* [LARTC] Policy Routing Help
From: russ @ 2002-04-01 17:45 UTC (permalink / raw)
  To: lartc

Hey guys, can anyone comment on this if it is possible?

My setup:

  Linux Box    Cable
   _____ E0    _____
   |   |_______|___|____
   |   |
   |   |        DSL 
   |   | E1    _____
   |   |_______|___|____
   |___|


Hopefully everyone can interpret my diagram.  Anyhow, I have an FTP 
server running off the Linux Box.  The DNS resolves to Eth0 which is the 
NIC attached to the Cable modem provider and the default route is set to 
the Cable next-hop.  Eth1 is attached to My Network.  What I would like to 
happen is that all incoming FTP traffic to Eth0 will always return out 
Eth0 through the Cable ISP.  Any other traffic will take the DSL provider 
via a default route to the DSL next-hop
  
I can think of 2 ways to do this:

1) Mark FTP traffic and create a rule to set the next-hop to the Cable 
default route

2) Configure policy routing such that if traffic is destined to Eth0 IP 
address, the next-hop is set to the Cable provider.  

Because there is a default route configured on the linux box to the Cable
ISP, all return traffic regardless of the interface it was received on
will always take the Cable ISP.  I would prefer option #2.  Can anyone
shed some light on the config necessary to do this?  This is pretty quick
and dirty with policy routing on IOS, but I am struggling a little bit on
the linux config.  Thanks all!


-- 
-Russ
essentialmix.ca


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Policy Routing Help
From: Arthur van Leeuwen @ 2002-04-02  8:31 UTC (permalink / raw)
  To: lartc

On Mon, 1 Apr 2002 russ@essentialmix.ca wrote:

> Hey guys, can anyone comment on this if it is possible?
>
> My setup:
>
>   Linux Box    Cable
>    _____ E0    _____
>    |   |_______|___|____
>    |   |
>    |   |        DSL
>    |   | E1    _____
>    |   |_______|___|____
>    |___|
>
>
> Hopefully everyone can interpret my diagram.  Anyhow, I have an FTP
> server running off the Linux Box.  The DNS resolves to Eth0 which is the
> NIC attached to the Cable modem provider and the default route is set to
> the Cable next-hop.  Eth1 is attached to My Network.  What I would like to
> happen is that all incoming FTP traffic to Eth0 will always return out
> Eth0 through the Cable ISP.  Any other traffic will take the DSL provider
> via a default route to the DSL next-hop
>
> I can think of 2 ways to do this:
>
> 1) Mark FTP traffic and create a rule to set the next-hop to the Cable
> default route
>
> 2) Configure policy routing such that if traffic is destined to Eth0 IP
> address, the next-hop is set to the Cable provider.

The latter is better. :)

> Because there is a default route configured on the linux box to the Cable
> ISP, all return traffic regardless of the interface it was received on
> will always take the Cable ISP.  I would prefer option #2.  Can anyone
> shed some light on the config necessary to do this?  This is pretty quick
> and dirty with policy routing on IOS, but I am struggling a little bit on
> the linux config.  Thanks all!

Very well:

One creates two additional routing tables, say E0 and E1. These are added in
/etc/iproute2/rt_tables. Then you set up routing in these tables as follows:

ip route add $CABLE_GW dev eth0 src $IP_ETH0 table E0
ip route add default via $CABLE_GW table E0
ip route add $DSL_GW dev eth1 src $IP_ETH1 table E1
ip route add default via $DSL_GW table E1

Next you set up the main routing table. It is usually a good idea to route
things to the direct neighbour through the interface connected to that
neighbour. Note the `src' arguments, they make sure the right outgoing IP
address is chosen.

ip route add $CABLE_GW dev eth0 src $IP_ETH0
ip route add $DSL_GW dev eth1 src $IP_ETH1
ip route add $CABLE_NET via $CABLE_GW
ip route add $DSL_NET via $DSL_GW

Then, your preference for default route:

ip route add default via $DSL_GW

Next, you set up the routing rules, making sure that you route out a given
interface if you already have the corresponding source address:

ip rule add from $IP_ETH0 table E0
ip rule add from $IP_ETH1 table E1

This set of commands makes sure all answers to traffic coming in on a
particular interface get answered from that interface. I set something like
this up back in 1999 for my then-current employer to deal with a 'secure'
leased line and a cable-modem, with e-mail coming in over both lines...

Doei, Arthur. (Who just now realises that ftpd's may actually still play
               havoc with this: set your server to passive-only, if you
               can.)

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching


* Re: [LARTC] Policy Routing Help
From: Patrick McHardy @ 2002-04-03 16:40 UTC (permalink / raw)
  To: lartc

On Mon, 1 Apr 2002 russ@essentialmix.ca wrote:

> Hopefully everyone can interpret my diagram.  Anyhow, I have an FTP 
> server running off the Linux Box.  The DNS resolves to Eth0 which is the 
> NIC attached to the Cable modem provider and the default route is set to 
> the Cable next-hop.  Eth1 is attached to My Network.  What I would like to 
> happen is that all incoming FTP traffic to Eth0 will always return out 
> Eth0 through the Cable ISP.  Any other traffic will take the DSL provider 
> via a default route to the DSL next-hop

add a new table named cable.out
ip rule add from <eth0-ip> lookup cable.out
ip route add default via x.x.x.x dev eth0 table cable.out
ip route add default via y.y.y.y dev eth1

bye patrick
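
An added check, not part of either reply above or of iproute2: it reads text in the format printed by `ip rule show` and `ip route show table all` and confirms that packets sourced from each uplink address default out that uplink, which is what the rule-plus-table commands in Arthur's and Patrick's replies are meant to achieve. The addresses, the deliberately wrong E1 route and the function names are constructed for illustration; only exact `from <address>` rules are matched.

```shell
#!/bin/sh
# Audit source-based policy routing from `ip` output (text only, no root needed).
# Live use: RULES=$(ip rule show); ROUTES=$(ip route show table all)

# Constructed sample. Table E1 is deliberately wrong: its default leaves via eth0.
RULES='0: from all lookup local
32764: from 203.0.113.10 lookup E1
32765: from 192.0.2.10 lookup E0
32766: from all lookup main'
ROUTES='default via 192.0.2.1 dev eth0 table E0
default via 203.0.113.1 dev eth0 table E1
default via 203.0.113.1 dev eth1'

# table_for SRC: table named by the first "from SRC" rule, else "main".
table_for() {
    printf '%s\n' "$RULES" | awk -v src="$1" '
        $2 == "from" && $3 == src && $4 == "lookup" { print $5; hit = 1; exit }
        END { if (!hit) print "main" }'
}

# default_dev TABLE: device of TABLE's default route (no "table" tag means main).
default_dev() {
    printf '%s\n' "$ROUTES" | awk -v want="$1" '
        $1 == "default" {
            tbl = "main"; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "table") tbl = $(i + 1)
                if ($i == "dev")   dev = $(i + 1)
            }
            if (tbl == want) { print dev; exit }
        }'
}

# audit SRC DEV: succeed only if packets sourced from SRC default out DEV.
audit() {
    tbl=$(table_for "$1")
    dev=$(default_dev "$tbl")
    if [ "$dev" = "$2" ]; then
        echo "OK   $1 -> table $tbl -> $dev"
    else
        echo "FAIL $1 -> table $tbl -> ${dev:-none} (expected $2)"
        return 1
    fi
}

audit 192.0.2.10 eth0            # cable address (sample)
audit 203.0.113.10 eth1 || true  # DSL address (sample): reports the bad E1 route
```

A failing audit means replies from that address would leave through the other provider, where ingress filtering or a stateful firewall may drop them.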

