Linux Policy Routing

Most routing is destination based: the operating system uses the destination address of the packet to pick the appropriate route from the routing table. Policy Routing can select routes using many other criteria. Policy Routing is supported by Cisco's IOS versions 11.2 and later and Linux kernel versions 2.2 and later.

Policy Routing can be used on Linux to create a router, but it can also be used on a Linux host for additional security or additional functionality. For example, policy routing can provide some redundancy for the firewalls by dropping packets based on their source addresses. Policy Routing can also control which ICMP messages, if any, are sent when packets are dropped.

The primary reason to use Policy Routing is to manage network resources. An enterprise may have a low-latency subnetwork along with less expensive subnets that also provide redundancy for the low latency network. Policy routing can be used to fine-tune access to these networks more precisely than routing rules based only on destination can.

Policy Routing was implemented in Linux as part of iproute2. While most systems administrators are not familiar with iproute2, it is the current set of networking commands and has, at least in theory, replaced commands like ifconfig, arp, route and netstat.

Note that recent networking innovations like NFV (Network Function Virtualization) build on this technology. For example, Cisco's NFVIS (Network Functions Virtualization Infrastructure Software) is based on Linux. Click here for an introductory document on NFV and NFVIS.

Setting Up Policy Routing
The high-level steps for setting up Policy Routing in Linux are:
  • create custom routing tables
  • create rules to tell the kernel which tables to use
  • turn on forwarding, if necessary

Policy Routing Configuration file
In Linux, Policy Routing’s configuration file is:

The default version of the rt_tables file looks like:

# reserved values
255 local
254 main
253 default
0 unspec
# local
#1 inr.ruhep

To display the settings for a table use:
ip route show table

The best first example is table main, which is table 254. The data in this table will match what you see in netstat -rn and will precisely match what you see in ip route show.

Run one or both of the following commands:
ip route show table main
ip route show table 254

Compare with the output from:
ip route show
netstat -rn

Next, try:
ip route show table local
ip route show table 255

The kernel maintains the local routing table. You cannot add to the local table. You can remove entries, but you run the risk of breaking something.

The kernel will support another 252 routing tables.

Creating Custom Tables
When an interface is brought up, the network address is calculated using the address and subnet mask and a route is created to that network.

Routes are also created by the ip route command. A custom table is created or modified when the table is specified in the ip route command.

The basic command to add a route is:
ip route add
proto [ kernel | boot | static | NUMBER ]

A network address in CIDR form:
Table name: can be something like development, accounting
via address: the address of the next hop router
static: static route set by administrator
kernel: set by Linux kernel
boot: route set by boot-up process
NUMBER: functionality to allow for additional protocols

ip route add table mytable via proto static
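The table-creation step above, as an added example that is not the article's own code: the script registers a name/number mapping in the rt_tables file (refusing numbers and names that are reserved or already in use) and then populates the table with a default route and static routes. The rt_tables path, the table name `development`, the number 100, the gateway 192.0.2.1 and the network 10.10.0.0/16 are all constructed for illustration; set `IP=echo` to print the `ip route` commands instead of applying them.

```shell
#!/bin/bash
# Added example (not from the article): register and populate a custom
# policy-routing table. Paths, table names and addresses are constructed.
set -eu

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"  # assumption: iproute2's table map
IP="${IP:-ip}"                                     # set IP=echo for a dry run

# table_entry_conflict FILE NUMBER NAME
# Succeed (exit 0) when NUMBER or NAME is already mapped in FILE, ignoring
# comment and blank lines. 0 and 253-255 are reserved by the kernel.
table_entry_conflict() {
    local file="$1" num="$2" name="$3"
    case "$num" in
        0|253|254|255) return 0 ;;
    esac
    awk -v n="$num" -v s="$name" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == n || $2 == s { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# register_table FILE NUMBER NAME: append the mapping unless it conflicts.
register_table() {
    local file="$1" num="$2" name="$3"
    if table_entry_conflict "$file" "$num" "$name"; then
        echo "refusing: $num/$name conflicts with a reserved or existing table" >&2
        return 1
    fi
    printf '%s %s\n' "$num" "$name" >> "$file"
}

# populate_table NAME GATEWAY DEV NETWORK...
# Add a default route via GATEWAY plus a static route for each NETWORK to
# table NAME. All routes are tagged "proto static" (set by an administrator).
populate_table() {
    local name="$1" gw="$2" dev="$3" net
    shift 3
    "$IP" route add default via "$gw" dev "$dev" table "$name" proto static
    for net in "$@"; do
        "$IP" route add "$net" via "$gw" dev "$dev" table "$name" proto static
    done
}

# Demo: ./tables.sh demo  (dry run against a throwaway copy of rt_tables)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '# reserved values\n255 local\n254 main\n253 default\n0 unspec\n' > "$tmp"
    register_table "$tmp" 100 development
    IP=echo
    populate_table development 192.0.2.1 eth0 10.10.0.0/16
    echo "would then verify with: ip route show table development"
    rm -f "$tmp"
fi
```

The conflict check matters because iproute2 resolves table names through this file: two names mapped to one number, or a number colliding with `main`, silently sends routes to the wrong table.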

Creating Policy Routing Rules
ip [-6] rule add |blackhole|prohibit|throw|unreachable>

Note:-6 is used for IPv6 rules; the following examples use IPv4 addresses.

The rule takes packets that match the rule's selector and does one of the following:
blackhole: silently discard; the best choice when absorbing denial-of-service traffic
prohibit: Send ICMP “administratively prohibited”
throw: Send “net unreachable”
unreachable: Send ICMP “host unreachable”
route according to the specified table

Some types of rule add options:

Match a source network:
ip rule add from
ip rule add from lookup 100
ip rule add from blackhole

Match a destination network
ip rule add to
ip rule add to lookup 110
ip rule add to prohibit

Create a rule to match inbound interface
ip rule add iif
Note: use lo (loopback interface) for local traffic
ip rule add iif lo lookup 120
ip rule add iif eth0 lookup 130

Create a rule to match outbound interface
ip rule add oif
Note: for locally generated traffic only
ip rule add oif eth0 lookup 140
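The source, destination and interface rules above, as an added example that is not the article's own code. The first function installs rules with explicit priorities, because the kernel evaluates rules in ascending priority order: a blackhole for a quarantined subnet is placed ahead of the lookup for its parent network, otherwise the lookup would route the traffic first. The second function audits text in `ip rule show` format and reports the first source-specific rule that covers a given IPv4 address, so the ordering can be verified after the fact. The networks 10.10.99.0/24 and 10.10.0.0/16, the tables 100 and 130, the interface eth0 and the sample rule listing are all constructed; set `IP=echo` to print instead of apply.

```shell
#!/bin/bash
# Added example (not from the article): install policy rules with explicit
# priorities and audit the live rule list. All addresses and table numbers
# are constructed for illustration.
set -eu
IP="${IP:-ip}"   # set IP=echo to print the commands instead of applying them

# install_rules: lower priority numbers are evaluated first, so the blackhole
# for the quarantined subnet precedes the lookup for the wider network.
install_rules() {
    "$IP" rule add priority 100 from 10.10.99.0/24 blackhole
    "$IP" rule add priority 200 from 10.10.0.0/16 lookup 100
    "$IP" rule add priority 300 to 172.16.0.0/12 prohibit
    "$IP" rule add priority 400 iif eth0 lookup 130
}

# first_rule_for_source RULES IP
# RULES is text in "ip rule show" format ("PRIO: from SRC [to DST] [iif DEV]
# ACTION [TABLE]"). Prints "PRIO ACTION" for the first rule whose "from"
# network contains IP. Catch-all rules ("from all") are skipped on purpose:
# the point of the audit is the ordering among source-specific rules.
first_rule_for_source() {
    local rules="$1" src="$2"
    printf '%s\n' "$rules" | awk -v src="$src" '
        function ip2n(a,   p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        # Prefix match without bitwise operators: compare the two addresses
        # after dropping the host bits by integer division.
        function in_net(ip, cidr,   q, bits, div) {
            split(cidr, q, "/")
            bits = (q[2] == "") ? 32 : q[2]
            div = 2 ^ (32 - bits)
            return int(ip2n(ip) / div) == int(ip2n(q[1]) / div)
        }
        {
            from = "all"; action = $NF
            for (i = 2; i <= NF; i++) {
                if ($i == "from") from = $(i + 1)
                if ($i == "lookup") action = "lookup " $(i + 1)
            }
            if (from != "all" && in_net(src, from)) {
                sub(/:$/, "", $1)
                print $1 " " action
                exit
            }
        }'
}

# quarantine_effective RULES IP: succeed only when the first source-specific
# rule covering IP discards it, i.e. no earlier lookup can route it instead.
quarantine_effective() {
    case "$(first_rule_for_source "$1" "$2")" in
        *" blackhole") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: ./rules.sh demo  (dry run, then audit the current host's rules)
if [ "${1:-}" = "demo" ]; then
    IP=echo
    install_rules
    if quarantine_effective "$(ip rule show)" 10.10.99.7; then
        echo "10.10.99.7 is blackholed before any lookup"
    else
        echo "10.10.99.7 is NOT caught by a blackhole first"
    fi
fi
```

Rules that only use `to`, `iif` or `oif` show up as `from all` and are skipped by the audit; extend the matcher if destination or interface ordering also needs checking.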

Turning On Forwarding
Forwarding should be turned on only for hosts that will act as routers and forward data between networks. This is not necessary if your goal is to set up routing for packets originating from your host. In fact, forwarding should be left off if it is not needed.

To check if forwarding is on, confirm that the value in this file is 1:

If not, edit /etc/sysctl.conf and set the value as:
net.ipv4.ip_forward = 1
then run:
sysctl -p

Some versions of Linux also use /etc/sysconfig/sysctl, which overrides the settings in /etc/sysctl.conf during startup. If /etc/sysconfig/sysctl exists, confirm the following entry:
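The forwarding check above, as an added example that is not the article's own code: it reads the running value, works out the value that will be in effect after reboot (the last uncommented `net.ipv4.ip_forward` line wins within a file, and an entry in /etc/sysconfig/sysctl takes precedence over /etc/sysctl.conf, as the article describes) and reports whether the two agree. The default path /proc/sys/net/ipv4/ip_forward for the running value is an assumption, as is treating a missing entry as 0; the sample files in the demo are constructed.

```shell
#!/bin/bash
# Added example (not from the article): compare the running IPv4 forwarding
# state with the persisted configuration. File paths are parameters so the
# functions can be run against constructed sample files.
set -eu

# sysctl_value FILE KEY: print the last uncommented "KEY = VALUE" in FILE
# (sysctl applies lines in order, so the last one wins); print nothing if the
# file is unreadable or does not set KEY.
sysctl_value() {
    local file="$1" key="$2"
    [ -r "$file" ] || return 0
    awk -v k="$key" -F'=' '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        {
            gsub(/[[:space:]]/, "", $1)
            if ($1 == k) { v = $2; gsub(/[[:space:]]/, "", v) }
        }
        END { if (v != "") print v }' "$file"
}

# persisted_forwarding SYSCTL_CONF [SYSCONFIG_SYSCTL]
# The value that will apply after boot. An entry in SYSCONFIG_SYSCTL, when
# that file exists, overrides SYSCTL_CONF. Assumption: no entry means the
# kernel default of 0.
persisted_forwarding() {
    local v o
    v=$(sysctl_value "$1" net.ipv4.ip_forward)
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        o=$(sysctl_value "$2" net.ipv4.ip_forward)
        if [ -n "$o" ]; then v="$o"; fi
    fi
    printf '%s\n' "${v:-0}"
}

# running_forwarding PROCFILE: the kernel's current value (0 or 1).
running_forwarding() {
    tr -d '[:space:]' < "$1"
}

# forwarding_report PROCFILE SYSCTL_CONF [SYSCONFIG_SYSCTL]
# Prints "consistent (N)", "runtime-only" (on now, off after reboot) or
# "boot-only" (off now, but will turn on at boot).
forwarding_report() {
    local now persisted
    now=$(running_forwarding "$1")
    persisted=$(persisted_forwarding "$2" "${3:-}")
    if [ "$now" = "$persisted" ]; then
        echo "consistent ($now)"
    elif [ "$now" = 1 ]; then
        echo "runtime-only"
    else
        echo "boot-only"
    fi
}

# Demo against the real host: ./forward-check.sh demo
if [ "${1:-}" = "demo" ]; then
    forwarding_report /proc/sys/net/ipv4/ip_forward /etc/sysctl.conf /etc/sysconfig/sysctl
fi
```

"boot-only" is the case worth catching on a host that is not meant to route: forwarding looks off today, but a stale entry will switch it on at the next reboot.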

Resources for Further Learning
man 8 ip
Policy Routing Book:
Linux Advanced Routing & Traffic Control HOWTO:
Source code:
