Policy routing made friendly
#1
This is the best way to do policy routing.

In the policy script, just declare routes by nfmark (only marked packets are directed), and you will have no problem with declaring every possible way out (if you sometimes need to go to a particular address beside the exit route).

Policy script:
Code:
# Policy and advanced routing

policy nfmark 201 {
                   default 10.0.2.100 }

policy nfmark 202 {
                   default 10.0.2.200 }

# P2P
policy nfmark 10 {
                   default 10.0.2.100 }
How to mark packets:
Firewall script:
Code:
iptables -t mangle -A PREROUTING -p all -s 192.168.0.0/16 -j MARK --set-mark 201

iptables -t mangle -A PREROUTING -p all -s 192.168.1.0/24 -j MARK --set-mark 202
iptables -t mangle -A PREROUTING -p all -s 192.168.4.0/24 -j MARK --set-mark 202

iptables -t mangle -A PREROUTING -p all -s 192.168.4.133 -j MARK --set-mark 201
iptables -t mangle -A PREROUTING -p all -s 192.168.4.21 -j MARK --set-mark 201

# Making sure my internal network is still reachable by those policy routed:
iptables -t mangle -A PREROUTING -p all -d x.x.x.72/29 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p all -d x.x.x.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p all -d 192.168.0.0/16 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p all -d 172.16.0.0/12 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p all -d 10.0.2.100 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p all -d 10.0.2.200 -j MARK --set-mark 20
If you are using "-A" (append to the rules), then you first declare larger subnets, then smaller ones, and then individual IPs.

If you are using "-I" (insert at the top of the rule chain), then you do it the other way around, because every new insert goes on the top.

Also, DO NOT use POSTROUTING, it does not give desired results.

The last part makes sure that the listed IPs/subnets are reachable from the previously marked subnets/IPs. Mark 20 is not used anywhere, so it will bypass policy routing based on "nfmark".

The following example I use to quickly switch between alternative rules when I have a bunch of rules that need to go in the same direction:
Code:
# 120 = Through 192.168.120.0/24 link; 110 = Through 192.168.110.0/24 link
# (no space around "=", or the shell treats "httpmark=" and "120" as a command)
httpmark=120

# --dport needs a protocol that has ports (tcp here), and it takes two dashes
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 80 -j MARK --set-mark $httpmark
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.0/16 --dport 8000:9000 -j MARK --set-mark $httpmark
All you need to do is change the number in the httpmark variable and do advanced\scripts\activate script changes from the menu.

The same goes for the entire firewall, nat and cbq scripts. This way you do not disconnect all your clients like you will if you do file\activate changes from the menu (the only way to apply changes in the policy routing script).
Ljubomir Ljubojevic - Love is in the Air
Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS and CentOS/RHEL/Linux consultant
Powerful Starv3 manipulation tool - StarV3 Multipractik for Linux
#2
Policy routing has an issue with VDS for all versions prior to 1.4.4b. If the VDS link gets disconnected, the policy route will disappear and will not be active until "activate changes".

1.4.4b and later versions work as expected.
Ljubomir Ljubojevic - Love is in the Air
#3
I wonder if you could re-post the firewall script with a # after each line with an explanation of what each IP means in your network, i.e. iptables -t mangle -A PREROUTING -p all -d x.x.x.72/29 -j MARK --set-mark 20 # this is one of my public IPs
There's too many stupid people in the world, and they all have kids.
#4
There is not much to say.

If you use "-d" before the IP, then the rule will be hit if the destination (to) of the packet is that IP (server or target IP).
If you use "-s" before the IP, then the rule will be hit if the source (from) of the packet is that IP (client IP where the browser or ftp client is, or where the ping originates).

For example, if my PC has IP = 192.168.219.105, and I run a ping, or connect an ftp client to my server = 192.168.200.100, the following rules will be hit:
Code:
iptables -t mangle -A PREROUTING -p all -s 192.168.219.0/24 -j MARK --set-mark 202
iptables -t mangle -A PREROUTING -p all -s 192.168.219.105 -j MARK --set-mark 202
# and:
iptables -t mangle -A PREROUTING -p all -d 192.168.200.0/24 -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p all -d 192.168.200.100 -j MARK --set-mark 20

One notice:
I used mark 20 for rules I do NOT want to be hit, the ones that must be excluded from re-routing. The number is arbitrary; I just chose to leave it out of the policy routing script.

If you have any specific question, I will be happy to answer it.
Ljubomir Ljubojevic - Love is in the Air
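To see why the -A/-I ordering from post #1 matters and how the unused mark 20 from post #4 opts packets out of policy routing, here is an added Python simulation (not the StarOS scripts or the poster's code) that models the non-terminating MARK target and the nfmark-to-gateway mapping; the rule list and sample addresses are constructed from the posts.

```python
import ipaddress

# Constructed rule list mirroring post #1's mangle PREROUTING rules, as
# (match field, prefix, mark), in the order the firewall script issues them.
RULES = [
    ("s", "192.168.0.0/16", 201),
    ("s", "192.168.1.0/24", 202),
    ("s", "192.168.4.0/24", 202),
    ("s", "192.168.4.133/32", 201),
    ("s", "192.168.4.21/32", 201),
    ("d", "192.168.0.0/16", 20),
    ("d", "172.16.0.0/12", 20),
    ("d", "10.0.2.100/32", 20),
    ("d", "10.0.2.200/32", 20),
]

# Policy script: nfmark -> default gateway. Mark 20 is deliberately absent,
# so packets marked 20 fall through to the normal routing table.
POLICY = {201: "10.0.2.100", 202: "10.0.2.200", 10: "10.0.2.100"}


def build_chain(rules, mode="-A"):
    """Chain in evaluation order: -A appends, so script order is kept;
    -I puts each new rule on top, so the script order ends up reversed."""
    return list(rules) if mode == "-A" else list(reversed(rules))


def final_mark(chain, src, dst):
    """MARK --set-mark does not stop chain traversal: every matching rule
    overwrites the mark, so the last matching rule wins. 0 = unmarked."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = 0
    for field, prefix, m in chain:
        addr = src if field == "s" else dst
        if addr in ipaddress.ip_network(prefix):
            mark = m
    return mark


def gateway_for(chain, src, dst):
    """Gateway the policy script selects, or 'main' for normal routing."""
    return POLICY.get(final_mark(chain, src, dst), "main")


if __name__ == "__main__":
    for mode in ("-A", "-I"):
        chain = build_chain(RULES, mode)
        for src, dst in (("192.168.1.5", "8.8.8.8"), ("192.168.4.133", "10.0.2.200")):
            print(mode, src, "->", dst, "via", gateway_for(chain, src, dst))
```

With -A, 192.168.1.5 correctly ends up on the 202 gateway and traffic to 10.0.2.200 stays on the main table; issuing the same lines with -I reverses the chain, so the /16 rule wins last and both the 202 split and the mark 20 exclusion are lost.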
#5
Thanks. I got it going without too much trial and error.
#6
I have it set very nicely with variables. If my primary upstream link is broken, I uncomment (remove #) ~10 variables (below the active ones) and activate scripts, and all traffic is redirected to the secondary link (I have a third also; the second and third are ADSL and cable links with smaller capacity).
Ljubomir Ljubojevic - Love is in the Air