Linux-iptables-route-rule

Source: Internet
Author: User
Tags iptables

Details:

Source: http://www.mamicode.com/info-detail-1412618.html; the pasted notes follow.

Linux routing tables: the system numbers routing tables 0-255, and tables 1-252 are free for user-defined tables. The system itself maintains four of them:

    • 0: reserved by the system.
    • 255 (local): the local routing table, which holds the addresses of this host's interfaces, its broadcast addresses and NAT addresses. The kernel maintains it automatically and the administrator should not edit it.
    • 254 (main): the main (traditional) routing table; ip route operates on table 254 when no table is specified. Note: routes in this table are also what the route command displays.
    • 253 (default): normally holds the default route.

Note: the rt_tables file identifies tables by number, and up to 255 tables can be kept.
There are two ways to view a routing table:

    • ip route list|show table TABLE_NUMBER
    • ip route list|show table TABLE_NAME

The mapping between table numbers and table names lives in /etc/iproute2/rt_tables and can be edited by hand. Routing rules (ip rule) decide which table is consulted: the rules are tried in order of priority (pref) from low to high until one matches, so the table a rule selects needs a default route for traffic that matches nothing more specific. ip rule show lists the routing rules.
Add a routing rule:

# ip rule add from 192.168.1.10/32 table 1 pref 100

If pref is not given, the new rule is inserted just ahead of the existing rule with the lowest priority number.
Note: after creating a rule, run # ip route flush cache if it has to take effect immediately. The command format is:

USAGE: ip rule [list | add | del] SELECTOR ACTION
SELECTOR := [from PREFIX] [to PREFIX] [tos TOS] [dev STRING] [pref NUMBER]
ACTION := [table TABLE_ID] [nat ADDRESS] [prohibit | reject | unreachable]
          [flowid CLASSID]
TABLE_ID := [local | main | default | new | NUMBER]
The parameters are as follows:

    • from: source address
    • to: destination address (used when selecting the rule, and again when the routing table is looked up)
    • tos: the TOS (type of service) field of the IP header
    • dev: physical interface
    • fwmark: iptables mark

Besides choosing a routing table, the action can be one of the following:

    • table: which table to use
    • nat: transparent gateway (address translation)
    • prohibit: discard the packet and send an ICMP "communication administratively prohibited" message
    • reject: simply discard the packet
    • unreachable: discard the packet and send an ICMP "network unreachable" message
After the rule is in place, routes can be added to the policy routing table. Example: the company intranet requires hosts up to 192.168.0.100 to reach the Internet through 10.0.0.1 (China Telecom), and all other IPs through 20.0.0.1 (China Netcom).

    1. First add a default route on the gateway server; this is the gateway for the great majority of hosts: # ip route add default via 20.0.0.1
    2. Then add a routing table with ip route: # ip route add default via 10.0.0.1 dev ethX table 3 (ethX is the NIC that carries 10.0.0.1; 3 is the number of the routing table)
    3. Then add the ip rule: # ip rule add fwmark 3 table 3 (fwmark 3 is the mark, table 3 is routing table 3; all packets marked 3 are routed with table 3)
    4. Finally use iptables to mark the matching traffic: # iptables -t mangle -A PREROUTING -i eth0 -m iprange --src-range 192.168.0.1-192.168.0.100 -j MARK --set-mark 3

Because the mangle table is processed before the nat and filter tables, a packet is marked as soon as it arrives; it then passes through the ip rule database, is routed with the table that rule selects, and finally the chosen route sends it out of the gateway.

1. Basic Knowledge

1.1 Routing

1.1.1 Routing policy (using the ip rule command to manipulate the routing policy database)

Policy-based routing is more powerful and flexible than traditional routing. Traditional routing chooses the forwarding path by destination address alone; policy-based routing also lets the administrator choose it by attributes such as packet size, application or source IP address.

ip rule command:
    • USAGE: ip rule [list | add | del] SELECTOR ACTION (add: add a rule; del: delete a rule; list: list the rules)
    • SELECTOR := [from PREFIX (packet source address)] [to PREFIX (packet destination address)] [tos TOS (type of service)] [dev STRING (physical interface)] [pref NUMBER (priority)] [fwmark MARK (iptables mark)]
    • ACTION := [table TABLE_ID (routing table to use)] [nat ADDRESS (network address translation)] [prohibit (discard the packet) | reject (reject the packet) | unreachable (discard the packet)]
    • [flowid CLASSID]
    • TABLE_ID := [local | main | default | new | NUMBER]

Examples:

    • ip rule add from 192.203.80/24 table inr.ruhep prio 220: packets with a source address in 192.203.80/24 are routed with table inr.ruhep
    • ip rule add from 193.233.7.83 nat 192.203.80.144 table 1 prio 320: datagrams with source address 193.233.7.83 have their source address translated to 192.203.80.144 and are routed with table 1

When a Linux system boots, the kernel installs three default rules in the routing policy database:

    • 0: matches anything; consult routing table local (ID 255). Table local is a special table that contains high-priority control routes for local and broadcast addresses. Rule 0 is special: it cannot be deleted or overridden.
    • 32766: matches anything; consult routing table main (ID 254). Table main is the ordinary table holding all non-policy routes. The administrator may delete this rule or override it with other rules.
    • 32767: matches anything; consult routing table default (ID 253). Table default is empty and is reserved for post-processing; the system uses it for packets that no earlier rule handled. This rule can also be deleted.

Do not confuse routing tables with policies (rules): a rule points to a routing table, several rules may reference the same table, and a table may have no rule pointing to it at all. If the administrator deletes every rule pointing to a table, the table becomes useless but still exists; it disappears only when all routes in it are deleted.

(Data source)

1.1.2 Routing table (using the ip route command to manipulate the static routing table)

A routing table is a table stored on a router or other network device that records the paths to particular network destinations and, in some cases, metrics associated with those paths. The router's main job is to find an optimal transmission path for every packet that passes through it and deliver the data to its destination efficiently, so the strategy for choosing the best path, the routing algorithm, is the heart of the router. To do this the router keeps the data about the available paths in its routing table, and the information in that table determines how data is forwarded. Much as we use a map to pick a route, the routing table holds the network prefixes, the number of routers on the way, the next router, and so on. By the way it is built, a routing table is either a dynamic routing table or a static routing table.

Linux allows user-defined tables numbered 1-252; the system itself maintains four tables:

    • Table 0: reserved by the system
    • Table 253 (default): default routes that were not assigned to a specific table are placed here
    • Table 254 (main): routes added without naming a table are placed here
    • Table 255 (local): holds the local interface addresses, broadcast addresses and NAT addresses; maintained by the system and not to be changed by the user

There are two ways to view a routing table:

    • ip route list table TABLE_NUMBER
    • ip route list table TABLE_NAME

The correspondence between table numbers and table names can be edited by hand in /etc/iproute2/rt_tables. A route takes effect as soon as it is added, for example:

    • ip route add default via 192.168.1.1 table 1: adds a default route via 192.168.1.1 to table 1
    • ip route add 192.168.0.0/24 via 192.168.1.2 table 1: adds a route to the 192.168.0.0/24 segment via 192.168.1.2 to table 1

Take the following routing table as an example:

Destination      Netmask          Gateway          Interface        Metric
0.0.0.0          0.0.0.0          192.168.123.254  192.168.123.88   1       # default route: packets whose destination matches no other entry leave via the local 192.168.123.88 interface to the next router, 192.168.123.254
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1        1       # packets addressed to this host (loopback)
192.168.123.0    255.255.255.0    192.168.123.68   192.168.123.68   1       # directly connected route: packets for 192.168.123.0/24 are sent out the local 192.168.123.88 interface
192.168.123.88   255.255.255.255  127.0.0.1        127.0.0.1        1       # packets whose destination is 192.168.123.88 are delivered to this host
192.168.123.255  255.255.255.255  192.168.123.88   192.168.123.88   1       # broadcast for the 192.168.123.0/24 segment, sent via the 192.168.123.88 interface
224.0.0.0        224.0.0.0        192.168.123.88   192.168.123.88   1       # multicast, sent via the 192.168.123.88 interface
255.255.255.255  255.255.255.255  192.168.123.68   192.168.123.68   1       # limited (all-networks) broadcast
Default gateway: 192.168.123.254

Description of each field:

    • Destination: the destination network segment
    • Netmask: the mask that goes with the destination address (the subnet mask). It is the subnet mask appropriate to the destination network, 255.255.255.255 for a host route and 0.0.0.0 for the default route; if omitted, 255.255.255.255 is used. Because destination and mask belong together, the destination cannot be more specific than its mask: where a mask bit is 0, the corresponding destination bit cannot be 1.
    • Interface: the IP address of the router's egress interface used to reach the destination
    • Gateway: the IP address of the next-hop router; together, interface and gateway define the link to the next router, and they are normally on the same segment
    • Metric: hop count or route quality; when several records lead to the same destination, the router uses the one with the smaller metric

Depending on the subnet mask, routes fall into three types:

    • Host route: a routing record that points to a single IP address or host name. The Flags field of a host route contains H.

Destination    Gateway        Genmask          Flags  Metric  Ref  Use  Iface
10.0.0.10      192.168.1.1    255.255.255.255  UH     0       0    0    eth0

    • Network route: a route to a network the host can reach. The Flags field of a network route contains N. In the following example, the local host forwards packets for the network 192.19.12 to the router at 192.168.1.1.

Destination    Gateway        Genmask          Flags  Metric  Ref  Use  Iface
192.19.12      192.168.1.1    255.255.255.0    UN     0       0    0    eth0

    • Default route: when the host finds neither a host route nor a network route for the destination in its table, the packet is sent to the default route (the default gateway). The Flags field of the default route contains G.

Destination    Gateway        Genmask          Flags  Metric  Ref  Use  Iface
default        192.168.1.1    0.0.0.0          UG     0       0    0    eth0

The route command can also set and view the kernel routing table. Its format is: route [add|del] [-net|-host] target [netmask Nm] [gw Gw] [[dev] If]

where

    • add: adds a routing entry; del: deletes a routing entry; -net: the target is a network; -host: the target is a host; target: the destination network or host
    • netmask: the netmask of the destination; gw: the gateway the routed packets pass through; dev: the network interface to use for the route

For example:

    • route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.12.1
    • route add -net 10.41.0.0 netmask 255.255.0.0 gw 10.27.0.1 metric 7

(Data Source: (1), (2), (3))

About the src attribute:

When a host has several NICs with several IPs, the source address of the packets it originates can be chosen at routing time. For example:

ip route add 78.22.45.0/24 via 10.45.22.1 src 10.45.22.12 (packets sent to the 78.22.45.0/24 segment go to the next-hop router 10.45.22.1 and have their source IP set to 10.45.22.12).

Note that the src option only affects packets generated on the host itself. A forwarded packet that came from elsewhere obviously already has a source IP, so src has no effect on it unless NAT is used to change it. For Neutron, the src in the routing tables of the qrouter and QIF namespaces has no practical meaning, because those namespaces only handle packets that came from outside.

1.1.3 Routing classification: static routing

Static routing is routing information configured by hand by a user or network administrator. When the network topology or link state changes, the administrator has to update the affected static routes in the routing table manually. Static routing information is private by default and is not advertised to other routers, although the administrator can configure the router to share it. Static routing suits relatively simple networks, where the administrator understands the topology well enough to set up correct routes easily.

Using the topology above as an example, computers 1 and 2 cannot communicate until routes are configured, because when a packet from 1 to 2 reaches router A, A does not know where to forward it; router B has the same problem. The administrator can configure the following static routes so that 1 and 2 can communicate:

The computers configure a default gateway:

    • Computer 1: route add default gw 192.168.1.1
    • Computer 2: route add default gw 192.168.3.1

Router configuration:

    • R1: ip route 192.168.3.0 255.255.255.0 f0/1 (meaning: packets for the destination network 192.168.3.0/24 are sent out port f0/1)
    • R2: ip route 192.168.1.0 255.255.255.0 f0/1 (meaning: packets for the destination network 192.168.1.0/24 are sent out port f0/1)

or

    • R1: ip route 192.168.3.0 255.255.255.0 192.168.2.2 (meaning: packets for 192.168.3.0/24 go to the next router, 192.168.2.2)
    • R2: ip route 192.168.1.0 255.255.255.0 192.168.2.1

(Source: http://baike.baidu.com/view/911.htm)

1.1.4 Routing classification: dynamic routing

Dynamic routing is the ability of routers to build their routing tables automatically and adjust them in time as conditions change. In contrast to static routing, routers set up their routing tables from the routing information they exchange with one another, and adjust them automatically when links or nodes change. When a node or a link between nodes fails and another route is available, dynamic routing can pick the best available route and keep forwarding traffic on its own.

Common dynamic routing protocols are RIP (Routing Information Protocol), OSPF (Open Shortest Path First), IS-IS (Intermediate System to Intermediate System) and BGP (Border Gateway Protocol), which is an inter-autonomous-system routing protocol that runs over TCP.

(Source: http://baike.baidu.com/view/897.htm)

1.1.5 The relationship between ip rule, ip route and iptables

An example: the company intranet requires hosts up to 192.168.0.100 to reach the Internet through 10.0.0.1 (China Telecom), and all other IPs through 20.0.0.1 (China Netcom).

    1. First add a default route on the gateway server; this is, of course, the gateway for the great majority of hosts: ip route add default via 20.0.0.1
    2. Then add a routing table with ip route: ip route add default via 10.0.0.1 dev ethX table 3 (ethX is the NIC that carries 10.0.0.1; 3 is the number of the routing table)
    3. Then add the ip rule: ip rule add fwmark 3 table 3 (fwmark 3 is the mark, table 3 is routing table 3; every packet marked 3 is routed with table 3)
    4. Finally use iptables to mark the matching traffic: iptables -t mangle -A PREROUTING -i eth0 -m iprange --src-range 192.168.0.1-192.168.0.100 -j MARK --set-mark 3

Because the mangle table is processed before the nat and filter tables, the packet is marked as soon as it arrives; it then passes through the ip rule database, is routed with the table that rule selects, and the chosen route finally sends it out of the gateway.
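The four steps above, modelled as an added Python example (not code from the page or its source): the mangle-table mark, the ip rule walk in ascending pref order, and the longest-prefix lookup inside the selected table, including the kernel's fall-through to the next rule when the selected table has no route. The addresses and the table number are the page's; the connected 192.168.0.0/24 route, the eth1 name and the pref 32765 that the kernel gives a rule added without an explicit pref are assumptions.

```python
# Added model of the page's policy-routing setup (not the page's code).
# Assumptions: 'main' also has a connected 192.168.0.0/24 route on eth0, the
# Netcom uplink is 'eth1', and the fwmark rule got pref 32765 (one below main,
# which is what the kernel assigns when 'ip rule add' is given no pref).
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

@dataclass
class Route:
    prefix: IPv4Net            # destination prefix; 0.0.0.0/0 is 'default'
    via: Optional[str] = None  # next-hop gateway (None for a connected route)
    dev: str = ""              # output interface

@dataclass
class Rule:
    pref: int                       # priority; rules are tried from low to high
    table: str                      # action: the table to consult
    frm: Optional[IPv4Net] = None   # 'from PREFIX' selector
    fwmark: Optional[int] = None    # 'fwmark MARK' selector

def lookup(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within one routing table."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def mangle_mark(src: str) -> int:
    """mangle PREROUTING: -m iprange --src-range 192.168.0.1-192.168.0.100
    -j MARK --set-mark 3 (the -i eth0 match is not modelled)."""
    lo = int(ipaddress.ip_address("192.168.0.1"))
    hi = int(ipaddress.ip_address("192.168.0.100"))
    return 3 if lo <= int(ipaddress.ip_address(src)) <= hi else 0

def policy_route(rules, tables, src, dst, mark):
    """Try rules in ascending pref. The first rule whose selectors match and
    whose table holds a route for dst wins; when the table has no route the
    kernel moves on to the next rule. Returns (table name, gateway)."""
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.frm is not None and ipaddress.ip_address(src) not in rule.frm:
            continue
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        route = lookup(tables[rule.table], dst)
        if route is not None:
            return rule.table, route.via
    return None, None  # no rule yielded a route: 'Network is unreachable'

def forward(rules, tables, src, dst):
    """Path of a forwarded packet: mangle mark first, then rule and table lookup."""
    return policy_route(rules, tables, src, dst, mangle_mark(src))

TABLES = {
    "local": [],  # would hold the gateway's own addresses; left empty here
    "3": [Route(IPv4Net("0.0.0.0/0"), via="10.0.0.1", dev="ethX")],   # step 2
    "main": [Route(IPv4Net("192.168.0.0/24"), dev="eth0"),            # assumed LAN route
             Route(IPv4Net("0.0.0.0/0"), via="20.0.0.1", dev="eth1")],  # step 1
    "default": [],
}
RULES = [
    Rule(pref=0, table="local"),
    Rule(pref=32765, table="3", fwmark=3),   # step 3: ip rule add fwmark 3 table 3
    Rule(pref=32766, table="main"),
    Rule(pref=32767, table="default"),
]

if __name__ == "__main__":
    for src in ("192.168.0.50", "192.168.0.150"):
        print(src, "->", forward(RULES, TABLES, src, "203.0.113.5"))
```

Note that a marked packet for a LAN destination still hits table 3 first, since that table's only route is a default; the main table's connected route is only reached when no higher-priority rule produces a route.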

(Source: Using ip route, ip rule and iptables to configure policy routing, which gives a more detailed example.)

This shows the order in which Netfilter processes a packet: receive the packet, apply DNAT first, then match the policy rules, route with the table the matched rule specifies, then apply SNAT, and finally send the packet out.

1.1.6 The traceroute tool

On a Linux machine we use traceroute to learn the path packets take from our computer to a host at the other end of the Internet. Of course the path may differ from one packet to the next between the same source and destination, but it is basically the same route. On MS Windows the tool is tracert. In most cases we simply run traceroute hostname on a Linux host, and tracert hostname on Windows.

    • Command format: traceroute [options] [host]
    • Function: traceroute tracks the route taken by network packets; the default probe size is 40 bytes and can be set by the user.
    • Option format: traceroute [-dFlnrvx] [-f <TTL>] [-g <gateway>] [-i <interface>] [-m <max TTL>] [-p <port>] [-s <source address>] [-t <TOS>] [-w <timeout seconds>] [host name or IP address] [packet size]
    • Options:
      • -d: use socket-level debugging; -f: set the TTL of the first probe packet; -F: set the don't-fragment bit; -g: set a source-routing gateway (up to 8); -i: send probes from the given network interface; -I: use ICMP echo instead of UDP; -m: set the maximum TTL of the probes; -n: print IP addresses rather than host names.
      • -p: set the UDP destination port; -r: bypass the normal routing table and send the packet directly to the remote host; -s: set the source IP address of the probes; -t: set the TOS value of the probes.
      • -v: verbose output; -w: set how long to wait for the remote host's reply; -x: turn packet correctness checking on or off.

(1) Example

# traceroute www.baidu.com
traceroute to www.baidu.com (61.135.169.125), 30 hops max, 40 byte packets
 1  192.168.74.2 (192.168.74.2)  2.606 ms  2.771 ms  2.950 ms
 2  211.151.56.57 (211.151.56.57)  0.596 ms  0.598 ms  0.591 ms
 3  211.151.227.206 (211.151.227.206)  0.546 ms  0.544 ms  0.538 ms
 4  210.77.139.145 (210.77.139.145)  0.710 ms  0.748 ms  0.801 ms
 5  202.106.42.101 (202.106.42.101)  6.759 ms  6.945 ms  7.107 ms
 6  61.148.154.97 (61.148.154.97)  718.908 ms  *  bt-228-025.bta.net.cn (202.106.228.25)  5.177 ms
 7  124.65.58.213 (124.65.58.213)  4.343 ms  4.336 ms  4.367 ms
 8  202.106.35.190 (202.106.35.190)  1.795 ms  61.148.156.138 (61.148.156.138)  1.899 ms  1.951 ms
 9  * * *
30  * * *

Description

    • The records are numbered from 1; each record is one hop, and each hop is one gateway. Each line shows three times in ms, because the default probe count (-q) is 3.
    • These are the times the gateway took to answer the three probe packets sent to it; with traceroute -q 4 www.58.com, 4 packets are sent to each gateway.
    • Sometimes some rows of a traceroute show only asterisks. This usually means a firewall blocked the ICMP replies, so no response came back.
    • Sometimes there is a long delay at one gateway; that gateway may be congested, or the device itself may be slow. A DNS problem (a host name that cannot be resolved) also causes long delays; the -n option skips DNS resolution and prints IP addresses instead.
    • If a LAN has several segments, traceroute helps tell whether a problem lies with the host or with a gateway. If we have trouble reaching a remote server, the gateways traced by traceroute can be submitted to the IDC provider to help locate the problem, although in practice domestic IDC providers are often unable to resolve what we find.

(2) Principle

The traceroute program is built on the TTL (Time To Live) field of the IP header and on ICMP.

    1. First, traceroute sends an IP datagram with TTL 1 to the destination (in fact three 40-byte packets are sent for each TTL, carrying the source address, destination address and a send timestamp). When the first router on the path receives the datagram it decrements the TTL by 1; the TTL becomes 0, so the router discards the datagram and sends back an "ICMP time exceeded" message (containing the source address of the IP packet, the contents of the IP packet and the router's IP address). When traceroute receives this message it knows that this router is on the path.
    2. Next, traceroute sends a datagram with TTL 2 and discovers the second router, and so on.
    3. traceroute keeps increasing the TTL of the datagrams it sends, discovering one more router each time, until a datagram reaches the destination. The destination host does not send back an ICMP time exceeded message, since the datagram has arrived, so how does traceroute know that it has reached the destination?

When traceroute sends UDP datagrams to the destination, it chooses a port that ordinary applications do not use (above 30000), so when the UDP datagram reaches the destination host, the host replies with an "ICMP port unreachable" message; on receiving it, traceroute knows the destination has been reached. So no daemon is needed on the target side. traceroute extracts the IP address from each ICMP TTL-expired message and resolves it to a domain name. For each TTL it prints a line containing the domain name and IP address of the router that answered and the round-trip time of each of the three packets.
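The TTL mechanism described above, as an added Python simulation (not the page's code): each probe is carried hop by hop, routers decrement the TTL and answer "time exceeded" when it reaches zero, the destination answers "port unreachable", and a hop whose firewall drops ICMP shows up as asterisks. The path reuses the first hops and the destination address from the page's output; the silent hop is constructed.

```python
# Added simulation of the traceroute principle (not the page's code).
# PATH reuses addresses from the page's output; SILENT is constructed to show
# the '* * *' rows caused by a hop that does not return ICMP.
from typing import Optional

PATH = ["192.168.74.2", "211.151.56.57", "211.151.227.206", "61.135.169.125"]
SILENT = frozenset({"211.151.227.206"})   # constructed: firewall drops ICMP replies here

Reply = tuple[str, str]   # (replying address, ICMP message)


def send_probe(path: list[str], ttl: int, silent=frozenset()) -> Optional[Reply]:
    """Carry one UDP probe along the path. Every router decrements TTL; the
    router that drives it to 0 discards the probe and answers 'time exceeded'.
    The destination answers 'port unreachable' because nothing listens on the
    high UDP port. None means no reply came back (printed as '*')."""
    for i, hop in enumerate(path):
        ttl -= 1
        if i == len(path) - 1:            # reached the destination host
            return hop, "port unreachable"
        if ttl == 0:                      # expired at an intermediate router
            return None if hop in silent else (hop, "time exceeded")
    return None


def traceroute(path: list[str], max_hops: int = 30, probes: int = 3,
               silent=frozenset()) -> list[list[Optional[Reply]]]:
    """One row per TTL, each with `probes` results; stop once the destination
    has answered, or after max_hops rows."""
    rows = []
    for ttl in range(1, max_hops + 1):
        results = [send_probe(path, ttl, silent) for _ in range(probes)]
        rows.append(results)
        if any(r is not None and r[1] == "port unreachable" for r in results):
            break
    return rows


def render(rows) -> list[str]:
    """Format rows the way traceroute prints them (hop number, then one cell
    per probe; '*' for a lost reply). Round-trip times are not simulated."""
    lines = []
    for n, results in enumerate(rows, 1):
        cells = ["*" if r is None else r[0] for r in results]
        lines.append(f"{n:2d}  " + "  ".join(cells))
    return lines


if __name__ == "__main__":
    print("\n".join(render(traceroute(PATH, silent=SILENT))))
```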

(The above information is from the Internet)
