Linux Policy Routing

Most routing is destination based: the operating system uses the destination of the packet to pick the appropriate route from the routing table. Policy Routing can use many other criteria in its routing table. Policy Routing is supported by Cisco's IOS versions 11.2 and later and Linux kernel versions 2.2 and later.
Introduction
Policy Routing can be used on Linux to create a router, but can also be used on a Linux host for additional security or additional functionality. For example, policy routing can provide some redundancy to the firewalls by dropping packets based on their source addresses. Policy Routing can also control which ICMP messages, if any, are sent when packets are dropped.

The primary reason to use Policy Routing is to manage network resources. An enterprise may have a low-latency subnetwork along with less expensive subnets that also provide redundancy for the low latency network. Policy routing can be used to fine-tune access to these networks more precisely than routing rules based only on destination can.

Policy Routing has been implemented in Linux as part of iproute2. While most systems administrators are not familiar with iproute2, it is the current set of networking commands and has, at least in theory, replaced commands like ifconfig, arp, route and netstat.

Note that recent networking innovations like NFV (Network Function Virtualization) piggyback on this technology. For example, Cisco's NFVIS (Network Functions Virtualization Infrastructure Software) is based on Linux.

Setting Up Policy Routing
The high-level steps for setting up Policy Routing in Linux are:
  • create custom routing tables
  • create rules to tell the kernel which tables to use
  • turn on forwarding, if necessary


Policy Routing Configuration file
In Linux, Policy Routing’s configuration file is:
/etc/iproute2/rt_tables

The default version of the rt_tables file looks like:

# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep

Custom tables are registered under the "# local" section as "ID NAME" lines; the commented-out inr.ruhep entry is an example of one.

Tables
To display the settings for a table, where TABLE is a table name or number, use:
ip route show table TABLE

The best first example is table main, which is table 254. The data in this table will match what you see in netstat -rn and will precisely match what you see in ip route show.

Run one or both of the following commands:
ip route show table main
ip route show table 254


Compare with the output from:
ip route show
netstat -rn


Next, try:
ip route show table local
ip route show table 255

The kernel maintains the local routing table. You cannot add to the local table. You can remove entries from it, but you run the risk of breaking something.

The kernel will support another 252 routing tables.

Creating Custom Tables
When an interface is brought up, the network address is calculated using the address and subnet mask and a route is created to that network.

Routes are also created by the ip route command. A custom table is created or modified when the table is specified in the ip route command.

The basic command to add a route is:
ip route add NETWORK table TABLE via ADDRESS proto [ kernel | boot | static | NUMBER ]

NETWORK: a network address in CIDR form, for example 192.168.2.0/24
TABLE: the table name, which can be something like development or accounting
via ADDRESS: the address of the next-hop router
proto:
static: static route set by the administrator
kernel: route set by the Linux kernel
boot: route set by the boot-up process
NUMBER: functionality to allow for additional protocols

Example:
ip route add 192.168.2.0/24 table mytable via 10.2.3.1 proto static

Creating Policy Routing Rules
ip [-6] rule add SELECTOR [ lookup TABLE | blackhole | prohibit | throw | unreachable ]

Note: -6 is used for IPv6 rules; the following examples use IPv4 addresses.

The rule will take packets that match the SELECTOR and do one of the following:
blackhole: silently discard; best for dropping denial-of-service traffic
prohibit: send ICMP "administratively prohibited"
throw: send "net unreachable"
unreachable: send ICMP "host unreachable"
lookup TABLE: route according to the specified table

Some types of rule add selectors. In each form, ACTION is one of lookup TABLE, blackhole, prohibit, throw or unreachable as described above.

Match a source network:
ip rule add from NETWORK ACTION
Examples:
ip rule add from 192.0.2.0/24 lookup 100
ip rule add from 192.0.3.0/24 blackhole


Match a destination network:
ip rule add to NETWORK ACTION
Examples:
ip rule add to 192.0.2.0/24 lookup 110
ip rule add to 192.0.2.0/24 prohibit


Create a rule to match the inbound interface:
ip rule add iif INTERFACE ACTION
Note: use lo (the loopback interface) for local traffic
Examples:
ip rule add iif lo lookup 120
ip rule add iif eth0 lookup 130


Create a rule to match the outbound interface:
ip rule add oif INTERFACE ACTION
Note: matches locally generated traffic only
Example:
ip rule add oif eth0 lookup 140
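
Assembling the custom-table and rule steps above into a checked procedure, as an added example that is not part of the original article: ip only accepts a table name such as mytable once it is registered in rt_tables, so the script registers the name first (refusing reserved or duplicate ids) and then prints the route and rule commands for the page's example values. The functions rt_table_id, rt_table_add and policy_route_cmds are hypothetical helper names, and they operate on a scratch copy of the file rather than /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example (not from the article): manage custom table names in an
# rt_tables file and emit the route/rule commands for one policy table.
# FILE is a parameter so the functions can be tried on a scratch copy instead
# of /etc/iproute2/rt_tables.

# rt_table_id FILE NAME: print the numeric id registered for NAME, fail if absent.
rt_table_id() {
    sed 's/#.*//' "$1" | awk -v n="$2" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# rt_table_add FILE ID NAME: append "ID NAME" unless ID is non-numeric, reserved
# (0, 253-255 in the default file) or outside 1-252, or ID/NAME is already taken.
rt_table_add() {
    file=$1; id=$2; name=$3
    case $id in
        ''|*[!0-9]*) echo "rt_table_add: id '$id' is not numeric" >&2; return 1 ;;
    esac
    if [ "$id" -lt 1 ] || [ "$id" -gt 252 ]; then
        echo "rt_table_add: id $id is reserved or out of range (use 1-252)" >&2; return 1
    fi
    if sed 's/#.*//' "$file" | awk -v i="$id" -v n="$name" '$1 == i || $2 == n { f = 1 } END { exit !f }'; then
        echo "rt_table_add: id $id or name '$name' already registered in $file" >&2; return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# policy_route_cmds FILE NAME NETWORK VIA SOURCE: print the commands (run as root)
# that add a route for NETWORK to table NAME and send SOURCE traffic through it.
policy_route_cmds() {
    tid=$(rt_table_id "$1" "$2") || { echo "table '$2' is not in $1" >&2; return 1; }
    printf 'ip route add %s table %s via %s proto static\n' "$3" "$2" "$4"
    printf 'ip rule add from %s lookup %s\n' "$5" "$2"
    printf 'ip route show table %s\n' "$tid"
}

# Constructed scratch copy of the article's default rt_tables content.
RT_DEMO=$(mktemp)
printf '%s\n' '# reserved values' '255 local' '254 main' '253 default' \
    '0 unspec' '# local' '#1 inr.ruhep' > "$RT_DEMO"
rt_table_add "$RT_DEMO" 100 mytable
if rt_table_add "$RT_DEMO" 254 clash 2>/dev/null; then echo "BUG: reserved id accepted"; fi
policy_route_cmds "$RT_DEMO" mytable 192.168.2.0/24 10.2.3.1 192.0.2.0/24
rm -f "$RT_DEMO"
```

To apply this on a real host, pass /etc/iproute2/rt_tables as FILE and run the printed ip lines as root.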

Forwarding
Forwarding should be turned on only for hosts that will act as routers and forward data between networks. This is not necessary if your goal is to set up routing for packets originating from your host. In fact, forwarding should be left off if it is not needed.

To check if forwarding is on, confirm that the value in this file is 1:
/proc/sys/net/ipv4/ip_forward

If not, edit /etc/sysctl.conf and set the value as:
net.ipv4.ip_forward = 1
then run:
sysctl -p

Some versions of Linux also use /etc/sysconfig/sysctl, which will override the settings in /etc/sysctl.conf during startup. If /etc/sysconfig/sysctl exists, confirm it contains the following entry:
IP_FORWARD="YES"


Resources for Further Learning
man 8 ip
Policy Routing Book: http://www.policyrouting.org/PolicyRoutingBook/
Linux Advanced Routing & Traffic Control HOWTO: http://lartc.org/howto/index.html
Source code: https://wiki.linuxfoundation.org/networking/iproute2


