[LARTC] policy routing at its best

[LARTC] policy routing at its best

[Tomas Bonnedahl]

hello list (and martin) ;x

i have now composed my final(?) policy routing design.

the goals i had when beginning with this, for you that have not follow
mine and martins thread, was to 1) only let 192.168.1/24 to see all routes,
2) not route between defined networks, except to and from 192.168.1/24 and 3) not 
defined networks should only be able to reach 192.168.1/24.

this might sound simple. it wasnt for me.

the solution i came up with, after days and days of thinking (and patience) was
this:

two routing tables, one called "ALL" that, suprisingly, held routes to all networks defined
and a default route to internet. the other called "main", just for ease, that held one route to 
192.168.1/24 and had a default prohibit.

the one rule that exists just says "if src = 192.168.1/24 use table ALL". of course there is
an additional rule, the standard one that says "from all lookup main" with a number of 32766.

so, for you that doesnt understand my poor english, literally every network that passes, except
from 192.168.1/24, will use the main table that just holds the route to 192.168.1/24 and the 
prohibit one.


this so simple, something just has to be wrong. feel free to englighten me.


please flame.

best regards,
tomas bonnedahl
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] policy routing at its best

[Martin A. Brown]

Hi there, Tomas,

Welcome back from your trip away!

 : the goals i had when beginning with this, for you that have not follow
 : mine and martins thread, was to
 :
 :  1) only let 192.168.1/24 to see all routes,
 :  2) not route between defined networks, except to and from 192.168.1/24
 :  3) not defined networks should only be able to reach 192.168.1/24
 :
 : this might sound simple. it wasnt for me.

Policy routing is difficult to describe in any language.  And thinking
about it isn't that easy either.....

 : two routing tables, one called "ALL" that, suprisingly, held routes to
 : all networks defined and a default route to internet. the other called
 : "main", just for ease, that held one route to 192.168.1/24 and had a
 : default prohibit.
 :
 : the one rule that exists just says "if src = 192.168.1/24 use table
 : ALL". of course there is an additional rule, the standard one that says
 : "from all lookup main" with a number of 32766.
 :
 : so, for you that doesnt understand my poor english, literally every
 : network that passes, except from 192.168.1/24, will use the main table
 : that just holds the route to 192.168.1/24 and the prohibit one.
 :
 : this so simple, something just has to be wrong. feel free to englighten
 : me.

What an elegant solution, Tomas!  I also could not believe how simple the
solution appeared at first, so I wrote it down (my notes are below), and I
find this a far simpler solution than anything either of us came up with
before.  It's neat to see the RPDB harnessed in this way.

Congratulations on your elegant solution,

-Martin

# -- RPDB addition
#
ip rule add from 192.168.1.0/24 lookup ALL
#
# -- implicit rule below
#
# ip rule add prio 32766 from all lookup main
#
# -- table ALL
#
ip route add table ALL $NETA via $ROUTERA
ip route add table ALL $NETB via $ROUTERB
ip route add table ALL $NETC via $ROUTERC
ip route add table ALL default via $ROUTERINET
#
# -- table main
#
ip route add 192.168.1.0/24 dev eth0
ip route add default prohibit

# -- all packets (to be routed) with source address of ANYWHERE
#    are only allowed to have destinations in 192.168.1.0/24
# -- all packets (to be routed) with source address of 192.168.1.0/24
#    are allowed to connect to any network

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] policy routing at its best

[Tomas Bonnedahl]

i have some additional information regarding this issue with policy routing.

on the router that has policy routing implemented, read further down for 
more information on my gols, three ethernet interfaces exists.

since the routing table 'main' just consists of a route to 192.168.1/24
with a prohihbit 0/0, you cannot from the router reach a network 
that is located on some of the other interfaces than 192.168.1/24 exists
on. this is because the src address in the packet will be the address of
that interface which the packet will exit. according to the rules that exists
in the RPDB, that address will use the routing table 'main' which, in turn,
does not have a route to that network. 

the solution to this would be to:
1. make (two) rules which says "if the src address of a packet is the adress
of an interface, use table 'all'". (also note that im using the /32 address)
2. add, in routing table 'main', routes to these /32 addresses.

the first part here is used so that a packet could be _sent_ away correct, the
second part is used so that a packets can come _back_ correct.

im sure martin have some insight in this, perhaps a simpler solution?

indeed, i did not think of this when implementing policy routing since i was 
only concerned with networks and not the router itself.

i hope this will help someone struggeling with policy routing.


best regards,
tomas bonnedahl

On Thu, Mar 06, 2003 at 04:31:42PM +0100, Tomas Bonnedahl wrote:
> hello list (and martin) ;x
> 
> i have now composed my final(?) policy routing design.
> 
> the goals i had when beginning with this, for you that have not follow
> mine and martins thread, was to 1) only let 192.168.1/24 to see all routes,
> 2) not route between defined networks, except to and from 192.168.1/24 and 3) not 
> defined networks should only be able to reach 192.168.1/24.
> 
> this might sound simple. it wasnt for me.
> 
> the solution i came up with, after days and days of thinking (and patience) was
> this:
> 
> two routing tables, one called "ALL" that, suprisingly, held routes to all networks defined
> and a default route to internet. the other called "main", just for ease, that held one route to 
> 192.168.1/24 and had a default prohibit.
> 
> the one rule that exists just says "if src = 192.168.1/24 use table ALL". of course there is
> an additional rule, the standard one that says "from all lookup main" with a number of 32766.
> 
> so, for you that doesnt understand my poor english, literally every network that passes, except
> from 192.168.1/24, will use the main table that just holds the route to 192.168.1/24 and the 
> prohibit one.
> 
> 
> this so simple, something just has to be wrong. feel free to englighten me.
> 
> 
> please flame.
> 
> best regards,
> tomas bonnedahl
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] policy routing at its best

[Tomas Bonnedahl]

hello again list. i have another solution to this that has some 
advantages over my last post. 

when dealing with packets and their 'coming-back' i choosed to add routes
to these networks in table 'main', instead i can create two more rules (a
total of four rules altogether) that looks like the first two but uses
the to parameter unstead of the from. (they'll just say "packets that is going
to x, use table 'all'").


-tomas bonnedahl

On Tue, Mar 11, 2003 at 05:32:51PM +0100, Tomas Bonnedahl wrote:
> i have some additional information regarding this issue with policy routing.
> 
> on the router that has policy routing implemented, read further down for 
> more information on my gols, three ethernet interfaces exists.
> 
> since the routing table 'main' just consists of a route to 192.168.1/24
> with a prohihbit 0/0, you cannot from the router reach a network 
> that is located on some of the other interfaces than 192.168.1/24 exists
> on. this is because the src address in the packet will be the address of
> that interface which the packet will exit. according to the rules that exists
> in the RPDB, that address will use the routing table 'main' which, in turn,
> does not have a route to that network. 
> 
> the solution to this would be to:
> 1. make (two) rules which says "if the src address of a packet is the adress
> of an interface, use table 'all'". (also note that im using the /32 address)
> 2. add, in routing table 'main', routes to these /32 addresses.
> 
> the first part here is used so that a packet could be _sent_ away correct, the
> second part is used so that a packets can come _back_ correct.
> 
> im sure martin have some insight in this, perhaps a simpler solution?
> 
> indeed, i did not think of this when implementing policy routing since i was 
> only concerned with networks and not the router itself.
> 
> i hope this will help someone struggeling with policy routing.
> 
> 
> best regards,
> tomas bonnedahl
> 
> On Thu, Mar 06, 2003 at 04:31:42PM +0100, Tomas Bonnedahl wrote:
> > hello list (and martin) ;x
> > 
> > i have now composed my final(?) policy routing design.
> > 
> > the goals i had when beginning with this, for you that have not follow
> > mine and martins thread, was to 1) only let 192.168.1/24 to see all routes,
> > 2) not route between defined networks, except to and from 192.168.1/24 and 3) not 
> > defined networks should only be able to reach 192.168.1/24.
> > 
> > this might sound simple. it wasnt for me.
> > 
> > the solution i came up with, after days and days of thinking (and patience) was
> > this:
> > 
> > two routing tables, one called "ALL" that, suprisingly, held routes to all networks defined
> > and a default route to internet. the other called "main", just for ease, that held one route to 
> > 192.168.1/24 and had a default prohibit.
> > 
> > the one rule that exists just says "if src = 192.168.1/24 use table ALL". of course there is
> > an additional rule, the standard one that says "from all lookup main" with a number of 32766.
> > 
> > so, for you that doesnt understand my poor english, literally every network that passes, except
> > from 192.168.1/24, will use the main table that just holds the route to 192.168.1/24 and the 
> > prohibit one.
> > 
> > 
> > this so simple, something just has to be wrong. feel free to englighten me.
> > 
> > 
> > please flame.
> > 
> > best regards,
> > tomas bonnedahl
> > _______________________________________________
> > LARTC mailing list / LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> > 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/