
<pre><code>192.168.1.0/24 dev eth1 table newnet
default via 192.168.1.1 dev eth1 table newnet
</code></pre></li>
</ul>
<p>The rules are configured in <em>/etc/sysconfig/network-scripts/rule-eth{0,1}</em>:</p>
<ul>
<li><p>/etc/sysconfig/network-scripts/rule-eth0</p>
<pre><code>from 192.168.0.0/24 lookup oldnet
</code></pre></li>
<li><p>/etc/sysconfig/network-scripts/rule-eth1</p>
<pre><code>from 192.168.1.0/24 lookup newnet
</code></pre></li>
</ul>
<h2 id="opensuse11.1">openSUSE 11.1</h2>
<p>Sadly I was not able to find a "simple" way to configure it for openSUSE 11.1. As it's only a transitional situation I live with the routing not being reboot-safe. *fingers crossed*</p>
<p>bridge as gateway, http://wiebel.org//linux/network/bridge_as_gateway/, updated 2012-05-15T16:11:09Z, published 2012-05-15T15:41:49Z</p>
<h1 id="usingabridgeasagateway">Using a Bridge as a Gateway</h1>
<p>If you want to use a bridge as a gateway for other hosts you don't need the usual iptables NAT, but you have to disable the iptables hooks of the bridge altogether with these sysctl settings. Note that with the bridge-nf-call keys set to 0, frames forwarded by the bridge no longer pass through iptables, ip6tables or arptables at all, so any filtering of bridged traffic has to happen elsewhere:</p>
<pre><code># e.g. /etc/sysctl.d/bridge.conf (file name is arbitrary); apply with: sysctl -p FILE
# forward IPv4 packets between interfaces
net.ipv4.ip_forward = 1
# do not pass bridged frames through ip6tables/iptables/arptables
# (on kernels 3.18 and later these keys only exist once br_netfilter is loaded)
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
</code></pre>