Difference between revisions of "Policy and Advanced Routing"

From StarOS Community Wiki
(Added full firewall and policy routing example)

Revision as of 15:08, 29 April 2011

Policy routing is not the same as dynamic routing.

Assume you have 3 Internet feeds. A DS3, a T1 and a 512 kbps ADSL.

You could route web traffic to the DS3, ftp traffic to the T1, and all marked file sharing to the ADSL line.

You can further route certain important customers to use the DS3 and the general run of the mill accounts to use the T1. Anybody that has been a pain gets the ADSL line and competes with the file sharing guys.

This is what you can do with source-based routing.


Examples:

The first rule is for all traffic, the second for a single IP, and the third for an entire subnet.

Those are just three separate examples; use only one of them, with its own mark, for a single destination. Only if you want to join multiple subnets or IPs under one route would you use the same mark number.


Example 1:

Policy route all HTTP traffic (destination port = 80) to another route:

  iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -j MARK --set-mark 10

In policy route script:

  policy nfmark 10 { default 10.10.1.1 }

Example 2:

Policy route 192.168.1.2 to ADSL1:

  iptables -A PREROUTING -i wpci1 -t mangle -s 192.168.1.2 -j MARK --set-mark 10

and policy route subnet 192.168.2.0/24 to ADSL2:

  iptables -A PREROUTING -i wpci1 -t mangle -s 192.168.2.0/24 -j MARK --set-mark 20

In policy route script:

  policy nfmark 10 { default 10.10.1.1 }
  policy nfmark 20 { default 10.8.6.1 }

Example 3:

Policy routing one IP address and two subnets for all ports (all traffic) through gateway 10.10.1.1:

  policy from 192.168.3.23
  policy from 192.168.1.0/24
  policy from 192.168.2.0/24 { default 10.10.1.1 }

Here is an excellent site for policy routing with an online book.


If I want to route HTTP (mark 10) from subnet 192.168.220.0/24 to my proxy on 192.168.200.200, and it has to be routed through 192.168.3.100, what do I write?

Available options:
a) policy from 192.168.220.0/24 { default 10.10.1.1 }
b) policy to 192.168.200.200 { default 10.10.1.1 }
c) policy nfmark 10 { default 10.10.1.1 } #match based on a netfilter mark (set with firewall 'iptables' pass through)
d) policy tos ??? { default 10.10.1.1 } # match based on type-of-service.


Options for inside of {}:
a) net <network/bits> via <gateway-ip> [mtu XXXX] # static route declaration
b) default <gateway-ip> [mtu XXXX] # default gateway (equivalent to net 0.0.0.0/0 via <gateway-ip>)

Full example of a working system:

From DrLove73's forum post:

I decided to treat you all to my optimized policy routing script from my main gateway router. The optimization is that it will mark priority packets first and then jump from the main chain, so I have minimized the number of rules those priority packets have to hit. If you put the most common rules (VOIP, icmp (ping), etc., then the largest in numbers) first in this template, they will leave the routing faster and latency will be minimized for them.

  ######### Start of Firewall Script ###########
  # Firewall Management Script
  link = ether1
  javne = ether2 # (public)
  net = vds1
  adsl-router = ether2
  # HTTP redirection:
  # 80 = ADSL, 200 = The rest, 10 = ADSL direct, 60 = VDS to Ljutez, 50 = MediaWorks
  # 70 = HTTP over Mediaworks, 61 = VDS to Router over PTT
  # 90 = VDS over SBB
  ####### via Mediaworks: #########
  lokalhttpmark = 50
  lokalmark = 50
  kancelarijahttpmark = 50
  kancelarijamark = 50
  kucahttpmark = 50
  kucamark = 50#80#50
  serverhttpmark = 50#80
  webradio = 50
  specizlaz = 50
  serverizlaz = 50#200
  dns = 50#80
  googledns = 50#80
  sendmail = 50
  alcom = 50
  altastel = 70
  alcomserver = 50
  vranjejavne = 50
  ljutezlink = 50 # Path to Ljutez's PUBLIC address (via Mediaworks)
  alcomvds = 61#60#61#60
  altastelvds = 70#60#61#60
  mediaworkslink = 50
  pttlink = 61#60#61
  httpmark = 50
  preusmeravanje = 50
  ########## ADSL: ##########
  #lokalhttpmark = 80 #This
  #lokalmark = 80 #This
  #kancelarijamark = 80
  #kancelarijahttpmark = 80 #This
  #serverhttpmark = 80 #This
  #kucahttpmark = 80#50
  #kucamark = 80
  #webradio = 80 #This
  #specizlaz = 80 #This
  #dns = 80 #This
  #googledns = 80
  #sendmail = 50
  #httpmark = 80 #This
  #preusmeravanje = 80 #This
  #serverizlaz = 50 #200 #This
  #alcom = 80 #This
  #altastel = 70#60 #This
  #alcomserver = 80 #This
  #vranjejavne = 80 #This
  #ljutezlink = 80#50 #This # Path to Ljutez's PUBLIC address (via Mediaworks)
  #alcomvds = 61#60 #This
  #altastelvds = 70#60 #This
  #pttlink = 61
  #vranjepttvds = 61
  #mediaworkslink = 50 #This
  ########## SBB: ##########
  #lokalhttpmark = 90 #This
  #lokalmark = 90 #This
  #kancelarijamark = 90
  #kancelarijahttpmark = 90 #This
  #serverhttpmark = 90 #This
  #kucahttpmark = 90#50
  #kucamark = 90
  #webradio = 90 #This
  #specizlaz = 90 #This
  #dns = 90 #This
  #googledns = 90
  #sendmail = 50
  #httpmark = 90 #This
  #preusmeravanje = 90 #This
  #serverizlaz = 50 #200 #This
  #alcom = 90 #This
  #alcomserver = 90 #This
  #vranjejavne = 90 #This
  #ljutezlink = 90#50 #This # Path to Ljutez's PUBLIC address (via Mediaworks)
  #alcomvds = 61#60 #This
  #altastelvds = 70#60 #This
  #pttlink = 61
  #vranjepttvds = 61
  #mediaworkslink = 50 #This

  # Drop packets conntrack cannot classify before any marking happens
  iptables -I PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP
  # SNAT for Kancfor Office
  iptables -t nat -A POSTROUTING -o eth1 -s 192.168.219.105 -d 10.0.1.100 -j MASQUERADE
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.105 -j SNAT --to xxx.yyy.zzz.92
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.204.200 -j SNAT --to xxx.yyy.zzz.93
  # JDownloaders:
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.115 -j SNAT --to xxx.yyy.zzz.89
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.125 -j SNAT --to xxx.yyy.zzz.91
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.135 -j SNAT --to xxx.yyy.zzz.93
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.145 -j SNAT --to xxx.yyy.zzz.94
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.155 -j SNAT --to xxx.yyy.zzz.90
  # Port forwards into the office machine (inserted at position 1 so they win)
  iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.92 -p tcp --dport 5900:5910 -j DNAT --to-destination 192.168.219.105
  iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.92 -p tcp --dport 22 -j DNAT --to-destination 192.168.219.105
  iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.92 -p tcp --dport 5000 -j DNAT --to-destination 192.168.219.105
  iptables -I FORWARD -d 192.168.219.105 -j ACCEPT
  # SNAT for brother
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.103 -j SNAT --to xxx.yyy.zzz.90
  # MASQUERADE takes no --to address; a fixed source address needs SNAT
  iptables -t nat -A POSTROUTING -o tap0 -s 192.168.0.0/16 -j SNAT --to xxx.yyy.zzz.162
  iptables -t nat -A POSTROUTING -o tap0 -s 172.26.0.0/12 -j SNAT --to xxx.yyy.zzz.162
  iptables -t nat -A POSTROUTING -o tap0 -s 10.0.0.0/8 -j SNAT --to xxx.yyy.zzz.162
  # DNS when local DNS servers do not work
  #forward udp to xxx.yyy.zzz.93 53 from any to xxx.yyy.zzz.89 53 in via any
  #forward udp to xxx.yyy.zzz.91 53 from any to xxx.yyy.zzz.93 53 in via any
  #forward udp to xxx.yyy.zzz.89 53 from any to xxx.yyy.zzz.93 53 in via any
  #forward udp to xxx.yyy.zzz.94 53 from any to xxx.yyy.zzz.89 53 in via any
  #forward udp to 8.8.8.8 53 from any to xxx.yyy.zzz.93 53 in via any
  #forward udp to 8.8.8.8 53 from any to xxx.yyy.zzz.89 53 in via any
  #forward udp to 8.8.8.8 53 from 192.168.0.0/16 to xxx.yyy.zzz.93 53 in via any
  #forward udp to 8.8.8.8 53 from 192.168.0.0/16 to xxx.yyy.zzz.89 53 in via any
  #forward udp to 8.8.8.8 53 from 172.16.0.0/12 to xxx.yyy.zzz.93 53 in via any
  #forward udp to 8.8.8.8 53 from 172.16.0.0/12 to xxx.yyy.zzz.89 53 in via any
  # Local network - skip marking and leave them alone
  iptables -t mangle -A PREROUTING -d xxx.yyy.zzz.88/29 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 172.26.0.0/16 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 172.28.0.0/16 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 172.29.0.0/16 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 172.20.0.0/16 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 172.21.0.0/16 -j MARK --set-mark 20
  #iptables -t mangle -A PREROUTING -d 172.24.0.0/16 -j MARK --set-mark 20
  # Altastel VDS - House
  iptables -t mangle -A PREROUTING -d 10.0.1.0/24 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 10.0.0.0/24 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 10.0.2.0/24 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 10.0.3.0/24 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 10.0.4.0/24 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -d 10.194.0.0/16 -j MARK --set-mark 20
  iptables -t mangle -A PREROUTING -m mark --mark 20 -j RETURN
  # Altastel
  iptables -t mangle -A PREROUTING -d 172.24.0.0/16 -j MARK --set-mark $altastelvds
  iptables -t mangle -A PREROUTING -m mark --mark $altastelvds -j RETURN
  # Alcom
  iptables -t mangle -A PREROUTING -d 172.25.0.0/16 -j MARK --set-mark $alcomvds
  iptables -t mangle -A PREROUTING -d 172.28.0.0/16 -j MARK --set-mark $alcomvds
  iptables -t mangle -A PREROUTING -d 172.27.0.0/16 -j MARK --set-mark $alcomvds
  iptables -t mangle -A PREROUTING -m mark --mark $alcomvds -j RETURN
  iptables -t mangle -A PREROUTING -d gg.hhh.jjj.128/29 -j MARK --set-mark $alcomserver
  iptables -t mangle -A PREROUTING -m mark --mark $alcomserver -j RETURN
  # MediaWorks
  iptables -t mangle -A PREROUTING -d xxx.yyy.208.0/24 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -d aaa.bbb.149.72/29 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -d aaa.bbb.132.96/28 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -d xxx.yyy.212.0/22 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -d xxx.yyy.216.0/23 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -d xxx.yyy.218.0/24 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -d xxx.yyy.209.0/24 -j MARK --set-mark $mediaworkslink
  iptables -t mangle -A PREROUTING -m mark --mark $mediaworkslink -j RETURN
  # DNS paths for Servers
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 53 -j MARK --set-mark $dns
  iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 --dport 53 -j MARK --set-mark $dns
  iptables -t mangle -A PREROUTING -m mark --mark $dns -j RETURN
  # Google DNS
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 -d 8.8.8.8 -j MARK --set-mark $googledns
  iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 -d 8.8.8.8 -j MARK --set-mark $googledns
  iptables -t mangle -A PREROUTING -m mark --mark $googledns -j RETURN
  # PTT mail
  iptables -t mangle -A PREROUTING -p tcp -d 212.62.57.0/28 --dport 110 -j MARK --set-mark $pttlink
  iptables -t mangle -A PREROUTING -p udp -d 212.62.57.0/28 --dport 110 -j MARK --set-mark $pttlink
  iptables -t mangle -A PREROUTING -m mark --mark $pttlink -j RETURN
  # Office computers
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.91 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.92 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -m mark --mark $kancelarijahttpmark -j RETURN
  # Servers outgoing
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 80 -j MARK --set-mark $serverhttpmark
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 873 -j MARK --set-mark $serverhttpmark
  iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 --dport 873 -j MARK --set-mark $serverhttpmark
  iptables -t mangle -A PREROUTING -m mark --mark $serverhttpmark -j RETURN
  # Sending of Mails
  iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 --dport 25 -j MARK --set-mark $sendmail
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 25 -j MARK --set-mark $sendmail
  iptables -t mangle -A PREROUTING -m mark --mark $sendmail -j RETURN
  ## HTTP
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.0/24 --dport 80 -j MARK --set-mark $kucahttpmark
  iptables -t mangle -A PREROUTING -m mark --mark $kucahttpmark -j RETURN
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.0/24 --dport 80 -j MARK --set-mark $lokalhttpmark
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.202.0/24 --dport 80 -j MARK --set-mark $lokalhttpmark
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.203.0/24 --dport 80 -j MARK --set-mark $lokalhttpmark
  iptables -t mangle -A PREROUTING -m mark --mark $lokalhttpmark -j RETURN
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.91 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.92 --dport 80 -j MARK --set-mark $kancelarijahttpmark
  iptables -t mangle -A PREROUTING -m mark --mark $kancelarijahttpmark -j RETURN
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 80 -j MARK --set-mark $httpmark
  iptables -t mangle -A PREROUTING -p tcp -s 172.26.0.0/16 --dport 80 -j MARK --set-mark $httpmark
  iptables -t mangle -A PREROUTING -m mark --mark $httpmark -j RETURN
  # Web Radio
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.0/24 --dport 8000:9100 -j MARK --set-mark $webradio
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.103 --dport 8000:9100 -j MARK --set-mark $webradio
  iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.101 --dport 8000:9100 -j MARK --set-mark $webradio
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.91 --dport 8000:9100 -j MARK --set-mark $webradio
  iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.92 --dport 8000:9100 -j MARK --set-mark $webradio
  iptables -t mangle -A PREROUTING -m mark --mark $webradio -j RETURN
  # Server total exit - unnecessary??
  iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.89 -j MARK --set-mark $serverizlaz
  # Server2 total exit - unnecessary??
  iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.93 -j MARK --set-mark $serverizlaz
  iptables -t mangle -A PREROUTING -m mark --mark $serverizlaz -j RETURN
  # Office total exit - unnecessary??
  iptables -t mangle -A PREROUTING -s 192.168.219.105 -j MARK --set-mark $kancelarijamark
  iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.92 -j MARK --set-mark $kancelarijamark
  iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.91 -j MARK --set-mark $kancelarijamark
  iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.90 -j MARK --set-mark $kancelarijamark
  iptables -t mangle -A PREROUTING -m mark --mark $kancelarijamark -j RETURN
  # Office2 - redirection
  iptables -t mangle -A PREROUTING -s 192.168.200.0/24 -j MARK --set-mark $lokalmark
  iptables -t mangle -A PREROUTING -s 192.168.202.0/24 -j MARK --set-mark $lokalmark
  iptables -t mangle -A PREROUTING -m mark --mark $lokalmark -j RETURN
  iptables -t mangle -A PREROUTING -s 192.168.219.0/24 -j MARK --set-mark $kucamark
  iptables -t mangle -A PREROUTING -m mark --mark $kucamark -j RETURN
  # Redirect everything else:
  iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark $preusmeravanje
  iptables -A PREROUTING -t mangle -s 172.26.0.0/16 -j MARK --set-mark $preusmeravanje
  iptables -A PREROUTING -t mangle -s 172.20.0.0/16 -j MARK --set-mark $preusmeravanje
  iptables -A PREROUTING -t mangle -s 172.21.0.0/16 -j MARK --set-mark $preusmeravanje
  iptables -A PREROUTING -t mangle -s xxx.yyy.zzz.88/29 -j MARK --set-mark $preusmeravanje
  # -j RETURN NOT NEEDED - it's the last set of rules!!!!
  ##### DHCP - Just my info page ######
  forward tcp to xxx.yyy.zzz.89 80 from 192.168.203.0/24 to any 80 out via any
  allow tcp from 192.168.203.0/24 to xxx.yyy.zzz.89 80 out via any
  deny all from 192.168.203.0/24 to any out via any
  # SMTP blocking:
  deny tcp from 192.168.0.0/16 to any 25 out via $mediaworks
  deny tcp from 172.16.0.0/12 to any 25 out via $mediaworks
  ######### End of Firewall Script ###########

All I have to do to redirect the desired traffic is to change the marking number for the respective variable.

Policy without marking demands File -> Activate changes. Marking traffic does not, only Apply changes to scripts.

  #########Start of Policy Script ###########
  # Policy and advanced routing
  # ADSL HTTP
  policy nfmark 80 { default 10.0.1.100 }
  ## VDS for SBB
  policy nfmark 90 { default 172.26.100.100 }
  # Not via ADSL
  policy nfmark 200 { default 172.26.21.100 }
  # VDS to Ljutez:
  policy nfmark 60 { default 172.26.0.100 }
  # VDS to Altastel:
  policy nfmark 70 { default 172.26.21.100 }
  # VDS to Vranje-PTT:
  policy nfmark 61 { default 172.28.0.100 }
  # MediaWorks:
  policy nfmark 50 { default xxx.yyy.zzz.161 }
  # MediaWorks (note: nfmark 70 is also declared above for Altastel):
  policy nfmark 70 { default xxx.yyy.zzz.161 }
  # P2P
  policy nfmark 10 { default xxx.yyy.zzz.91 }
  # VDS to Vranje:
  policy to 172.25.0.0/16 { default 172.28.0.100 }
  #########End of Policy Script ###########
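Two things can go wrong silently when the firewall script and the policy script are maintained by hand as described above: a mark set by a rule that is not followed by its `-m mark --mark X -j RETURN` keeps walking the chain and can be re-marked by a broader rule further down (the "redirect everything else" block), and a mark number that has no matching `policy nfmark` stanza sends its packets down the main routing table instead of the intended gateway. The checker below is an added example written for this page, not StarOS code or DrLove73's script. It parses the page's own syntax (`var = N` assignments with `#80#50` history comments, `--set-mark $var`, `policy nfmark N { ... }`) using only POSIX sh and awk; the two embedded scripts are constructed samples, and the variable names and addresses in them are placeholders.

```shell
#!/bin/sh
# Cross-check a StarOS-style firewall script against its policy script.
# Added example; constructed samples follow. Mark 61 is set without a RETURN
# and before a broader rule, mark 55 has no policy stanza, nfmark 70 is
# declared twice.
FW_SAMPLE='# Firewall Management Script (constructed sample)
httpmark = 50
kucamark = 55
pttlink = 61
preusmeravanje = 50#80
iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -m mark --mark 20 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -d 212.62.57.0/28 --dport 110 -j MARK --set-mark $pttlink
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 80 -j MARK --set-mark $httpmark
iptables -t mangle -A PREROUTING -m mark --mark $httpmark -j RETURN
iptables -t mangle -A PREROUTING -s 192.168.219.0/24 -j MARK --set-mark $kucamark
iptables -t mangle -A PREROUTING -m mark --mark $kucamark -j RETURN
# Redirect everything else:
iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark $preusmeravanje'

POLICY_SAMPLE='# Policy and advanced routing (constructed sample)
policy nfmark 50 { default 10.0.0.1 }
policy nfmark 61 { default 172.28.0.100 }
policy nfmark 70 { default 172.26.21.100 }
policy nfmark 70 { default 10.0.0.1 }
policy nfmark 20 { default 10.0.0.254 }'

# One record per marking rule, in script order: "SET <line> <mark>" for
# --set-mark, "RET <line> <mark>" for a RETURN keyed on a mark. $var is
# resolved through "var = N" assignments; a "#80#50" history suffix is dropped.
mark_events() {
  printf '%s\n' "$1" | awk '
    /^[A-Za-z_][A-Za-z0-9_]* *= */ { v=$3; sub(/#.*/, "", v); vars[$1]=v; next }
    /^iptables/ {
      kind=""; m=""
      for (i=1; i<=NF; i++) {
        if ($i=="--set-mark") { kind="SET"; m=$(i+1) }
        if ($i=="--mark" && $0 ~ /-j RETURN/) { kind="RET"; m=$(i+1) }
      }
      if (kind=="") next
      if (substr(m,1,1)=="$") m=vars[substr(m,2)]
      if (m=="") m="?"            # undefined variable: flagged as "?"
      print kind, NR, m
    }'
}

# Marks whose SET is followed by a SET of a different mark before any RETURN
# for it: a later, broader rule can overwrite them. A SET with nothing after
# it (the last block of the chain) needs no RETURN and is not reported.
overwritable_marks() {
  mark_events "$1" | awk '
    { kind[NR]=$1; mark[NR]=$3; n=NR }
    END {
      for (i=1; i<=n; i++) {
        if (kind[i]!="SET") continue
        exposed=0
        for (j=i+1; j<=n; j++) {
          if (kind[j]=="RET" && mark[j]==mark[i]) break
          if (kind[j]=="SET" && mark[j]!=mark[i]) { exposed=1; break }
        }
        if (exposed && !(mark[i] in seen)) { seen[mark[i]]=1; print mark[i] }
      }
    }'
}

# Every mark number that has a "policy nfmark N { ... }" stanza.
marks_with_policy() {
  printf '%s\n' "$1" | awk '$1=="policy" && $2=="nfmark" { print $3 }'
}

# Marks that are set but have no stanza: those packets use the main table.
unmatched_marks() {
  { marks_with_policy "$2" | sed 's/^/P /'
    mark_events "$1" | awk '$1=="SET" { print "S", $3 }'; } |
  awk '$1=="P" { pol[$2]=1; next }
       !($2 in pol) && !($2 in seen) { seen[$2]=1; print $2 }' | sort -n
}

# nfmark numbers declared more than once; which gateway wins is then unclear.
duplicate_stanzas() {
  printf '%s\n' "$1" | awk '$1=="policy" && $2=="nfmark" { n[$3]++ }
                            END { for (m in n) if (n[m]>1) print m }' | sort -n
}

# Run all checks; succeeds only when the pair of scripts is clean.
check_policy_routing() {
  rc=0
  for m in $(overwritable_marks "$1"); do
    echo "mark $m is set without a RETURN and can be overwritten by a later rule"; rc=1; done
  for m in $(unmatched_marks "$1" "$2"); do
    echo "mark $m has no 'policy nfmark' stanza: its packets take the default route"; rc=1; done
  for m in $(duplicate_stanzas "$2"); do
    echo "nfmark $m is declared more than once in the policy script"; rc=1; done
  return $rc
}

if check_policy_routing "$FW_SAMPLE" "$POLICY_SAMPLE"; then
  echo "policy routing configuration is consistent"
fi
```

To check a real pair of scripts, replace the two samples with `FW_SAMPLE=$(cat firewall.txt)` and `POLICY_SAMPLE=$(cat policy.txt)`; the variable resolution is deliberately simple and only understands the `name = value` form the page uses, so a variable that the checker cannot resolve shows up as `?`.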