source based routing help needed - Networking


  1. source based routing help needed

    I've been doing linux for a long time, but never have gotten the hang of
    source based routing. I need to set this up now so I am seeing if someone
    can help me out... I've seen lots of examples using ppp0/ppp1 and ip
    addresses... but I just can't get a handle on this for my setup.

    I have
    eth0 ( local network )
    tun1 ( web server traffic that comes in via a tunnel )

    any traffic that comes in via the tun1 interface needs to go
    back out the tun1 interface.

    any traffic that comes in on the eth0 interface needs to go back
    out on the eth0 interface.

    I have this sort of working using standard routing where the 'default'
    route goes over my tunnel so any web traffic that comes in, goes back
    out that way correctly and I have my private network stuff set up to
    route via eth0. The issue I have with this is that if the web server
    does something like a yum update... the default route uses the tunnel
    and I want it to use the eth0 interface.

    How can I get source based routing to work on just the eth0 / tun1
    interfaces?

    Thanks - jack



    --

  2. Re: source based routing help needed

    >>>>> Jack Snodgrass writes:

    Jack> I've been doing linux for a long time, but never have gotten the hang of
    Jack> source based routing. I need to set this up now so I am seeing if someone
    Jack> can help me out... I've seen lots of examples using ppp0/ppp1 and ip
    Jack> addresses... but I just can't get a handle on this for my setup.

    Jack> I have
    Jack> eth0 ( local network )
    Jack> tun1 ( web server traffic that comes in via a tunnel )

    Jack> any traffic that comes in via the tun1 interface needs to go
    Jack> back out the tun1 interface.

    Jack> any traffic that comes in on the eth0 interface needs to go back
    Jack> out on the eth0 interface.

    Jack> I have this sort of working using standard routing where the 'default'
    Jack> route goes over my tunnel so any web traffic that comes in, goes back
    Jack> out that way correctly and I have my private network stuff set up to
    Jack> route via eth0. The issue I have with this is that if the web server
    Jack> does something like a yum update... the default route uses the tunnel
    Jack> and I want it to use the eth0 interface.

    I'm a little confused here. If you don't make the tunnel 'tun1' the default
    route, and make 'eth0' the default instead, what happens? I assume the following
    happens, but I'm not sure, so correct me if I'm wrong:

    tun1 - 192.168.1.1/24, eth0 - 10.0.2.1/24 (default route)

    so if the webserver listening on 192.168.1.1 receives a packet from
    10.3.4.5 on tun1, when it replies back, the reply goes out via eth0 (the
    gateway), since 10.3.4.5 belongs to none of the local networks. So
    there is absolutely no relation between the routing of the packet from
    10.3.4.5 and the packet to 10.3.4.5, right?

    Jack> How can I get source based routing to work on just the eth0 / tun1
    Jack> interfaces?

    You need to set up some routing rules.

    $tun1_gateway - tun1 gateway IPv4 address
    $eth0_gateway - eth0 gateway IPv4 address
    $tun1_ip - tun1 IPv4 address
    $eth0_ip - eth0 IPv4 address

    ----8<----8<----
    root@host # ip route add default via $tun1_gateway table 100
    root@host # ip route add default via $eth0_gateway table 101
    root@host # ip rule add from $tun1_ip table 100
    root@host # ip rule add from $eth0_ip table 101
    ---->8---->8----

    The above commands will create 2 source-based rules, which basically
    intend to route an outgoing packet via the interface corresponding to
    the packet's source address.

    ----8<----8<----
    root@host # ip route add default via $eth0_gateway
    ---->8---->8----

    And the above command will choose eth0 as the default route.

    For more information, check out LARTC[1].

    References:
    [1] - http://www.lartc.org/

    HTH
    --
    Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/

  3. Re: source based routing help needed

    Hello,

    Ashish Shukla wrote:
    >
    > I'm a little confused here. If you don't make the tunnel 'tun1' the default
    > route, and make 'eth0' the default instead, what happens? I assume the following
    > happens, but I'm not sure, so correct me if I'm wrong:
    >
    > tun1 - 192.168.1.1/24, eth0 - 10.0.2.1/24 (default route)
    >
    > so if the webserver listening on 192.168.1.1 receives a packet from
    > 10.3.4.5 on tun1, when it replies back, the reply goes out via eth0 (the
    > gateway), since 10.3.4.5 belongs to none of the local networks. So
    > there is absolutely no relation between the routing of the packet from
    > 10.3.4.5 and the packet to 10.3.4.5, right?


    I guess that there is some NAT involved, so routing has to be symmetrical.

    > Jack> How can I get source based routing to work on just the eth0 / tun1
    > Jack> interfaces?
    >
    > You need to set up some routing rules.
    >
    > $tun1_gateway - tun1 gateway IPv4 address
    > $eth0_gateway - eth0 gateway IPv4 address
    > $tun1_ip - tun1 IPv4 address
    > $eth0_ip - eth0 IPv4 address
    >
    > ----8<----8<----
    > root@host # ip route add default via $tun1_gateway table 100
    > root@host # ip route add default via $eth0_gateway table 101
    > root@host # ip rule add from $tun1_ip table 100
    > root@host # ip rule add from $eth0_ip table 101
    > ---->8---->8----
    >
    > The above commands will create 2 source-based rules, which basically
    > intend to route an outgoing packet via the interface corresponding to
    > the packet's source address.


    To do things properly you need to add routes overriding the source-based
    default routes in each table when the destination is in a directly
    attached network:

    $eth0_subnet - IP subnet on eth0
    $tun1_subnet - IP subnet or peer address on tun1

    ip route add $eth0_subnet dev eth0 table 100
    ip route add $tun1_subnet dev tun1 table 101
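As an added illustration of the rule and table walk that posts 2 and 3 describe (a model written for this page, not code from either poster), the following Python simulates the kernel's policy routing lookup over the tables above. The addresses, gateways and subnets are assumed values standing in for the $tun1_*/$eth0_* placeholders, and the run shows why post 3's connected-subnet routes are needed before a packet sourced from the tun1 address can reach the eth0 LAN directly.

```python
import ipaddress

# Constructed addresses (assumptions): the thread only uses $tun1_ip-style placeholders.
TUN1_IP, TUN1_GW, TUN1_NET = "192.168.1.1", "192.168.1.254", "192.168.1.0/24"
ETH0_IP, ETH0_GW, ETH0_NET = "10.0.2.1", "10.0.2.254", "10.0.2.0/24"

# Routing tables: table id -> list of (prefix, dev, via); via=None means directly attached.
# 254 is the kernel's "main" table; the "local" table (255) is left out of this model.
def base_tables():
    return {
        100: [("0.0.0.0/0", "tun1", TUN1_GW)],   # ip route add default via $tun1_gateway table 100
        101: [("0.0.0.0/0", "eth0", ETH0_GW)],   # ip route add default via $eth0_gateway table 101
        254: [(TUN1_NET, "tun1", None), (ETH0_NET, "eth0", None),   # connected routes in main
              ("0.0.0.0/0", "eth0", ETH0_GW)],   # ip route add default via $eth0_gateway
    }

# Policy rules in priority order: (source selector or None for "all", table id).
RULES = [(TUN1_IP, 100), (ETH0_IP, 101), (None, 254)]   # ip rule add from $tun1_ip table 100, ...

def lookup_table(routes, dst):
    """Longest-prefix match within one table; None if the table has no matching route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, via)
    return best and (best[1], best[2])

def route(tables, src, dst):
    """Walk the rules in order; a table with no matching route falls through to the next rule."""
    for selector, table in RULES:
        if selector is None or selector == src:
            hit = lookup_table(tables[table], dst)
            if hit:
                return hit
    return None

def with_connected_overrides(tables):
    """Post 3's fix: put each connected subnet into the other interface's table."""
    t = {k: list(v) for k, v in tables.items()}
    t[100].append((ETH0_NET, "eth0", None))   # ip route add $eth0_subnet dev eth0 table 100
    t[101].append((TUN1_NET, "tun1", None))   # ip route add $tun1_subnet dev tun1 table 101
    return t

if __name__ == "__main__":
    # Reply from the tun1 address to a LAN host: without the override it is pushed to the tunnel gateway.
    print(route(base_tables(), TUN1_IP, "10.0.2.7"))                            # ('tun1', '192.168.1.254')
    print(route(with_connected_overrides(base_tables()), TUN1_IP, "10.0.2.7"))  # ('eth0', None)
```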

  4. Re: source based routing help needed

    On Thu, 28 Feb 2008 02:24:21 +0000, Jack Snodgrass wrote:

    > I've been doing linux for a long time, but never have gotten the hang of
    > source based routing. I need to set this up now so I am seeing if
    > someone can help me out... I've seen lots of examples using ppp0/ppp1
    > and ip addresses... but I just can't get a handle on this for my setup.
    >
    > I have
    > eth0 ( local network )
    > tun1 ( web server traffic that comes in via a tunnel )
    >
    > any traffic that comes in via the tun1 interface needs to go back out
    > the tun1 interface.
    >
    > any traffic that comes in on the eth0 interface needs to go back out on
    > the eth0 interface.
    >
    > I have this sort of working using standard routing where the 'default'
    > route goes over my tunnel so any web traffic that comes in, goes back
    > out that way correctly and I have my private network stuff set up to
    > route via eth0. The issue I have with this is that if the web server
    > does something like a yum update... the default route uses the tunnel
    > and I want it to use the eth0 interface.
    >
    > How can I get source based routing to work on just the eth0 / tun1
    > interfaces?
    >
    > Thanks - jack


    Thanks... I kind of sort of came up with something that works... I added
    a "100 tunnel" entry to my /etc/iproute2/rt_tables file and then I use:

    iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 80 -j MARK --set-mark 0x2
    iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 25 -j MARK --set-mark 0x2
    ip rule add fwmark 0x2 table tunnel
    ip route add default via 10.10.3.1 table tunnel


    and that seems to do the trick. I really only want to do this for web and
    mail, so specifying the individual ports is fine.... anything that
    comes in for those ports from my tunnel gets marked and routed back out
    the tunnel. Everything else ( local network ) just goes over the default
    route, which happens to be the local network.

    --

  5. Re: source based routing help needed

    Jack Snodgrass wrote:
    >
    > Thanks... I kind of sort of came up with something that works... I added
    > a "100 tunnel" entry to my /etc/iproute2/rt_tables file and then I use:
    >
    > iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 80 -j MARK --set-mark 0x2
    > iptables -t mangle -A OUTPUT -p tcp --src 10.10.3.2 --sport 25 -j MARK --set-mark 0x2
    > ip rule add fwmark 0x2 table tunnel
    > ip route add default via 10.10.3.1 table tunnel
    >
    > and that seems to do the trick. I really only want to do this for web and
    > mail, so specifying the individual ports is fine.... anything that
    > comes in for those ports from my tunnel gets marked and routed back out
    > the tunnel.


    This is not what the above rules do. They just mark locally generated
    outgoing packets matching a specific source address and port. They do not
    take into account which interface the original packets came in on.
    That would require the iptables 'CONNMARK' target, e.g.:

    # mark incoming connections received on tun1
    iptables -t mangle -A PREROUTING -i tun1 -m state --state NEW,RELATED \
    -j CONNMARK --set-mark 0x2
    # copy the connection mark to outgoing packets
    iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
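To make post 5's point concrete, here is an added Python model (written for this page, not the poster's code) of both marking schemes: Jack's port-based MARK rules and the CONNMARK rules above, applied to the reply of a connection that arrived on eth0 versus one that arrived on tun1. The LAN client 192.168.0.20 and the eth0 gateway 192.168.0.1 are assumed values; 10.10.3.2 and 10.10.3.1 come from the thread.

```python
# Model of Jack's host: web/mail server on 10.10.3.2 behind tun1 (gateway 10.10.3.1),
# default route on eth0. Packets are dicts; a flow is keyed by its (src, sport, dst, dport).
TUN_GW, ETH_GW = "10.10.3.1", "192.168.0.1"   # 192.168.0.1 is an assumed LAN gateway
conntrack = {}   # flow key -> connection mark, filled by the PREROUTING CONNMARK rule

def flow_key(pkt):
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def reply_key(pkt):
    # The opposite direction of the same connection, as conntrack would match it.
    return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

def prerouting(pkt, in_iface):
    """iptables -t mangle -A PREROUTING -i tun1 -m state --state NEW,RELATED -j CONNMARK --set-mark 0x2"""
    if in_iface == "tun1" and flow_key(pkt) not in conntrack:
        conntrack[flow_key(pkt)] = 0x2
    else:
        conntrack.setdefault(flow_key(pkt), 0)

def mark_by_port(pkt):
    """Jack's rules: MARK --set-mark 0x2 on src 10.10.3.2 with sport 80 or 25, whatever the ingress."""
    return 0x2 if pkt["src"] == "10.10.3.2" and pkt["sport"] in (80, 25) else 0

def mark_by_connmark(pkt):
    """CONNMARK --restore-mark in OUTPUT: copy the mark PREROUTING stored on the connection."""
    return conntrack.get(reply_key(pkt), 0)

def next_hop(mark):
    """ip rule add fwmark 0x2 table tunnel; ip route add default via 10.10.3.1 table tunnel"""
    return TUN_GW if mark == 0x2 else ETH_GW

def reply_gateway(request, in_iface, marker):
    """Deliver a request arriving on in_iface, then route the server's reply with the given marking scheme."""
    prerouting(request, in_iface)
    reply = {"src": request["dst"], "sport": request["dport"], "dst": request["src"], "dport": request["sport"]}
    return next_hop(marker(reply))

if __name__ == "__main__":
    # Constructed request: a LAN client on eth0 connects to the server's tunnel address on port 80.
    lan = {"src": "192.168.0.20", "sport": 40001, "dst": "10.10.3.2", "dport": 80}
    print(reply_gateway(lan, "eth0", mark_by_port))      # 10.10.3.1: reply pushed into the tunnel
    print(reply_gateway(lan, "eth0", mark_by_connmark))  # 192.168.0.1: reply stays on eth0
```

The port rules also miss tunnel connections to any other port, while CONNMARK keeps every tun1 connection symmetric regardless of port.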
