Policy and Advanced Routing

From StarOS Community Wiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Policy routing is not the same as dynamic.

Assume you have 3 Internet feeds. A DS3, a T1 and a 512 kbps ADSL.

You could route web traffic to the DS3, ftp traffic to the T1, and all marked file sharing to the ADSL line.

You can further route certain important customers to use the DS3 and the general run of the mill accounts to use the T1. Anybody that has been a pain gets the ADSL line and competes with the file sharing guys.

This is what you can do with source based routing.


Examples:

First rule is for all traffic, second is for single IP, and third is for entire subnet.

Those are just 3 separate examples, use only one with the same mark for single destination. Only if you want to join multiple subnets or IP's you would use same mark number.


Example 1:

Policy route all HTTP trafic (destination port = 80) to another route:

   iptables -A PREROUTING -i wpci1 -t mangle -p tcp --dport 80 -j MARK --set-mark 10

In policy route script:

   policy nfmark 10 { default 10.10.1.1 }

Example 2:

Policy route 192.168.1.2 to ADSL1,:

   iptables -A PREROUTING -i wpci1 -t mangle -s 192.168.1.2 -j MARK --set-mark 10

but policy route subnet 192.168.2.0/24 to ADSL2:

   iptables -A PREROUTING -i wpci1 -t mangle -s 192.168.2.0/24 -j MARK --set-mark 20

In policy route script:

   policy nfmark 10 { default 10.10.1.1 }
   policy nfmark 20 { default 10.8.6.1 }

Example 3:

Policy routing 1 IP address and 2 subnets for all ports (all traffic) through gateway 10.10.1.1:

   policy from 192.168.3.23
   policy from 192.168.1.0/24
   policy from 192.168.2.0/24 { default 10.10.1.1 }

Here is excellent site for policy routing with online book.


If I want to route http (mark 10) from subnet 192.168.220.0/24 to my proxy on 192.168.200.200, and it has to be routed thru 192.168.3.100, what do I write?

Available options:
a) policy from 192.168.220.0/24 { default 10.10.1.1 }
b) policy to 192.168.200.200 { default 10.10.1.1 }
c) policy nfmark 10 { default 10.10.1.1 } #match based on a netfilter mark (set with firewall 'iptables' pass through)
d) policy tos ??? { default 10.10.1.1 } # match based on type-of-service.


Options for inside of {}:
a) net <network/bits> via <gateway-ip> [mtu XXXX] # static route declaration
b) default <gateway-ip> [mtu XXXX] # default gateway (equiv. to net 0.0.0.0/0 via <gateway-ip>")

Full example of a working system:

From DrLove73's forum post:

I decided to treat you all with my optimized policy routing script from my main gateway router. Optimization is that it will mark priority packets first and then jump from main chain so I have minimized number of rules those priority packets have to hit. If you put most common rules (VOIP, icmp(ping) , etc..., then largest in numbers) first in this template, they will faster leave the routing and latency will be minimized for them.

# Firewall Management Script

link        = ether1
javne       = ether2 # (public)
net         = vds1
adsl-router = ether2


# Preusmeravanje HTTP-a:
# 80 = ADSL, 200 = The rest, 10 = ADSL direkt., 60 = VDS to Ljutez, 50 = MediaWorks
# 70 = Http over Mediaworksa, 61 = VDS to Ruter over PTT-a
# 90 = VDS over SBB

####### via Mediaworks: #########
lokalhttpmark       = 50
lokalmark           = 50
kancelarijahttpmark = 50 
kancelarijamark     = 50 
kucahttpmark        = 50
kucamark            = 50#80#50
serverhttpmark      = 50#80
webradio            = 50
specizlaz           = 50
serverizlaz         = 50#200
dns                 = 50#80
googledns           = 50#80
sendmail            = 50
alcom               = 50
altastel            = 70
alcomserver         = 50
vranjejavne         = 50
ljutezlink          = 50  # Putanja do JAVNE adrese Ljuteza (preko Mediaworks-a)
alcomvds            = 61#60#61#60
altastelvds         = 70#60#61#60
mediaworkslink      = 50
pttlink             = 61#60#61
httpmark            = 50
preusmeravanje      = 50

########## ADSL: ##########
#lokalhttpmark       = 80        #Ovo
#lokalmark           = 80        #Ovo
#kancelarijamark     = 80 
#kancelarijahttpmark = 80        #Ovo
#serverhttpmark      = 80        #Ovo
#kucahttpmark        = 80#50
#kucamark            = 80
#webradio            = 80        #Ovo
#specizlaz           = 80        #Ovo
#dns                 = 80        #Ovo
#googledns           = 80
#sendmail            = 50
#httpmark            = 80        #Ovo
#preusmeravanje      = 80        #Ovo
#serverizlaz         = 50   #200 #Ovo
#alcom               = 80        #Ovo
#altastel            = 70#60     #Ovo
#alcomserver         = 80        #Ovo
#vranjejavne         = 80        #Ovo
#ljutezlink          = 80#50     #Ovo # Putanja do JAVNE adrese Ljuteza (preko Mediaworks-a)
#alcomvds            = 61#60     #Ovo
#altastelvds         = 70#60     #Ovo
#pttlink             = 61
#vranjepttvds        = 61
#mediaworkslink      = 50     #Ovo

########## SBB: ##########
#lokalhttpmark       = 90        #Ovo
#lokalmark           = 90        #Ovo
#kancelarijamark     = 90 
#kancelarijahttpmark = 90        #Ovo
#serverhttpmark      = 90        #Ovo
#kucahttpmark        = 90#50
#kucamark            = 90
#webradio            = 90        #Ovo
#specizlaz           = 90        #Ovo
#dns                 = 90        #Ovo
#googledns           = 90
#sendmail            = 50
#httpmark            = 90        #Ovo
#preusmeravanje      = 90        #Ovo
#serverizlaz         = 50   #200 #Ovo
#alcom               = 90        #Ovo
#alcomserver         = 90        #Ovo
#vranjejavne         = 90        #Ovo
#ljutezlink          = 90#50     #Ovo # Putanja do JAVNE adrese Ljuteza (preko Mediaworks-a)
#alcomvds            = 61#60     #Ovo
#altastelvds         = 70#60     #Ovo
#pttlink             = 61
#vranjepttvds        = 61
#mediaworkslink      = 50     #Ovo


iptables -I PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP

# SNAT za Kancfor Office
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.219.105 -d 10.0.1.100 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.105 -j SNAT --to xxx.yyy.zzz.92
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.204.200 -j SNAT --to xxx.yyy.zzz.93

# JDownloader-s:
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.115 -j SNAT --to xxx.yyy.zzz.89
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.125 -j SNAT --to xxx.yyy.zzz.91
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.135 -j SNAT --to xxx.yyy.zzz.93
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.145 -j SNAT --to xxx.yyy.zzz.94
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.155 -j SNAT --to xxx.yyy.zzz.90

iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.92 -p tcp --dport 5900:5910 -j DNAT --to-destination 192.168.219.105 
iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.92 -p tcp --dport 22 -j DNAT --to-destination 192.168.219.105 
iptables -t nat -I PREROUTING 1 -d xxx.yyy.zzz.92 -p tcp --dport 5000 -j DNAT --to-destination 192.168.219.105 
iptables -I FORWARD -d 192.168.219.105 -j ACCEPT

# SNAT for brother
iptables -t nat -A POSTROUTING -o tap0 -s 192.168.219.103 -j SNAT --to xxx.yyy.zzz.90

iptables -t nat -A POSTROUTING -o tap0 -s 192.168.0.0/16 -j MASQUARADE --to xxx.yyy.zzz.162
iptables -t nat -A POSTROUTING -o tap0 -s 172.26.0.0/12 -j MASQUARADE --to xxx.yyy.zzz.162
iptables -t nat -A POSTROUTING -o tap0 -s 10.0.0.0/8 -j MASQUARADE --to xxx.yyy.zzz.162

# DNS when local DNS servers do not work
#forward udp to xxx.yyy.zzz.93 53 from any to xxx.yyy.zzz.89 53 in via any
#forward udp to xxx.yyy.zzz.91 53 from any to xxx.yyy.zzz.93 53 in via any

#forward udp to xxx.yyy.zzz.89 53 from any to xxx.yyy.zzz.93 53 in via any
#forward udp to xxx.yyy.zzz.94 53 from any to xxx.yyy.zzz.89 53 in via any

#forward udp to 8.8.8.8 53 from any to xxx.yyy.zzz.93 53 in via any
#forward udp to 8.8.8.8 53 from any to xxx.yyy.zzz.89 53 in via any
#forward udp to 8.8.8.8 53 from 192.168.0.0/16 to xxx.yyy.zzz.93 53 in via any
#forward udp to 8.8.8.8 53 from 192.168.0.0/16 to xxx.yyy.zzz.89 53 in via any
#forward udp to 8.8.8.8 53 from 172.16.0.0/12 to xxx.yyy.zzz.93 53 in via any
#forward udp to 8.8.8.8 53 from 172.16.0.0/12 to xxx.yyy.zzz.89 53 in via any

# Lokal network - skip marking and leave them alone
iptables -t mangle -A PREROUTING -d xxx.yyy.zzz.88/29 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 172.26.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 172.28.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 172.29.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 172.20.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 172.21.0.0/16 -j MARK --set-mark 20
#iptables -t mangle -A PREROUTING -d 172.24.0.0/16 -j MARK --set-mark 20 # Altastel VDS - Kuca
iptables -t mangle -A PREROUTING -d 10.0.1.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 10.0.0.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 10.0.2.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 10.0.3.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 10.0.4.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -d 10.194.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -m mark --mark 20 -j RETURN

# Altastel
iptables -t mangle -A PREROUTING -d 172.24.0.0/16 -j MARK --set-mark $altastelvds
iptables -t mangle -A PREROUTING -m mark --mark $altastelvds -j RETURN
# Alcom
iptables -t mangle -A PREROUTING -d 172.25.0.0/16 -j MARK --set-mark $alcomvds
iptables -t mangle -A PREROUTING -d 172.28.0.0/16 -j MARK --set-mark $alcomvds
iptables -t mangle -A PREROUTING -d 172.27.0.0/16 -j MARK --set-mark $alcomvds
iptables -t mangle -A PREROUTING -m mark --mark $alcomvds -j RETURN
iptables -t mangle -A PREROUTING -d gg.hhh.jjj.128/29 -j MARK --set-mark $alcomserver
iptables -t mangle -A PREROUTING -m mark --mark $alcomserver -j RETURN

#MediaWorks
iptables -t mangle -A PREROUTING -d xxx.yyy.208.0/24 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -d aaa.bbb.149.72/29 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -d aaa.bbb.132.96/28 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -d xxx.yyy.212.0/22 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -d xxx.yyy.216.0/23 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -d xxx.yyy.218.0/24 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -d xxx.yyy.209.0/24 -j MARK --set-mark $mediaworkslink
iptables -t mangle -A PREROUTING -m mark --mark $mediaworkslink -j RETURN

# DNS paths for Servers
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 53 -j MARK --set-mark $dns
iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 --dport 53 -j MARK --set-mark $dns
iptables -t mangle -A PREROUTING -m mark --mark $dns -j RETURN

# Google DNS
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --d 8.8.8.8 -j MARK --set-mark $googledns
iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 --d 8.8.8.8 -j MARK --set-mark $googledns
iptables -t mangle -A PREROUTING -m mark --mark $googledns -j RETURN

# PTT mail
iptables -t mangle -A PREROUTING -p tcp -d 212.62.57.0/28 --dport 110 -j MARK --set-mark $pttlink
iptables -t mangle -A PREROUTING -p udp -d 212.62.57.0/28 --dport 110 -j MARK --set-mark $pttlink
iptables -t mangle -A PREROUTING -m mark --mark $pttlink -j RETURN

# Office computers
iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.91 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.92 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -m mark --mark $kancelarijahttpmark -j RETURN
# Servers outgoing
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 80 -j MARK --set-mark $serverhttpmark
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 --dport 873 -j MARK --set-mark $serverhttpmark
iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 --dport 873 -j MARK --set-mark $serverhttpmark
iptables -t mangle -A PREROUTING -m mark --mark $serverhttpmark -j RETURN

# Sending of Mails
iptables -t mangle -A PREROUTING -p udp -s xxx.yyy.zzz.88/29 -dport 25 -j MARK --set-mark $sendmail
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.88/29 -dport 25 -j MARK --set-mark $sendmail
iptables -t mangle -A PREROUTING -m mark --mark $sendmail -j RETURN

## HTTP
iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.0/24 --dport 80 -j MARK --set-mark $kucahttpmark
iptables -t mangle -A PREROUTING -m mark --mark $kucahttpmark -j RETURN
iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.0/24 --dport 80 -j MARK --set-mark $lokalhttpmark
iptables -t mangle -A PREROUTING -p tcp -s 192.168.202.0/24 --dport 80 -j MARK --set-mark $lokalhttpmark
iptables -t mangle -A PREROUTING -p tcp -s 192.168.203.0/24 --dport 80 -j MARK --set-mark $lokalhttpmark
iptables -t mangle -A PREROUTING -m mark --mark $lokalhttpmark -j RETURN
iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -p tcp -s 192.168.219.105 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.91 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.92 --dport 80 -j MARK --set-mark $kancelarijahttpmark
iptables -t mangle -A PREROUTING -m mark --mark $kancelarijahttpmark -j RETURN
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 80 -j MARK --set-mark $httpmark
iptables -t mangle -A PREROUTING -p tcp -s 172.26.0.0/16 --dport 80 -j MARK --set-mark $httpmark
iptables -t mangle -A PREROUTING -m mark --mark $httpmark -j RETURN 

# Web Radio
iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.0/24  --dport 8000:9100 -j MARK --set-mark $webradio
iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.103 --dport 8000:9100 -j MARK --set-mark $webradio
iptables -t mangle -A PREROUTING -p tcp -s 192.168.200.101 --dport 8000:9100 -j MARK --set-mark $webradio
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.91 --dport 8000:9100 -j MARK --set-mark $webradio
iptables -t mangle -A PREROUTING -p tcp -s xxx.yyy.zzz.92 --dport 8000:9100 -j MARK --set-mark $webradio
iptables -t mangle -A PREROUTING -m mark --mark $webradio -j RETURN

# Server total exit - unnecessary??
iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.89 -j MARK --set-mark $serverizlaz
# Server2 total exit - unnecessary??
iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.93 -j MARK --set-mark $serverizlaz
iptables -t mangle -A PREROUTING -m mark --mark $serverizlaz -j RETURN

# Office total exit - unnecessary??
iptables -t mangle -A PREROUTING -s 192.168.219.105 -j MARK --set-mark $kancelarijamark
iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.92 -j MARK --set-mark $kancelarijamark
iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.91 -j MARK --set-mark $kancelarijamark
iptables -t mangle -A PREROUTING -s xxx.yyy.zzz.90 -j MARK --set-mark $kancelarijamark
iptables -t mangle -A PREROUTING -m mark --mark $kancelarijamark -j RETURN

# Office2 - redirection
iptables -t mangle -A PREROUTING -s 192.168.200.0/24 -j MARK --set-mark $lokalmark
iptables -t mangle -A PREROUTING -s 192.168.202.0/24 -j MARK --set-mark $lokalmark
iptables -t mangle -A PREROUTING -m mark --mark $lokalmark -j RETURN
iptables -t mangle -A PREROUTING -s 192.168.219.0/24 -j MARK --set-mark $kucamark
iptables -t mangle -A PREROUTING -m mark --mark $kucamark -j RETURN

# Redirect everything else:
iptables -A PREROUTING -t mangle -s 192.168.0.0/16 -j MARK --set-mark $preusmeravanje
iptables -A PREROUTING -t mangle -s 172.26.0.0/16 -j MARK --set-mark $preusmeravanje
iptables -A PREROUTING -t mangle -s 172.20.0.0/16 -j MARK --set-mark $preusmeravanje
iptables -A PREROUTING -t mangle -s 172.21.0.0/16 -j MARK --set-mark $preusmeravanje
iptables -A PREROUTING -t mangle -s xxx.yyy.zzz.88/29 -j MARK --set-mark $preusmeravanje
# -j RETURN NOT NEDDED - it's last set of rules!!!!

##### DHCP - Just my info page######
forward tcp to xxx.yyy.zzz.89 80 from 192.168.203.0/24 to any 80 out via any
allow tcp from 192.168.203.0/24 to xxx.yyy.zzz.89 80 out via any
deny all from 192.168.203.0/24 to any out via any

# SMTP blocking:
deny tcp from 192.168.0.0/16 to any 25 out via $mediaworks
deny tcp from 172.16.0.0/12 to any 25 out via $mediaworks

All I have to do to redirect desired traffic is to change masking number for respective variable.

Policy without marking demands File ->Activate changes. Marking traffic does not, only to Aply changes to scripts.

# Policy and advanced routing


# ADSL HTTP
policy nfmark 80 {
                   default 10.0.1.100 }

## VDS za SBB
policy nfmark 90 {
                   default 172.26.100.100 }

# Ne preko ADSL-a
policy nfmark 200 {
                  default 172.26.21.100 }

# VDS do Ljuteza:
policy nfmark 60 {
                         default 172.26.0.100 }

# VDS do Altastel-a:
policy nfmark 70 {
                         default 172.26.21.100 }

# VDS do Vranja-PTT:
policy nfmark 61 {
                         default 172.28.0.100 }

# MediaWorks:
policy nfmark 50 {
                         default xxx.yyy.zzz.161 }

# MediaWorks:
policy nfmark 70 {
                         default xxx.yyy.zzz.161 }

# P2P
policy nfmark 10 {
                   default xxx.yyy.zzz.91 }

# VDS do Vranja:
policy to 172.25.0.0/16 {
                         default 172.28.0.100 }