From: Tomas Bonnedahl <tomas@yes.nu>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] full policy routing
Date: Tue, 18 Feb 2003 21:01:13 +0000
Message-ID: <marc-lartc-104560216622920@msgid-missing>
In-Reply-To: <marc-lartc-104558134019449@msgid-missing>
hello again martin.

the setup i have in mind is not very exciting really. ;(

what i have is an internal router that transports data from ten different defined networks and of course "internet traffic". one of these defined networks is our lan 192.168.1/24.

the utopia that i'm trying to reach is that there is a routing table for each and every one of these defined networks. these routing tables will pretty much only say "192.168.1/24 is on eth1. drop all other traffic that is not destined for 192.168.1/24".

of course the table for 192.168.1/24 will have routes for all of these networks plus a default route to the internet. i then use rules for directing "from network x, use table x". the main table will just have one route, to 192.168.1/24, so that "internet traffic" can get through.

this is just for security, so that an ipsec defined network cannot reach the VoIP network and so on; every network should just be able to reach the lan.

should this work? perhaps that was what you meant when you talked about RPDB?

btw, seems like troubleshooting with policy routing isn't the easiest ;x

thanks,
tomas
On Tue, Feb 18, 2003 at 10:46:52AM -0600, Martin A. Brown wrote:
> : hello martin, thank you for your quick reply.
>
> My pleasure.
>
> : (the default routing table is empty for me, but is listed in
> : /etc/iproute2/rt_tables)
>
> True indeed....I guess I just don't know if it's a special table or just a
> convention. I have never used it. Any others on the list use the default
> table (table 253)?
>
> : i want to use "as many" rules as i can, meaning that the main table
> : will only have one route to my network, for traffic that comes from networks not
> : defined in the rules.
>
> I'm not quite sure I understand this completely. Do you wish to prefer
> the RPDB for route selection? I don't see any technical reason you
> couldn't configure one routing table for each class of outbound route, but
> it seems somewhat counterintuitive. Then again, perhaps I do not
> understand your desired goal. Explain more--sounds like an interesting
> approach.
>
> : now, about the local table. if the local table is the first one
> : consulted when the router is to determine a path for a packet, i don't
> : want that to be filled with rules that are not defined from that
> : network, but the rules maybe override that? when i looked in my local
> : table, i just see broadcast addresses and local connected addresses, as
> : you also said.
>
> The local table has only broadcast, local, and nat routes. There will not
> be routes for remote networks--try it, and you'll get:
>
> RTNETLINK answers: Invalid argument
>
> : any idea? it seems best to go with "ip route flush table main", btw,
> : you also reminded me to clean the other tables too when re-populating
> : the tables, i forgot it. thank you. ;)
>
> I have been bitten by that one before, too! ;)
>
> -Martin
>
> --
> Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
>
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
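The per-source-table layout Tomas describes, written out as an iproute2 script. This is an added example, not code from the thread or from the LARTC project; the interface names (eth0..eth3), the addresses (192.168.1.0/24 for the LAN, 10.10.0.0/24 and 10.20.0.0/24 standing in for two of the ten defined networks, 203.0.113.1 as the Internet gateway) and the table numbers 100..102 are assumed values chosen for illustration. Run it with DRYRUN=1 to review the generated ip(8) commands without root.

```shell
#!/bin/sh
# Added example (not from the thread): one routing table per source network,
# selected by "ip rule ... from <net>", so each defined network can reach the
# LAN and nothing else. All addresses, devices and table ids are constructed.
set -e

LAN_NET=192.168.1.0/24; LAN_DEV=eth1; LAN_TABLE=100
INET_GW=203.0.113.1;    INET_DEV=eth0
# defined networks as net:table:device (two of the ten, constructed values)
NETS="10.10.0.0/24:101:eth2
10.20.0.0/24:102:eth3"

# Execute a command, or only print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply() {
    # Re-populating without flushing leaves stale entries behind (Martin's
    # reminder), so every table is flushed first. "ip rule flush" keeps only
    # the local rule (priority 0); main and default are added back by hand.
    run ip rule flush
    run ip rule add priority 32766 lookup main
    run ip rule add priority 32767 lookup default

    # The LAN's own table: a route to every defined network plus the Internet.
    # "onlink" is needed because main will no longer hold the connected route
    # through which the gateway would otherwise be validated.
    run ip route flush table "$LAN_TABLE"
    echo "$NETS" | while IFS=: read -r net table dev; do
        run ip route add "$net" dev "$dev" table "$LAN_TABLE"
    done
    run ip route add default via "$INET_GW" dev "$INET_DEV" onlink table "$LAN_TABLE"
    run ip rule add from "$LAN_NET" lookup "$LAN_TABLE" priority 1000

    # One table per defined network: the LAN route and a rejecting default.
    # Because the rule already matched, the main/default tables are never
    # consulted for that source, so "unreachable default" is the drop.
    echo "$NETS" | while IFS=: read -r net table dev; do
        run ip route flush table "$table"
        run ip route add "$LAN_NET" dev "$LAN_DEV" table "$table"
        run ip route add unreachable default table "$table"
        run ip rule add from "$net" lookup "$table" priority 1100
    done

    # main: only the LAN, so sources matched by no rule reach the LAN and nothing else.
    run ip route flush table main
    run ip route add "$LAN_NET" dev "$LAN_DEV" table main
}

# Troubleshooting helper: ask the kernel which path a src/dst/iif triple takes.
# Usage: trace <src-addr> <dst-addr> <ingress-dev>
trace() {
    run ip route get "$2" from "$1" iif "$3"
}

# Command-line entry points; nothing runs when the file is merely sourced.
case "${1-}" in
    apply) apply ;;
    trace) trace "$2" "$3" "$4" ;;
esac
```

Verify with `ip rule show` and `ip route show table 101`; `trace 10.10.0.7 192.168.1.5 eth2` prints the table the kernel actually picked, which is the quickest way to see why a packet is (or is not) being forwarded. Note that the local table is still consulted at priority 0 before any of these rules, so addresses belonging to the router itself are never affected, and that rules keyed on source address only isolate at the routing layer; a packet filter is still where per-port or stateful policy belongs.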
Thread overview (8+ messages):
2003-02-18 15:14 [LARTC] full policy routing Tomas Bonnedahl
2003-02-18 15:26 ` Martin A. Brown
2003-02-18 16:02 ` Tomas Bonnedahl
2003-02-18 16:46 ` Martin A. Brown
2003-02-18 21:01 ` Tomas Bonnedahl [this message]
2003-02-19 1:01 ` Martin A. Brown
2003-02-19 16:58 ` Tomas Bonnedahl
2003-02-20 4:43 ` Martin A. Brown