Linux Policy Routing Basics

Source: Internet
Author: User

The basic idea of Linux policy routing is that IP packets are routed according to policies set by the network administrator, rather than by destination address alone. For example, a policy might say "send all packets that come directly from network A over path X and everything else over path Y", or "send all packets with a given TOS value over path F and everything else over path K".

Linux supports up to 255 routing tables, three of which are built in:

  Table 255, local: listed in /etc/iproute2/rt_tables. It holds the local interface addresses, broadcast addresses and NAT addresses. The kernel maintains this table automatically; the administrator cannot modify it directly.

  Table 254, main: if a route is added without naming a table, it is placed in this table by default. Older routing tools such as route add all of their routes here. It holds the ordinary routes.

  Table 253, default: default routes are generally kept in this table, although other routes can be placed in it if the table is named explicitly.

  Table 0 is reserved.

Route configuration command format:

  ip route list SELECTOR
  ip route { change | del | add | append | replace | monitor } ROUTE

To list the contents of a table, run:

  ip route list table table_number
  ip -6 route list table table_number    (for IPv6)

and use change, del, add, append, replace and monitor for the corresponding route operations. For example, to add routes:

  router> # ip route add 0/0 via 192.168.0.4 table main
  router> # ip route add 192.168.3.0/24 via 192.168.0.3 table 1

The first command adds a route to the main table (table 254): a default route whose gateway is 192.168.0.4. The second command adds an entry to routing table 1 for the subnet 192.168.3.0 (netmask 255.255.255.0) with gateway 192.168.0.3.

In a system with multiple routing tables, every route operation, such as adding a route to a table or looking up a particular route in a table, must name the table to operate on; if no table is given, the operation applies to the main table (table 254) by default. In a single-table system, route operations do not need to name a table.

Rule configuration. With ip rule, Linux can define 2^32 priority levels, and each priority level can hold only one rule, so in theory there can be 2^32 rules. Three rules exist by default. Command usage:

  ip rule [ list | add | del ] SELECTOR ACTION
  SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ dev STRING ] [ pref NUMBER ]
  ACTION   := [ table TABLE_ID ] [ nat ADDRESS ] [ prohibit | reject | unreachable ] [ flowid CLASSID ]
  TABLE_ID := [ local | main | default | new | NUMBER ]

First, list the default rules:

  root@netmonster# ip rule list
  0:      from all lookup local
  32766:  from all lookup main
  32767:  from all lookup default

Note: the smaller the number, the higher the priority. Rule 0 is the highest-priority rule; it says that every packet must first be routed using the local table (table 255). This rule cannot be changed or deleted. Rule 32766 specifies that all packets are routed using the main table; it can be changed or deleted. Rule 32767 specifies that all packets are routed using the default table; it can also be changed or deleted.

With the default rules, a lookup proceeds as follows. Rule 0 sends the packet to the local table first; if the destination is an address of the current network or a broadcast address, a suitable route is found there. If that lookup fails, the next non-empty rule is matched. Here that is rule 32766, so the main table is searched; if that fails, rule 32767 matches and the default table is searched. If that also fails, routing fails.

This shows that policy routing is backward compatible with ordinary single-table routing. Rules can also be added:

  router> # ip rule add [from 0/0] table 1 pref 32800
  router> # ip rule add from 192.168.3.112/32 [tos 0x10] table 2 pref 1500 prohibit

The first command adds a rule to the rule chain that matches all packets; its action is to look up routing table 1, and its priority is 32800. The second command adds a rule that matches packets whose source IP address is 192.168.3.112 and whose TOS equals 0x10; it uses routing table 2 and has priority 1500. After adding these rules, the system's rule chain changes accordingly:

  router> # ip rule
  0:      from all lookup local
  1500:   from 192.168.3.112/32 [tos 0x10] lookup 2
  32766:  from all lookup main
  32767:  from all lookup default
  32800:  from all lookup 1

The rules above use the source address as the matching key. Besides the source address, the following selectors can be used:

  from -- source address
  to   -- destination address (used when selecting a rule, and also when searching the routing table)

Besides naming a table, the following actions can be specified:

  table       -- the routing table to use
  nat         -- transparent NAT gateway
  prohibit    -- discard the packet and send an ICMP "communication administratively prohibited" message
  reject      -- simply discard the packet
  unreachable -- discard the packet and send an ICMP "net unreachable" message
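As an added example (not code from the original article), the following POSIX shell script turns the route and rule commands discussed above into a dry-run-capable setup function and adds two helpers that parse ip rule list output: one reports which table a given priority looks up, the other walks the rule chain in priority order and prints the tables the kernel would consult for a packet, which is the lookup sequence described above (local first, then each matching rule's table until one yields a route). The SAMPLE_RULES text, the host 10.0.0.5 and the function names are constructed for this example; the routes, rules and priorities are the ones from the article.

```shell
#!/bin/sh
# Added example, not part of the original article. It scripts the commands
# discussed above with a dry-run switch and adds two helpers that parse
# `ip rule list` output so the rule chain can be checked.
# SAMPLE_RULES, the host 10.0.0.5 and the function names are constructed;
# the routes and rules themselves come from the article.

# POLICY_DRY_RUN=1 (the default) only prints the commands; set it to 0 on a
# host where you are root to execute them.
POLICY_DRY_RUN="${POLICY_DRY_RUN:-1}"

run() {
    if [ "$POLICY_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Configuration from the article: a default route in the main table, a
# dedicated table 1 for 192.168.3.0/24, a catch-all rule for table 1 at a
# low priority (32800), and a higher-priority rule (1500) that sends traffic
# from one host carrying TOS 0x10 to table 2.
apply_policy_routing() {
    run ip route add 0/0 via 192.168.0.4 table main
    run ip route add 192.168.3.0/24 via 192.168.0.3 table 1
    run ip rule add from 0/0 table 1 pref 32800
    run ip rule add from 192.168.3.112/32 tos 0x10 table 2 pref 1500
}

# Constructed `ip rule list` output matching the listing in the article
# (not captured from a real host). Priorities are ascending, which is the
# order the kernel evaluates them in.
SAMPLE_RULES='0:      from all lookup local
1500:   from 192.168.3.112 tos 0x10 lookup 2
32766:  from all lookup main
32767:  from all lookup default
32800:  from all lookup 1'

# rule_table_for_pref PREF [RULES]: print the table that the rule with
# priority PREF looks up. RULES defaults to the live `ip rule list` output.
rule_table_for_pref() {
    pref="$1"
    rules="${2:-$(ip rule list)}"
    printf '%s\n' "$rules" | awk -v p="$pref:" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "lookup") print $(i + 1) }'
}

# lookup_order SRC TOS [RULES]: print, in priority order, the tables the
# kernel would consult for a packet with source SRC and TOS value TOS, i.e.
# every matching rule's table until one of them yields a route. Only
# "from all", an exact host "from" match and "tos" are understood;
# prefix-length matching and the other selectors are left out for brevity.
lookup_order() {
    src="$1"
    tos="$2"
    rules="${3:-$(ip rule list)}"
    printf '%s\n' "$rules" | awk -v src="$src" -v tos="$tos" '
        {
            from = ""; t = ""; table = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from")   from  = $(i + 1)
                if ($i == "tos")    t     = $(i + 1)
                if ($i == "lookup") table = $(i + 1)
            }
            if (table == "") next           # prohibit/reject rules have no table
            if ((from == "all" || from == src) && (t == "" || t == tos))
                out = (out == "" ? table : out " " table)
        }
        END { print out }'
}

# Stand-alone run: show the commands and walk the sample rule chain.
apply_policy_routing
printf 'rule 1500 -> table %s\n' "$(rule_table_for_pref 1500 "$SAMPLE_RULES")"
printf 'host with tos 0x10: %s\n' "$(lookup_order 192.168.3.112 0x10 "$SAMPLE_RULES")"
printf 'other traffic:      %s\n' "$(lookup_order 10.0.0.5 0x00 "$SAMPLE_RULES")"
```

Run it as-is to see the generated commands and the two lookup sequences ("local 2 main default 1" for the TOS-marked host, "local main default 1" for everything else); on a router, POLICY_DRY_RUN=0 applies the commands and the helpers can be called without the third argument to inspect the live rule chain.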
