IP Rule Command

Source: Internet
Author: User
Tags: flush, locale, iptables

Linux advanced routing, that is, policy-based routing, is more powerful and flexible than traditional destination-based routing: the forwarding path can be chosen not only by destination address but also by packet size, application (port) or source IP address, so that an administrator can easily:
1. Limit the bandwidth a computer may use
2. Limit the bandwidth sent to a computer
3. Share bandwidth fairly between users
4. Protect the network against DoS attacks
5. Protect the Internet from your own users
6. Present several servers as one virtual server, for load balancing or higher availability
7. Restrict which computers your users may reach
8. Restrict who may reach your computers
9. Route by user account, MAC address, source IP address, port, QoS/TOS, time of day or content, among others
1. iproute2 basics

Basic commands:
ip link list        show link (interface) state
ip address show     show all addresses on all interfaces
ip route show       show the main routing table
ip neigh show       show the neighbour (ARP) table

Linux routing tables
Linux supports many routing tables. Table ids 1 to 252 are free for custom tables (the one-byte id in rt_tables is the historical limit; current kernels accept 32-bit table ids), and four ids are reserved:
0    unspec   reserved by the system
253  default  default routes that were not assigned to a specific table go here
254  main     all routes added without an explicit "table" go here; this is the traditional routing table
255  local    local interface addresses, broadcast addresses and NAT addresses; maintained by the kernel, not to be edited by the administrator
There are two ways to list a routing table:
ip route list table TABLE_NUMBER
ip route list table TABLE_NAME
The mapping between table numbers and table names lives in /etc/iproute2/rt_tables and can be edited by hand.
A route added to a table takes effect immediately, for example:
ip route add default via 192.168.1.1 table 1          adds a default route via 192.168.1.1 to table 1
ip route add 192.168.0.0/24 via 192.168.1.2 table 1   adds a route to 192.168.0.0/24 via 192.168.1.2 to table 1
Note: each table should carry its own default route, so that a lookup in it does not fall through to the next rule and so to the main table. Once the routes are in place, the table can be referenced from routing rules.
2. Routing rules: ip rule

When a packet is routed, the rules are tried in order of priority (pref), from the lowest number to the highest, until a rule whose selector matches yields a route. A rule whose table has no matching route is skipped and the next rule is tried, which is why each table used by a rule should contain a default route.
ip rule show        list the routing rules
Add a rule:
ip rule add from 192.168.1.10/32 table 1 pref 100
If no pref is given, the new rule gets the priority of the lowest-numbered existing rule after the local rule minus one (32765 on a stock system), so it lands just ahead of that rule.
Note: on older kernels the route cache had to be flushed with "ip route flush cache" before a new rule applied to existing flows; kernels from 3.6 on have no route cache, and the command is a harmless no-op there.
The selector parameters are:
from    source address
to      destination address (used when selecting the rule, and again when looking up the routing table)
tos     the TOS (type of service) field of the IP header
dev     incoming interface (current iproute2 spells this iif; dev is accepted as a synonym)
fwmark  the firewall mark set by the iptables/nftables MARK target
Besides selecting a table, a rule can take the following actions:
table        look the packet up in the given table
nat          stateless route-based NAT ("transparent gateway"); removed from the kernel in 2.6, use iptables/nftables NAT instead
prohibit     drop the packet and send ICMP "communication administratively prohibited"
reject       drop the packet silently (current iproute2 calls this action blackhole)
unreachable  drop the packet and send ICMP "network unreachable"
The syntax is:
Usage: ip rule [ list | add | del ] SELECTOR ACTION
SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ dev STRING ] [ pref NUMBER ]
ACTION := [ table TABLE_ID ] [ nat ADDRESS ] [ prohibit | reject | unreachable ]
          [ flowid CLASSID ]
TABLE_ID := [ local | main | default | new | NUMBER ]

1. Policy Routing
Policy-based routing is more powerful and flexible than traditional routing: the administrator can select the forwarding path by destination address and also by packet size, application or source IP address.
#/etc/iproute2/rt_tables
This file lists the Linux routing tables; by default it contains tables 255, 254 and 253:
255 local: local interface addresses, broadcast addresses and NAT addresses. The local table is maintained by the kernel; the administrator should not edit it.
254 main: the traditional routing table. "ip route" commands that name no table operate on table 254, which normally holds all routes.
Note: "ip ro sh" (ip route show) lists the routes of this table.
253 default: normally holds default routes.
Note: rt_tables maps numbers to names; table 0 is reserved, and the legacy one-byte id allows up to 255 tables (current kernels accept larger ids).
There are two ways to list a routing table:
#ip route list table TABLE_NUMBER
#ip route list table TABLE_NAME
Once a table exists, routes can be added to it. Examples for policy routing tables:
#ip route add 192.168.1.0/24 dev eth0 via 192.168.1.66 realm 4
Note: packets sent to the subnet 192.168.1.0/24 are forwarded with realm 4, a classification that tc can match on later; this is covered in a later article.
#ip route add default via 192.168.1.1 table int1
#ip route add 192.168.1.0/24 via 192.168.1.1 table int2
#ip route add 172.16.0.0/16 via 172.16.0.1 table int3
Note: each routing table should carry its own default route, so that a lookup in it does not fall through to the main table. Once the routes are in place they can be used from routing rules.
#ip rule sh    show the routing rules
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
When a packet is routed, the rules are tried in order of priority (pref), lowest number first, until one matches and its table yields a route. Each table referenced by a rule should therefore contain a default route.
Policy routing usually needs a routing table added by hand; to add one, edit rt_tables and give the table a number and a name.
Examples of ip rule add:
#ip rule add from 192.168.1.112/32 [tos 0x10] table test2 pref 999 prohibit
#ip rule add to 192.168.1.2 pref 1000 table test1
#ip rule add from 192.168.1.0/24 pref 1001 table test1
#ip rule add [from 0/0] table test1 pref 1003
#ip rule add fwmark 1 pref 1002 table test2
The last form is used together with iptables -t mangle: mark the packets first, for example
#iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 80,8080,20,21 -s 192.168.1.0/24 -j MARK --set-mark 1
(PREROUTING marks forwarded traffic; locally generated traffic has to be marked in the mangle OUTPUT chain instead.)
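The pieces above (a table name in rt_tables, a default route inside the table, one rule per source host, and a fwmark rule fed by the iptables MARK) are usually applied together by a script. The following is an added example, not code from the original page: it prints the commands with DRY_RUN=1 (the default) so the plan can be reviewed before it is run as root with DRY_RUN=0, and it refuses to register a table name that rt_tables already maps to a different number. The table name cnline and number 200, the gateway 192.168.33.1, the two hosts, the mark value 1 and the LAN 192.168.1.0/24 are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a policy-routing setup
# from the steps described above. Table name/number, gateway, hosts and
# mark value are assumed for illustration. DRY_RUN=1 (default) prints the
# commands instead of running them.

DRY_RUN=${DRY_RUN:-1}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# Run a command, or print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table NUMBER NAME: register the pair in rt_tables exactly once.
# The kernel only knows numbers; this file is what lets "table cnline"
# resolve. Fails if NAME is already mapped to a different number.
ensure_rt_table() {
    num=$1; name=$2
    if grep -Eq "^[[:space:]]*$num[[:space:]]+$name([[:space:]]|\$)" "$RT_TABLES" 2>/dev/null; then
        return 0
    fi
    if grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+$name([[:space:]]|\$)" "$RT_TABLES" 2>/dev/null; then
        echo "rt_tables: name $name is already mapped to another number" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> %s\n' "$num" "$name" "$RT_TABLES"
    else
        printf '%s\t%s\n' "$num" "$name" >> "$RT_TABLES"
    fi
}

# setup_policy_routing TABLE GATEWAY MARK HOST...
# Sends traffic from each HOST, plus packets carrying firewall mark MARK,
# through TABLE, whose only route is a default via GATEWAY.
setup_policy_routing() {
    table=$1; gw=$2; mark=$3; shift 3
    # Every policy table needs its own default route: a lookup that misses
    # in it falls through to the next rule (main, then default).
    run ip route add default via "$gw" table "$table"
    # One rule per source host with an explicit pref, so the order is known
    # and does not depend on the priority "ip rule add" would pick itself.
    pref=1000
    for host in "$@"; do
        run ip rule add from "$host/32" pref "$pref" lookup "$table"
        pref=$((pref + 1))
    done
    # Mark forwarded web/ftp traffic from the LAN (mangle/PREROUTING) and
    # route marked packets through the same table. Locally generated traffic
    # would need the same MARK rule in mangle/OUTPUT.
    run iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 80,8080,20,21 \
        -s 192.168.1.0/24 -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" pref 2000 lookup "$table"
    # Needed on pre-3.6 kernels that had a route cache; harmless on newer ones.
    run ip route flush cache
}

# Assumed values; set APPLY_EXAMPLE=1 to run the plan (as root with DRY_RUN=0).
if [ "${APPLY_EXAMPLE-}" = 1 ]; then
    ensure_rt_table 200 cnline
    setup_policy_routing cnline 192.168.33.1 1 192.168.2.6 192.168.2.4
fi
```

Running the script twice with DRY_RUN=0 is not safe on every kernel: old kernels accepted an identical "ip rule add" again and kept two copies, so a setup script should either check "ip rule show" first or delete its rules before re-adding them.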
2. NIC bonding (Linux gateway with several NICs)
#modprobe bonding mode=1 miimon=200 primary=eth1    create bond0 in mode 1 with eth1 as the primary NIC
#ip addr add dev bond0 10.0.0.1/24                  assign bond0 its IP address
#ifenslave bond0 eth1 eth2                          enslave the physical NICs
Note:
mode=0      round-robin (balance-rr, the default); the frequent MAC address switching of this mode puts a heavy load on the switch
mode=1      active-backup; the active NIC is chosen with primary=
mode=4      802.3ad (LACP), the commonly used dynamic link aggregation mode; the switch ports must be configured as an aggregation group
miimon=MS   how often, in milliseconds, the link state is polled
Other parameters include:
arp_interval=MS
arp_ip_target=A.B.C.D
A persistent way to configure the bond:
#vi /etc/modules.conf    add the following line
alias bond0 bonding
so that the bonding module is loaded at boot and the virtual interface bond0 is created.
#cd /etc/sysconfig/network-scripts
#vi ifcfg-bond0
DEVICE=bond0
IPADDR=11.0.0.1
NETMASK=255.0.0.0
NETWORK=11.0.0.0
BROADCAST=11.255.255.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
#vi ifcfg-eth0
DEVICE=eth0
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
#vi ifcfg-eth1
DEVICE=eth1
USERCTL=no
ONBOOT=yes
MASTER=bond0
SLAVE=yes
BOOTPROTO=none
#/etc/init.d/network restart    restart the network service
Check the NIC configuration: the backup NIC is flagged NOARP.
#cat /proc/net/bonding/bond0    show the bond status
3. Network bridge (Linux with several NICs)
Configuration tool: brctl, http://bridge.sourceforge.net/, source package bridge-utils-*. Install it from source in the usual way (autoconf, configure, make, make install). On current systems a bridge can also be created with "ip link add ... type bridge" and managed with bridge(8); brctl is deprecated.
With two NICs eth0 and eth1: before the NICs join the bridge, remove their IP configuration (bring eth0/eth1 down, then bring them up without an address):
#ifconfig eth0 0.0.0.0 up
#ifconfig eth1 0.0.0.0 up
#brctl addbr br0
#brctl addif br0 eth0 eth1
#ip li set dev br0 up
#brctl showmacs br0    show the MAC addresses learned by the bridge
Removing the bridge:
#ip li set dev br0 down
#brctl delif br0 eth0 eth1
#brctl delbr br0
A bridge interface can also be used for traffic control. A Linux bridge without an IP address can effectively shield the inside from outside attacks, and the overall control the bridge gives makes it a high-security setup.
An example bridge application, an extension of the plain bridge in which the bridge interface gets an IP address and forwarding is enabled:
Script name: start_bridge.sh
#!/bin/sh
brctl addbr net1
brctl addif net1 eth0
ifconfig eth0 down
ifconfig eth0 0.0.0.0 up
ifconfig net1 192.168.5.1 up
# remove the connected route eth1 got from its address; the full form is:
# ip ro del 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.28
ip ro del 192.168.1.0/24
# default route via 192.168.5.2; the route(8) form is:
# route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.5.2
ip route add default via 192.168.5.2
echo "1" > /proc/sys/net/ipv4/ip_forward
Linux advanced routing shows its full power only in combination with iptables; most real-world applications are built on that combination, and mastering advanced routing together with iptables takes further study and practice.


ip rule configuration example:
ip route del default
ip route add default via 192.168.33.1
ip rule add from 192.168.2.6 pref 1000 lookup cnline
ip rule add from 192.168.2.4 pref 1000 lookup cnline
ip rule add from 192.168.2.32 pref 1000 lookup cnline
ip rule add from 192.168.2.227 pref 1000 lookup cnline
ip rule add from 192.168.2.100 pref 1000 lookup cnline
ip rule add from 192.168.2.101 pref 1000 lookup cnline
ip rule add from 192.168.2.107 pref 1000 lookup cnline
ip rule add from 192.168.2.55 pref 1000 lookup cnline
ip rule add from 192.168.2.56 pref 1000 lookup cnline
ip rule add from 192.168.2.189 pref 1000 lookup cnline
ip rule add from 192.168.2.190 pref 1000 lookup cnline
ip rule add from 192.168.2.191 pref 1000 lookup cnline
ip rule add from 192.168.2.192 pref 1000 lookup cnline
ip rule add from 192.168.2.193 pref 1000 lookup cnline
ip rule add from 192.168.2.194 pref 1000 lookup cnline
ip rule add from 192.168.2.195 pref 1000 lookup cnline
ip rule add from 192.168.2.196 pref 1000 lookup cnline
ip rule add from 192.168.2.197 pref 1000 lookup cnline
ip rule add from 192.168.2.198 pref 1000 lookup cnline
#ip route add 192.168.0.0/24 via 192.168.33.1 table cnline
ip route add 58.14.0.0/15 via 192.168.33.1 table cnline
ip route add 58.16.0.0/16 via 192.168.33.1 table cnline
The table cnline must first be given a number and a name in /etc/iproute2/rt_tables. It carries no default route, so traffic from the listed hosts to destinations outside 58.14.0.0/15 and 58.16.0.0/16 falls through to the main table and its default route.
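A list like the one above is easy to get wrong by hand: a host left out, or the same rule added twice by a script run more than once. The following helpers are an added example, not part of the original page: they audit the output of "ip rule show" against the intended host list and flag duplicated rules. The sample listing is constructed for the test, with one deliberately duplicated rule; the table name cnline and the host addresses come from the example above.

```shell
#!/bin/sh
# Added example, not from the original page: audit "ip rule show" output.
# SAMPLE_RULES is constructed to look like the listing a router prints after
# rules like the ones above were added, with one rule duplicated. Set
# CHECK_LIVE=1 to run the same checks against the real "ip rule show".

SAMPLE_RULES=$(printf '%s\t%s\n' \
    '0:'     'from all lookup local' \
    '1000:'  'from 192.168.2.6 lookup cnline' \
    '1000:'  'from 192.168.2.4 lookup cnline' \
    '1000:'  'from 192.168.2.4 lookup cnline' \
    '2000:'  'from all fwmark 0x1 lookup cnline' \
    '32766:' 'from all lookup main' \
    '32767:' 'from all lookup default')

# sources_using_table TABLE  (rules on stdin)
# Prints the source prefix of every host/network rule that looks up TABLE;
# "from all" rules are skipped.
sources_using_table() {
    awk -v t="$1" '
        $2 == "from" && $3 != "all" {
            for (i = 4; i < NF; i++)
                if ($i == "lookup" && $(i + 1) == t) print $3
        }'
}

# check_hosts_routed TABLE HOST...  (rules on stdin)
# Prints each HOST that has no rule sending it to TABLE; the return value
# is the number of missing hosts, so 0 means the policy is complete.
check_hosts_routed() {
    table=$1; shift
    have=$(sources_using_table "$table")
    missing=0
    for h in "$@"; do
        found=0
        for s in $have; do
            if [ "$s" = "$h" ] || [ "$s" = "$h/32" ]; then found=1; fi
        done
        if [ "$found" = 0 ]; then
            echo "missing: $h"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# duplicate_rules  (rules on stdin)
# Prints rules that occur more than once, prefixed with their count. Old
# kernels accepted an identical "ip rule add" again without complaint
# (current ones refuse the exact duplicate), so a setup script that is not
# idempotent leaves copies behind. Among rules with equal pref the kernel
# keeps insertion order, so copies are harmless, but they show the script
# needs a guard.
duplicate_rules() {
    awk '{ $1 = $1; n[$0]++ } END { for (r in n) if (n[r] > 1) print n[r], r }'
}

# Set CHECK_LIVE=1 to audit the current host (hosts below are assumed).
if [ "${CHECK_LIVE-}" = 1 ]; then
    ip rule show | duplicate_rules
    ip rule show | check_hosts_routed cnline 192.168.2.6 192.168.2.4
fi
```

Against the sample, check_hosts_routed cnline 192.168.2.6 192.168.2.4 succeeds, any host not in the listing is reported as missing, and duplicate_rules prints the repeated 192.168.2.4 rule with a count of 2.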

Source: http://www.unixnotes.net/ip-rule.html?replytocom=25
