Policy and Advanced Routing

From StarOS Community Wiki
Revision as of 06:09, 3 February 2008

Policy routing is not the same as dynamic routing.

Assume you have three Internet feeds: a DS3, a T1 and a 512 kbps ADSL line.

You could route web traffic to the DS3, FTP traffic to the T1, and all marked file-sharing traffic to the ADSL line.

You can further route certain important customers over the DS3 and the general run-of-the-mill accounts over the T1. Anybody who has been a pain gets the ADSL line and competes with the file-sharing crowd.

This is what you can do with source-based routing.


Examples:

The first rule is for all traffic, the second for a single IP, and the third for an entire subnet.

These are three separate examples; use only one rule per mark for a single destination. Use the same mark number only when you want to join multiple subnets or IPs under one policy.


Example 1:

Policy route all traffic to another gateway:

  iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -j MARK --set-mark 10

In policy route script:

  policy nfmark 10 { default 10.10.1.1 }


Example 2:

Policy route 192.168.1.2 to ADSL1:

  iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -s 192.168.1.2 -j MARK --set-mark 10

but policy route subnet 192.168.2.0/24 to ADSL2:

  iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -s 192.168.2.0/24 -j MARK --set-mark 20

In policy route script:

  policy nfmark 10 { default 10.10.1.1 }
  policy nfmark 20 { default 10.8.6.1 }


Example 3:

Policy routing 1 IP address and 2 subnets for all ports (all traffic) through gateway 10.10.1.1:

  policy from 192.168.3.23
  policy from 192.168.1.0/24
  policy from 192.168.2.0/24 { default 10.10.1.1 }
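An added consistency check for the mark-based examples above (this is example code, not StarOS or wiki code): it extracts the marks set by the iptables pass-through rules and the marks handled by policy nfmark blocks, and flags any mark that is set but never routed, since that traffic quietly takes the main default route instead of the intended gateway. The rule and policy text are constructed samples based on Example 2, and decimal mark numbers are assumed.

```shell
#!/bin/sh
# Added check (not StarOS code): every mark set by the firewall pass-through must have a
# matching "policy nfmark" block, or its traffic silently takes the main default route.
# Marks are assumed to be decimal, as in the examples above.

# Constructed sample firewall rules: mark 30 deliberately has no policy block.
FW_RULES='iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -s 192.168.1.2 -j MARK --set-mark 10
iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -s 192.168.2.0/24 -j MARK --set-mark 20
iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 21 -j MARK --set-mark 30'

# Constructed sample policy route script: mark 40 deliberately has no firewall rule.
POLICY='policy nfmark 10 { default 10.10.1.1 }
policy nfmark 20 { default 10.8.6.1 }
policy nfmark 40 { default 10.8.6.1 }'

# Marks set by "-j MARK --set-mark N", one per line, numerically sorted, unique.
fw_marks() {
  printf '%s\n' "$1" | sed -n 's/.*--set-mark \([0-9][0-9]*\).*/\1/p' | sort -un
}
# Marks referenced by "policy nfmark N { ... }" lines, same format.
policy_marks() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*policy nfmark \([0-9][0-9]*\).*/\1/p' | sort -un
}

# Marks the firewall sets but no policy block routes: the dangerous direction.
unrouted_marks() {
  fw_marks "$1" | while read -r m; do
    policy_marks "$2" | grep -qx "$m" || echo "$m"
  done
}
# Policy blocks that no firewall rule can ever select: dead configuration.
unused_policies() {
  policy_marks "$2" | while read -r m; do
    fw_marks "$1" | grep -qx "$m" || echo "$m"
  done
}

# Print a report; return 1 if any marked traffic would take the wrong route.
check_marks() {
  bad=0
  for m in $(unrouted_marks "$1" "$2"); do
    echo "WARNING: mark $m is set by iptables but has no 'policy nfmark $m' block"
    bad=1
  done
  for m in $(unused_policies "$1" "$2"); do
    echo "NOTE: 'policy nfmark $m' exists but no iptables rule sets mark $m"
  done
  return $bad
}

check_marks "$FW_RULES" "$POLICY" || echo "fix the policy route script before enabling it"
```

Run it against the real firewall pass-through text and policy route script before enabling a new policy; the WARNING lines are the ones that matter.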

Here is an excellent site for policy routing, with an online book.


If I want to route HTTP (mark 10) from subnet 192.168.220.0/24 to my proxy on 192.168.200.200, and it has to be routed through 192.168.3.100, what do I write?

Available options:

  a) policy from 192.168.2.0/24 { default 10.10.1.1 }
  b) policy to 192.168.2.0/24 { default 10.10.1.1 }
  c) policy nfmark 10 { default 10.10.1.1 } # match based on a netfilter mark (set with firewall 'iptables' pass through)
  d) policy tos ??? { default 10.10.1.1 } # match based on type-of-service


Options for inside of {}:

  a) net <network/bits> via <gateway-ip> [mtu XXXX] # static route declaration
  b) default <gateway-ip> [mtu XXXX] # default gateway (equiv. to net 0.0.0.0/0 via <gateway-ip>)