A Quick Introduction to Linux Policy Routing


2013

In this post, I'm going to introduce policy routing as implemented in recent versions of Ubuntu Linux (and possibly other Linux distributions as well, but I'll be using Ubuntu 12.04 LTS). Policy routing gives us a great deal of flexibility in how we direct traffic out of a Linux host; I'll discuss a practical application of this configuration in a future blog post. For now, though, let's just focus on how to configure policy routing.

There are a couple of parts involved in policy routing:

    • Policy routing tables: Linux comes with three by default: local (which cannot be modified or deleted), main, and default. Somewhat unintuitively, routes added to the system without a routing table specified go to the main table, not the default table.

    • Policy routing rules: Again, Linux comes with three rules by default, one for each of the default routing tables.

In order to leverage policy routing for our purposes, we need to do three things:

    1. We need to create a custom policy routing table.

    2. We need to create one or more custom policy routing rules.

    3. We need to populate the custom policy routing table with routes.

Let's look at each of these steps separately.

Creating a Custom Policy Routing Table

The first step is to create a custom policy routing table. Each table is represented by an entry in the file /etc/iproute2/rt_tables, so creating a new table is generally accomplished with a command like this:

echo 200 custom >> /etc/iproute2/rt_tables

This creates a table with the ID 200 and the name "custom". You'll reference this name later as you create the rules and populate the table with routes, so make note of it. Because this entry is contained in the rt_tables file, it will persist across reboots.

Creating Policy Routing Rules

The next step is to create the policy routing rules that tell the system which table to consult to determine the correct route. In this particular case, I'm going to use the source address (i.e., the originating address of the traffic) as the determining factor in the rule. This is a common application of policy routing, and for that reason it's often referred to as source routing.

To create the policy routing rule, use this command:

ip rule add from <source address> lookup <table name>

Let's say that we wanted to create a rule that told the system to use the "custom" table we created earlier for all traffic originating from the source address 192.168.30.200. The command would look like this:

ip rule add from 192.168.30.200 lookup custom

You can see all of the policy routing rules currently in effect using this command:

ip rule list

As I mentioned at the beginning of this article, there are default rules that govern the use of the local, main, and default tables (the built-in tables). Once you've added your rule, you should see it listed there as well.

There is a problem here, though: rules created this way are ephemeral and will disappear when the system is restarted (or when networking is restarted). To make the rules persist, add a line like this to /etc/network/interfaces:

post-up ip rule add from 192.168.30.200 lookup custom

You'd want to place this line in the configuration stanza that configures the interface with the address 192.168.30.200. The rule should then persist across reboots and across network restarts.

Populating the Routing Table

Once we have the custom policy routing table created and a rule defined that directs the system to use it, we need to populate the table with the correct routes. The generic command to do this is ip route add, but with a specific table parameter added.

Using our previous example, let's say we wanted to add a default route that is specific to traffic originating from 192.168.30.200. We've already created a custom policy routing table, and we have a rule that directs the system to use that table for traffic originating from that address. To add a new default route specifically for that interface, you'd use this command:

ip route add default via 192.168.30.1 dev eth1 table custom

Naturally, you'd want to substitute the correct default gateway for 192.168.30.1 and the correct interface for eth1 in the above command, but this should give you the idea. Of course, you don't have to use default routes; you could install specific routes in the custom policy routing table as well. This also works on VLAN sub-interfaces, so you could create per-VLAN routing tables:

ip route add default via 192.168.30.1 dev eth0.30 table vlan30

This command installs a default route for the 192.168.30.x interface in VLAN 30, using a table named "vlan30" (note that the table needs to be created before you can add routes to it, as far as I can tell).

As with the policy routing rules, routes added this way are not persistent, so you'll want to make them persistent by adding a line like this to your /etc/network/interfaces configuration file:

post-up ip route add default via 192.168.30.1 dev eth1 table custom

This will ensure that the appropriate routes are added to the appropriate policy routing table when the corresponding network interface is brought up.
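To tie the three steps together, here is an added shell example of my own; it is not code from the original post. It keeps the rt_tables entry idempotent (the bare echo >> rt_tables above happily appends a duplicate ID or name if run twice or with a typo), generates the post-up lines for the interfaces stanza, and verifies that the rule shows up in ip rule list output. It works on a constructed copy of rt_tables and on constructed ip rule list text rather than touching the live system, so it runs without root. The function names, the reserved-ID check and the pre-down ip rule del line are my additions and assumptions; the post itself shows only post-up.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's three steps
# (table entry in rt_tables, ip rule, ip route ... table) in small functions
# that can be checked before anything touches the live system. It works on a
# constructed copy of rt_tables and on captured "ip rule list" text, so it
# runs without root; on a real host point it at /etc/iproute2/rt_tables.

# ensure_rt_table FILE ID NAME
# Appends "ID NAME" to FILE unless that exact entry already exists.
# Fails if the ID or the NAME is already bound to something else, which
# "echo 200 custom >> rt_tables" run twice (or with a typo) never notices.
# 0 and 253-255 are the stock unspec/default/main/local ids.
ensure_rt_table() {
    file=$1; id=$2; name=$3
    case $id in
        ''|*[!0-9]*)   echo "table id must be numeric" >&2; return 1 ;;
        0|253|254|255) echo "table id $id is reserved" >&2; return 1 ;;
    esac
    # Strip comments, then compare whole fields rather than substrings.
    existing=$(sed 's/#.*//' "$file" | awk -v id="$id" -v name="$name" '
        $1 == id && $2 == name { print "same"; exit }
        $1 == id               { print "id taken by " $2; exit }
        $2 == name             { print "name taken by id " $1; exit }')
    case $existing in
        same) return 0 ;;
        "")   printf '%s\t%s\n' "$id" "$name" >> "$file"; return 0 ;;
        *)    echo "refusing $id $name: $existing" >&2; return 1 ;;
    esac
}

# policy_stanza TABLE SRC GATEWAY DEV
# Prints the /etc/network/interfaces lines that recreate the rule and the
# table's default route on ifup. The pre-down line (ip rule del) is an
# addition here so that ifdown removes the rule again.
policy_stanza() {
    table=$1; src=$2; gw=$3; dev=$4
    printf 'post-up ip rule add from %s lookup %s\n' "$src" "$table"
    printf 'post-up ip route add default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf 'pre-down ip rule del from %s lookup %s\n' "$src" "$table"
}

# rule_present SRC TABLE   (reads "ip rule list" output on stdin)
# Succeeds when a rule "from SRC lookup TABLE" is listed, matching whole
# fields so that 192.168.30.2 does not match 192.168.30.200.
rule_present() {
    awk -v src="$1" -v tbl="$2" '
        $2 == "from" && $3 == src && $4 == "lookup" && $5 == tbl { found = 1 }
        END { exit !found }'
}

# Demonstration on constructed data (not captured from a real host).
rt=$(mktemp)
printf '255\tlocal\n254\tmain\n253\tdefault\n0\tunspec\n' > "$rt"   # stock rt_tables content
ensure_rt_table "$rt" 200 custom
ensure_rt_table "$rt" 200 custom          # already there: no duplicate line
ensure_rt_table "$rt" 200 vlan30 || true  # refused: 200 already means "custom"
ensure_rt_table "$rt" 30 vlan30           # separate id for the per-VLAN table
cat "$rt"
policy_stanza custom 192.168.30.200 192.168.30.1 eth1

# Constructed "ip rule list" output as it looks once the post's rule is in place.
printf '0:\tfrom all lookup local\n32765:\tfrom 192.168.30.200 lookup custom\n32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n' \
    | rule_present 192.168.30.200 custom && echo "rule for 192.168.30.200 -> custom is active"
rm -f "$rt"
```

On a real host you would run the stanza output through a review step before pasting it into /etc/network/interfaces, and pipe the live ip rule list into rule_present after ifup to confirm the post-up line actually took effect.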

Summary

There's a great deal more functionality possible in policy routing, but this at least gives you the basics you need to understand how it works. In a future post, I'll provide a specific use case where this functionality can be put to work. In the meantime, feel free to share any corrections, clarifications, questions, or thoughts in the comments below.
