From: Arthur van Leeuwen <arthurvl@sci.kun.nl>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Policy Routing Help
Date: Tue, 02 Apr 2002 08:31:08 +0000
Message-ID: <marc-lartc-101773637306433@msgid-missing>
In-Reply-To: <marc-lartc-101768403719512@msgid-missing>
On Mon, 1 Apr 2002 russ@essentialmix.ca wrote:
> Hey guys, can anyone comment on this if it is possible?
>
> My setup:
>
> Linux Box Cable
> _____ E0 _____
> | |_______|___|____
> | |
> | | DSL
> | | E1 _____
> | |_______|___|____
> |___|
>
>
> Hopefully everyone can interpret my diagram. Anyhow, I have an FTP
> server running off the Linux Box. The DNS resolves to Eth0 which is the
> NIC attached to the Cable modem provider and the default route is set to
> the Cable next-hop. Eth1 is attached to My Network. What I would like to
> happen is that all incoming FTP traffic to Eth0 will always return out
> Eth0 through the Cable ISP. Any other traffic will take the DSL provider
> via a default route to the DSL next-hop
>
> I can think of 2 ways to do this:
>
> 1) Mark FTP traffic and create a rule to set the next-hop to the Cable
> default route
>
> 2) Configure policy routing such that if traffic is destined to Eth0 IP
> address, the next-hop is set to the Cable provider.
The latter is better. :)
> Because there is a default route configured on the linux box to the Cable
> ISP, all return traffic regardless of the interface it was received on
> will always take the Cable ISP. I would prefer option #2. Can anyone
> shed some light on the config necessary to do this? This is pretty quick
> and dirty with policy routing on IOS, but I am struggling a little bit on
> the linux config. Thanks all!
Very well:
One creates two additional routing tables, say E0 and E1. These are added in
/etc/iproute2/rt_tables. Then you set up routing in these tables as follows:
ip route add $CABLE_GW dev eth0 src $IP_ETH0 table E0
ip route add default via $CABLE_GW table E0
ip route add $DSL_GW dev eth1 src $IP_ETH1 table E1
ip route add default via $DSL_GW table E1
Next you set up the main routing table. It is usually a good idea to route
things to the direct neighbour through the interface connected to that
neighbour. Note the `src' arguments, they make sure the right outgoing IP
address is chosen.
ip route add $CABLE_GW dev eth0 src $IP_ETH0
ip route add $DSL_GW dev eth1 src $IP_ETH1
ip route add $CABLE_NET via $CABLE_GW
ip route add $DSL_NET via $DSL_GW
Then, your preference for default route:
ip route add default via $DSL_GW
Next, you set up the routing rules, making sure that you route out a given
interface if you already have the corresponding source address:
ip rule add from $IP_ETH0 table E0
ip rule add from $IP_ETH1 table E1
This set of commands makes sure all answers to traffic coming in on a
particular interface get answered from that interface. I set something like
this up back in 1999 for my then-current employer to deal with a 'secure'
leased line and a cable-modem, with e-mail coming in over both lines...
Doei, Arthur. (Who just now realises that ftpd's may actually still play
havoc with this: set your server to passive-only, if you can.)
--
/\ / | arthurvl@sci.kun.nl | Work like you don't need the money
/__\ / | A friend is someone with whom | Love like you have never been hurt
/ \/__ | you can dare to be yourself | Dance like there's nobody watching
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
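The recipe above, packaged as a script. This is an added example and not code from the original post: it emits the ip(8) commands as a reviewable plan, applies them only when asked (as root), and then checks with `ip route get` that a packet sourced from the cable address really leaves via the cable gateway while everything else takes the DSL default. All addresses are placeholders from the RFC 5737 documentation ranges, the /28 link prefixes and the table ids 100/101 are assumptions, and `$CABLE_NET`/`$DSL_NET` stand for each ISP's wider block beyond the directly connected link.

```shell
#!/bin/sh
# Added example, not code from the original post: the source-based policy
# routing recipe from the reply above, packaged as a reviewable script.
# Addresses are placeholders from the RFC 5737 documentation ranges and the
# /28 link prefixes are an assumption; substitute your ISPs' values.
set -eu

# Cable side (eth0): host address, gateway, and the ISP's wider block that
# should be reached via the cable gateway even for locally originated traffic.
IF_CABLE=eth0;  IP_CABLE=203.0.113.10;  CABLE_GW=203.0.113.1;  CABLE_NET=203.0.113.0/24
# DSL side (eth1): the preferred default route for everything else.
IF_DSL=eth1;    IP_DSL=198.51.100.10;   DSL_GW=198.51.100.1;   DSL_NET=198.51.100.0/24

RT_TABLES=/etc/iproute2/rt_tables

# Name the two extra tables (ids 100/101 are an arbitrary free choice).
ensure_rt_table() {  # $1 = table id, $2 = table name
    grep -qE "^[0-9]+[[:space:]]+$2\$" "$RT_TABLES" \
        || printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
}

# Emit the ip(8) commands rather than run them, so the plan can be read (or
# asserted on) before it touches a live router. 'replace' is used instead of
# 'add' for routes so a re-run does not fail with EEXIST. Note the 'src' on
# each host route to a gateway: it pins the address used for packets the box
# itself originates towards that neighbour.
gen_policy_routing_cmds() {
    cat <<EOF
ip route replace $CABLE_GW dev $IF_CABLE src $IP_CABLE table E0
ip route replace default via $CABLE_GW table E0
ip route replace $DSL_GW dev $IF_DSL src $IP_DSL table E1
ip route replace default via $DSL_GW table E1
ip route replace $CABLE_GW dev $IF_CABLE src $IP_CABLE
ip route replace $DSL_GW dev $IF_DSL src $IP_DSL
ip route replace $CABLE_NET via $CABLE_GW
ip route replace $DSL_NET via $DSL_GW
ip route replace default via $DSL_GW
ip rule add from $IP_CABLE table E0
ip rule add from $IP_DSL table E1
ip route flush cache
EOF
}

# Output-route lookups with an explicit source go through the policy rules,
# which is exactly the path a reply packet takes (it carries the address the
# request was sent to as its source). 192.0.2.1 is an arbitrary remote host.
verify_policy_routing() {
    ip route get 192.0.2.1 from "$IP_CABLE" | grep -q "via $CABLE_GW dev $IF_CABLE"
    ip route get 192.0.2.1 from "$IP_DSL"   | grep -q "via $DSL_GW dev $IF_DSL"
    ip route get 192.0.2.1                  | grep -q "via $DSL_GW dev $IF_DSL"
}

apply_policy_routing() {
    ensure_rt_table 100 E0
    ensure_rt_table 101 E1
    # 'ip rule add' happily duplicates on re-run, so clear our two rules first.
    ip rule del from "$IP_CABLE" table E0 2>/dev/null || true
    ip rule del from "$IP_DSL"   table E1 2>/dev/null || true
    gen_policy_routing_cmds | sh -e
    verify_policy_routing
}

# Print the plan by default; APPLY=1 (run as root) executes and verifies it.
if [ "${APPLY:-0}" = 1 ]; then apply_policy_routing; else gen_policy_routing_cmds; fi
```

Run it once without arguments to read the plan, then `APPLY=1 sh policy-routing.sh` as root. The `ip route flush cache` line only matters on kernels old enough to have a route cache (removed in 3.6); on newer kernels it is a harmless no-op. The `from` rules also matter for strict reverse-path filtering: with `rp_filter=1` the kernel checks an incoming packet by looking up its source through the same policy rules, so without these rules an inbound packet on the cable interface whose reply would go out via the DSL default gets dropped as a reverse-path failure. As the reply notes, this arranges source-address symmetry for replies only; an ftpd in active mode opens its own outbound data connection, and which line that takes depends on the address the daemon binds, so passive-only is the safe setting.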
Thread overview: 3+ messages
2002-04-01 17:45 [LARTC] Policy Routing Help russ
2002-04-02 8:31 ` Arthur van Leeuwen [this message]
2002-04-03 16:40 ` Patrick McHardy