* Re: [LARTC] additional routes?
2002-11-28 15:30 [LARTC] additional routes? Tomas Bonnedahl
@ 2002-11-28 22:32 ` Martin A. Brown
2002-11-28 23:35 ` Tomas Bonnedahl
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Martin A. Brown @ 2002-11-28 22:32 UTC (permalink / raw)
To: lartc
(Forwarded to the list because I can't properly operate a MUA--maybe
they'll take away my license to read email someday.)
Tomas,
Perhaps you want a summary of how the kernel makes a routing decision?
See my description of the route selection process:
http://plorf.net/linux-ip/html/routing-selection.htm
I'm not sure you need policy routing though... If network B is reachable
from network A, and the router for network B is directly connected to
network A but is not the default gateway, you'll have something sort of
like this:
network-C via router-B
network-B via router-B
network-A dev ethX
default via default-gw
Is this your configuration? If so, then you need no policy routing.
-Martin
On Thu, 28 Nov 2002, Tomas Bonnedahl wrote:
: hello, a simple question; on a router, if I want network A to be routed
: to network C that goes through network B, using policy routing, do I
: need to specify a route to network B also, or could I just have routes
: to A and C in the routing table?
:
: the reason that I'm asking is because I don't know how the ip utility
: uses the main table together with another table. if I didn't use policy
: routing, just "regular", this would not work, but perhaps if not
: finding a route to network B, it checks the main table?
:
:
: please enlighten me.
:
: regards,
:
: tomas bonnedahl
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] additional routes?
From: Tomas Bonnedahl @ 2002-11-28 23:35 UTC (permalink / raw)
To: lartc
Thanks for your reply Martin, I am yet to read your paper.
The reason for using policy routing is that I manage several networks and I do want some kind of control on who can access whose network. This I thought is best accomplished with policy routing using ip route and ip rule.
If I want to allow hosts from network A to reach and talk to hosts on network C, but _not_ hosts on network B, is this best controlled by iptables? Since I now probably need to specify the route to network B in that very table, I cannot deny network A hosts to talk to network B with ip, or can I?
regards,
tomas bonnedahl
* Re: [LARTC] additional routes?
From: Martin A. Brown @ 2002-11-29 5:48 UTC (permalink / raw)
To: lartc
Tomas,
I'm glad to be of help.
: If I want to allow hosts from network A to reach and talk to hosts on
: network C, but _not_ hosts on network B, is this best controlled by
: iptables? Since I now probably need to specify the route to network B
: in that very table, I cannot deny network A hosts to talk to network B
: with ip, or can I?
I'd suggest you use iptables and a prohibit route:
http://plorf.net/linux-ip/html/tools-ip-route.htm#EX-TOOLS-IP-ROUTE-ADD-FROM
Here's an example:
# ip route add prohibit x.x.x.x/24 from y.y.y.y/24
I would be inclined to block packets at the packet filter as well.
# iptables -t filter -A FORWARD -d x.x.x.x/24 -s y.y.y.y/24 -j REJECT
Good luck,
-Martin
* Re: [LARTC] additional routes?
From: Tomas Bonnedahl @ 2002-11-29 7:39 UTC (permalink / raw)
To: lartc
Hello again and thanks for replying.
The prohibit rule is supposed to be in that particular table that I'm creating for hosts whose src address is network A?
I was also thinking of blackholing as default. Would this work?
ip route add networkB dev eth1 table X
ip route add networkA via networkB-router dev eth1 table X
ip route add blackhole 0/0 table X
<rule for making networkA hosts use table X>
since I don't want to use iptables too much either.
thanks
-tomas
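Added example, written by the editor and not taken from any message in this thread: a small Python model of the routing decision the messages argue about. It walks the ip rule entries in priority order, does a longest-prefix match in the table a rule selects, falls through to the next rule (and so eventually to main) when that table holds no matching route, and stops as soon as it hits a prohibit or blackhole route. The topology and numbers are constructed: network A is 10.1.0.0/24 on eth0, network B is 10.2.0.0/24 on eth1 with router-B at 10.2.0.1, network C is 10.3.0.0/24 behind router-B, and the default gateway is 192.0.2.1 on eth2. The main table is Martin's four-line sketch from his first reply; table X is Tomas's per-source table from his last message, selected by a rule matching packets from network A (priority 100 is an assumption), with Martin's prohibit route for network B added and the blackhole default made optional. Source selection is expressed through the rule rather than a from qualifier on the route, and the model ignores the local table, metrics and multipath.

```python
"""Toy model of the Linux policy-routing lookup discussed in this thread.

Constructed example, not kernel code: it models only what the thread touches
(rule priority order, longest-prefix match per table, fall-through to the next
rule when a table has no match, and the prohibit / blackhole / unreachable
route types).  All addresses and names below are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dst: str                      # destination prefix, e.g. "10.3.0.0/24"
    kind: str = "unicast"         # unicast | prohibit | blackhole | unreachable
    via: Optional[str] = None     # next-hop gateway; None = directly connected
    dev: Optional[str] = None     # outgoing interface


@dataclass
class Rule:
    prio: int                     # lower number is consulted first
    table: str                    # table to look up when the selector matches
    src: Optional[str] = None     # 'ip rule add from <src>' selector; None = any


def lookup_table(table, dst):
    """Longest-prefix match of dst within one table; None when nothing matches."""
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dst)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def decide(tables, rules, src, dst):
    """Walk the rules in priority order the way the RPDB does (simplified)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and src not in ipaddress.ip_network(rule.src):
            continue                      # selector does not match this packet
        hit = lookup_table(tables[rule.table], dst)
        if hit is None:
            continue                      # no route in this table: try the next rule
        if hit.kind == "unicast":
            hop = f"via {hit.via} " if hit.via else ""
            return f"forward {hop}dev {hit.dev}"
        return hit.kind                   # prohibit/blackhole/unreachable end the lookup
    return "no route"


# Constructed topology (assumed, not from the thread): A on eth0, B on eth1 with
# router-B at 10.2.0.1, C behind router-B, default gateway 192.0.2.1 on eth2.
NET_A, NET_B, NET_C = "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"

MAIN = [                                  # Martin's sketch from the first reply
    Route(NET_C, via="10.2.0.1", dev="eth1"),
    Route(NET_B, dev="eth1"),
    Route(NET_A, dev="eth0"),
    Route("0.0.0.0/0", via="192.0.2.1", dev="eth2"),
]


def table_x(blackhole_default: bool):
    """Tomas's table X for packets from network A, plus Martin's prohibit for B."""
    x = [Route(NET_C, via="10.2.0.1", dev="eth1"),
         Route(NET_B, kind="prohibit")]
    if blackhole_default:
        x.append(Route("0.0.0.0/0", kind="blackhole"))   # 'ip route add blackhole 0/0 table X'
    return x


def scenario(blackhole_default: bool):
    """Decisions for a few constructed packets with and without the blackhole default."""
    tables = {"main": MAIN, "X": table_x(blackhole_default)}
    rules = [Rule(100, "X", src=NET_A),   # 'ip rule add from 10.1.0.0/24 table X prio 100'
             Rule(32766, "main")]         # the standard main-table rule
    return {
        "A->C": decide(tables, rules, "10.1.0.7", "10.3.0.9"),
        "A->B": decide(tables, rules, "10.1.0.7", "10.2.0.9"),
        "A->internet": decide(tables, rules, "10.1.0.7", "203.0.113.5"),
        "B->A": decide(tables, rules, "10.2.0.9", "10.1.0.7"),
    }


if __name__ == "__main__":
    for bh in (False, True):
        print(f"blackhole default in table X: {bh}")
        for flow, outcome in scenario(bh).items():
            print(f"  {flow:12} {outcome}")
```

Running it shows the fallback Tomas asked about: without the blackhole default, a packet from A whose destination is absent from table X falls through to the main table and leaves via the default gateway, while with the blackhole default table X answers for everything from A, so the only outcomes besides the route to C are the prohibit for B (ICMP administratively prohibited) and the silent blackhole drop. Packets not from A never consult table X at all. A production router would still carry the iptables FORWARD rule Martin mentions, since a routing-table restriction is only as reliable as the tables and rules remaining exactly as configured.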