Policy-based routing is more powerful and more flexible than traditional routing: it lets a network administrator select the forwarding path not only by destination address but also by packet size, application, or source IP address. This freedom of choice is frequently needed in practical networks. Linux has supported policy routing since kernel version 2.1; the following configuration example is intended to help readers apply it.
Example background
As shown in the figure, two intranets are connected to the Internet through remote Router 1 and to the superior (upstream) network through remote Router 2. A Linux server with four network cards acts as the policy router. The IP addresses are assigned as shown in the table.
In terms of application requirements, intranet 1 may access the Internet via remote Router 1 (172.22.254.254), but only the HTTP and FTP protocols are permitted at all times; other protocols are opened only during certain periods (to prevent employees from playing online games and chatting during work hours): they are closed during office hours (7:30~16:30) and open during off-duty hours (16:30~7:30) and all day on Saturday and Sunday. Furthermore, intranet 1 may not access intranet 2 or the superior network, except for the server on intranet 2. Intranet 2 is allowed to access the extranet, and the superior network may access only the 192.168.1.2 server on intranet 2. The firewall's main purpose is to prevent hosts on the external network from actively initiating connections to the intranet, so as to prevent network attacks.
Implementation process
Here we select the Red Hat Enterprise Linux WS 3 operating system; its kernel version is 2.4.21, which has good support for policy routing. The following configuration is based on this system.
1. Set IP addresses
First, execute the following commands (as root):
ifconfig eth0 10.89.9.1 netmask 255.255.255.0
ifconfig eth1 192.168.1.1 netmask 255.255.255.0
ifconfig eth2 172.22.254.14 netmask 255.255.255.0
ifconfig eth3 10.140.133.14 netmask 255.255.255.0
For the addresses to be set automatically at boot, you also need to edit the four files ifcfg-eth0, ifcfg-eth1, ifcfg-eth2 and ifcfg-eth3 under /etc/sysconfig/network-scripts/ and set the ONBOOT property to yes ("ONBOOT=yes"). The network scripts read these files as shell variables, so the keys must be written in upper case. The file for eth0 has the following format (the static address matches the ifconfig command above):
# Intel Corp. 82545EM Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0c:76:20:54:71
ONBOOT=yes
TYPE=Ethernet
# USERCTL=yes lets unprivileged users bring the interface up and down;
# on a router/firewall USERCTL=no is the safer setting.
USERCTL=yes
# Static address and mask, as set by the ifconfig command above
IPADDR=10.89.9.1
NETMASK=255.255.255.0
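As an added example, not code from the original article, the following script shows one way the requirements from the example background could be realised on top of the addresses above, using iproute2 policy routing (a per-source routing table for each intranet) and an iptables FORWARD policy. It assumes that eth0 faces intranet 1, eth1 faces intranet 2, eth2 is the link to Router 1 and eth3 the link to Router 2 (the article's address table is not reproduced here); the Router 2 gateway address 10.140.133.254 and the routing table numbers 100 and 200 are invented, and the time-based rules use the current iptables "time" match syntax rather than the 2.4-era patch module. The run wrapper prints the whole plan when DRY_RUN=1 is set, so it can be reviewed before anything is applied as root.

```shell
#!/bin/sh
# Added example (not from the original article): source-based policy routing
# plus a default-deny FORWARD policy for the two-intranet setup described above.
# ASSUMPTIONS: eth0 = intranet 1, eth1 = intranet 2, eth2 = link to Router 1,
# eth3 = link to Router 2; GW_ROUTER2 and the table numbers are invented; the
# "time" match uses current xt_time syntax. DRY_RUN=1 prints instead of applying.

LAN1_NET=10.89.9.0/24        # intranet 1 (eth0 is 10.89.9.1)   - assumed mapping
LAN2_NET=192.168.1.0/24      # intranet 2 (eth1 is 192.168.1.1) - assumed mapping
LAN2_SERVER=192.168.1.2      # the only intranet 2 host reachable from outside
GW_ROUTER1=172.22.254.254    # remote Router 1 (Internet), reached via eth2
GW_ROUTER2=10.140.133.254    # remote Router 2 (superior network), via eth3 - ASSUMED
T_INET=100                   # routing table for traffic sourced in intranet 1
T_UPLINK=200                 # routing table for traffic sourced in intranet 2

# Execute a command, or only print it when DRY_RUN=1 (review/test without root).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy routing: the source subnet, not the destination, selects the uplink.
# Note: "ip rule add" is not idempotent; delete old rules before re-running.
setup_policy_routes() {
    run sysctl -w net.ipv4.ip_forward=1
    # Traffic towards the directly connected subnets must keep using the main
    # table, otherwise the per-source default routes would push it out an uplink.
    run ip rule add to "$LAN1_NET" lookup main priority 10
    run ip rule add to "$LAN2_NET" lookup main priority 11
    # Intranet 1 leaves via Router 1; intranet 2 leaves via Router 2.
    run ip route replace default via "$GW_ROUTER1" dev eth2 table "$T_INET"
    run ip route replace default via "$GW_ROUTER2" dev eth3 table "$T_UPLINK"
    run ip rule add from "$LAN1_NET" lookup "$T_INET" priority 100
    run ip rule add from "$LAN2_NET" lookup "$T_UPLINK" priority 200
    run ip route flush cache
}

# Stateful FORWARD policy: default deny, one explicit allow per requirement.
setup_firewall() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Intranet 1 may reach only the server on intranet 2, nothing else inside.
    run iptables -A FORWARD -i eth0 -o eth1 -d "$LAN2_SERVER" -j ACCEPT
    # Intranet 1 -> Internet: HTTP and the FTP control channel at all times
    # (passive FTP data connections need the ftp conntrack helper loaded).
    run iptables -A FORWARD -i eth0 -o eth2 -p tcp -m multiport --dports 21,80 -j ACCEPT
    # Everything else only off-duty (16:30~7:30, the match wraps midnight)
    # and all day at the weekend.
    run iptables -A FORWARD -i eth0 -o eth2 -m time --timestart 16:30 --timestop 07:30 -j ACCEPT
    run iptables -A FORWARD -i eth0 -o eth2 -m time --weekdays Sat,Sun -j ACCEPT
    # Intranet 2 may reach the extranet through Router 2 (assumed uplink).
    run iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
    # The superior network may only initiate connections to the intranet 2 server.
    run iptables -A FORWARD -i eth3 -o eth1 -d "$LAN2_SERVER" -j ACCEPT
    # Hide private addresses behind the Router 1 link.
    run iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
}

# Number of commands a function would issue; useful when reviewing the plan.
count_commands() {
    DRY_RUN=1 "$1" | wc -l | tr -d ' '
}

# Only apply when explicitly asked: "sh policy.sh apply"
if [ "${1:-}" = "apply" ]; then
    setup_policy_routes
    setup_firewall
fi
```

Running "DRY_RUN=1 sh policy.sh apply" prints every ip and iptables command without touching the system, which is the form to keep under change control; the order of the FORWARD rules matters, since the time-based accepts must come after the always-allowed ports and the ESTABLISHED,RELATED rule must come first so return traffic is never subject to the time window.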