Network tips: IP address control based on routing policies

Source: Internet
Author: User
Article title: Network tips: IP address control based on routing policies. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Recently I made a set of routing policies, and I think LINUX is so powerful! So I wrote this document !!!
   I. background description
LINUX is a gateway server with three NICs
Eth1 is bound to an IP address of the IP address of this network segment can be accessed through
Eth0 is bound to the IP address the IP address of this network segment can be accessed through
Eth2 is bound to, which is the gateway of an intranet user.
   II. Demand Analysis
Intranet users should use the route to access the Internet.
However, due to work requirements, some users should have the permission to access the "private network" in the figure.
That is to say, the route should be used.
In addition, everyone should be able to access the FTP server. the IP address of this server is
That is to say, the person using route should be able to access and access the Internet.
   III. solutions
To solve this problem, several commands are used. you need to check the details for specific usage.
Ip route
Ip rule
Note: For ip command usage, please refer to the ip Chinese manual, which is available on
1. bind an IP address
Ifconfig eth1 172.17.3.x netmask
Ifconfig eth0 netmask
Ifconfig eth2 netmask
Modify the/etc/sysconfig/network-script/ifcfg-ethx file to enable the computer to automatically set the IP address.
2. create a special route table
# Reserved values
255 local
254 main
253 default
0 unspec
200 NET10
# Local
#1 inr. Ruhu
The 200 NET10 above is newly added. The custom number is 200 and the name is NET10.
3. add its own default route to the NET10 route
Ip route add default via table NET10
Note: Do not forget to write this table NET10; otherwise, it will be written to the master route table.
4. create special routing rules
Ip rule can be used to view the current routing rules of the computer.
[Quote: 710319d809]
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
We can see that the rule contains three route tables: local, main, and default.
What we usually see in route is the main route table.
These rules follow the sequence number. if they are different, they follow the next rule to know the path or the end of the process.
Start adding our own route NET10 to the route table
Ip rule add from pref 10000 table NET10
This means that if the access from the IP address is enabled
What are the routing rules of NET10? We have already set the IP address range to
Next, enable linux to use NAT (here we will not elaborate on how)
5. allow all users to access 192.168.10.xx (this IP address cannot be mentioned)
Because all the others are using the route, they cannot access 192.168.10.xx.
How can we achieve this? Add another policy!
Ip rule add to 192.168.10.xxpref 10001 table NET10
If the destination IP address is 192.168.10.xx, the NET10 route table is used temporarily.
In this way, will there be security problems? If the route changes, will they access the private network?
No, because the routing rule is to 192.168.10.xx, that is, when the target is 96, the route is used. The original route is used to access other websites.
If you access a dedicated network machine, there will be only 10. xx.
Here, we can also do a trick to not tell others the address of 192.168.10.xx, but to tell them that the service exists on the Gateway
Iptables-t nat-a prerouting-d -- dport 21-j DNAT -- to 192.168.10.xx: 21
6. prevent others from tampering with IP addresses and obtaining special permissions
Arp has a static function CM, not C. You may know that
What if I forcibly bound an IP address to a non-MAC address? Both sessions will fail!
Okay, let's take advantage of this!
First, I wrote a file iproute. c.
# Include
# Include
Main ()
Int I;
For (I = 2; I <255; I ++)
Printf ("192.168.1.% d 00: 00: 00: 00: 00: 00
", I );
Gcc iproute. c-o iproute
Compile an executable file
Note: host IP addresses should not be included, so from 2 cycles to 254 (255 is broadcast)
Second, generate a c ip address and a MAC address of all 00
Again, modify the IP-MAC match list
I don't need to elaborate on the specifics. I believe everyone will
Finally, do static IP-MAC binding
7. create a firewall and modify the main route table for security purposes.
The default route table should contain and segments.
In addition, if it is AS3, there will be a route of why don't I know? remove it.
Write a firewall tutorial and use iptables to harden your machine!
   Network topology
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.