Networking with Linux; source routing

[Originally posted Mar 13, 2012 5:33 AM by Antti Uitto   [ updated Mar 13, 2012 5:34 AM ]]

This was my first attempt to do anything with source routing in it, on any platform, so I may not have it all correct, let alone according to any best practices. Anyway, I was able to produce the outcome I was hoping to get. Please feel free to comment! Inspiration for this lab exercise came from the LARTC tutorial and some other articles I found on the web. (See the resources section at the bottom of this post.)
And of course there is always the desire to learn more about what networking things you can do with just Linux boxes!

Scope

The scope of this exercise was to create a small lab net that routes IPv4. There are two user organizations in the network that are both supposed to reach a shared resource (Internet connection via firewall) and be able to communicate with other IP addresses in their own address range.

This outcome is to be produced by using Ubuntu Linux hosts as routers and the iproute2 program that comes with them.

The “customer” organizations and their routing tables are called “pizza” and “kebab”.

Network diagram

What counts as a success?

“Customer” addresses in the routing table “pizza” should be able to access other addresses that are in the routing table “pizza”. They should not be able to connect to hosts that are within the table “kebab”.

All hosts should be able to reach the Internet through my firewall, via NAT.

Result

The result of this configuration was what I hoped it to be. However, on a router I can ping between the host addresses of the local router, even when they belong to different sites. I assume this is because these single host addresses are visible in the routing table named “local”.

And maybe the rule for the “local” table is read first?

linuxlab2:~$ ip rule show
0: from all lookup local
32760: from 192.168.13.0/24 lookup kebab
32761: from 192.168.12.0/24 lookup kebab
32762: from 192.168.11.0/24 lookup kebab
32763: from 192.168.3.0/24 lookup pizza
32764: from 192.168.2.0/24 lookup pizza
32765: from 192.168.1.0/24 lookup pizza
32766: from all lookup main
32767: from all lookup default
linuxlab2
linuxlab2:~$ ip route show table local match 192.168.2.1
local 192.168.2.1 dev eth1 proto kernel scope host src 192.168.2.1
linuxlab2:~$
linuxlab2:~$ ip ro sh ta local match 192.168.2.2
linuxlab2:~$

Procedure

1. Install router hosts with ssh, vlan and bridge-utils
2. Give password for root user
3. Turn on ip forwarding
4. Give link IPs and test connectivity
5. Create both routing tables on all routers
6. Make “customer” interfaces
7. Add them to the appropriate routing tables
8. Make static routes
9. Create ip rules on all routers (“from”-rules)
10. Give default routes to both routing tables

(you can find routing and ip rule commands later in the post)

Create new routing tables
echo 1 pizza >> /etc/iproute2/rt_tables
echo 2 kebab >> /etc/iproute2/rt_tables

“Customer” addresses

pizza
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

kebab
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24

Notes

“Customer” site addresses are present in their own routing tables. The routing table called “main” has routes to all customer networks, so that returning packets (whose source matches no “from” rule) can be forwarded back to them.

IP rules dictate that packets sourced from “pizza” addresses are routed according to the “pizza” routing table. There are only “from” rules in my set.

The main table has no default (0/0) route, but the “pizza” and “kebab” tables do have one.
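To see how the rules and tables above combine, here is an added model (not from the post) of the kernel's policy-routing decision on linuxlab1. It encodes the post's rule priorities and tables; the two "local" host routes are assumed to be the kernel's own entries for the router's customer addresses, and it also reproduces the cross-site ping observed in the Result section.

```python
import ipaddress

# Added model of the policy-routing decision on the post's linuxlab1 router.
# RULES: (priority, source selector or None for "from all", table).
# TABLES: destination prefix -> next hop. The "local" host routes are the
# kernel's own entries for the router's customer addresses (assumed here).
RULES = [
    (0, None, "local"),
    (32760, "192.168.13.0/24", "kebab"), (32761, "192.168.12.0/24", "kebab"),
    (32762, "192.168.11.0/24", "kebab"), (32763, "192.168.3.0/24", "pizza"),
    (32764, "192.168.2.0/24", "pizza"), (32765, "192.168.1.0/24", "pizza"),
    (32766, None, "main"),
]
TABLES = {
    "local": {"192.168.1.1/32": "local eth3.10", "192.168.11.1/32": "local eth3.20"},
    "pizza": {"192.168.1.0/24": "dev eth3.10", "192.168.2.0/24": "via 10.1.2.2",
              "192.168.3.0/24": "via 10.1.3.3", "0.0.0.0/0": "via 10.2.2.1"},
    "kebab": {"192.168.11.0/24": "dev eth3.20", "192.168.12.0/24": "via 10.1.2.2",
              "192.168.13.0/24": "via 10.1.3.3", "0.0.0.0/0": "via 10.2.2.1"},
    # main knows every customer prefix but has no default route, as in the post
    "main": {"192.168.2.0/24": "via 10.1.2.2", "192.168.12.0/24": "via 10.1.2.2",
             "192.168.3.0/24": "via 10.1.3.3", "192.168.13.0/24": "via 10.1.3.3"},
}


def longest_prefix(table, dst):
    """Most specific route for dst in one table, or None if the table has none."""
    best = None
    for prefix, hop in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def lookup(src, dst):
    """Walk rules by priority. A selected table with no matching route falls
    through to the next rule, which is what the kernel does too."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES):
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        hop = longest_prefix(table, dst)
        if hop is not None:
            return table, hop
    return None  # nothing matched: destination unreachable
```

A pizza host addressing a kebab host is handed to the firewall via the pizza default route rather than to eth3.20, while a packet between the router's own two customer addresses is matched by rule 0 and the "local" table before any "from" rule is consulted.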

Configs per router

linuxlab1

“Customer” interfaces

# description pizza
auto eth3.10
iface eth3.10 inet static
address 192.168.1.1
netmask 255.255.255.0

# description kebab
auto eth3.20
iface eth3.20 inet static
address 192.168.11.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 via 10.1.2.2 table pizza
ip route add 192.168.3.0/24 via 10.1.3.3 table pizza
ip route add 192.168.1.0/24 dev eth3.10 table pizza
ip route add default via 10.2.2.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 via 10.1.2.2 table kebab
ip route add 192.168.13.0/24 via 10.1.3.3 table kebab
ip route add 192.168.11.0/24 dev eth3.20 table kebab
ip route add default via 10.2.2.1 table kebab
ip route add 192.168.2.0/24 via 10.1.2.2
ip route add 192.168.12.0/24 via 10.1.2.2
ip route add 192.168.3.0/24 via 10.1.3.3
ip route add 192.168.13.0/24 via 10.1.3.3
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

linuxlab2

“Customer” interfaces:

# description pizza
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0

# description kebab
auto eth2
iface eth2 inet static
address 192.168.12.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 dev eth1 table pizza
ip route add 192.168.3.0/24 via 10.1.2.1 table pizza
ip route add 192.168.1.0/24 via 10.1.2.1 table pizza
ip route add default via 10.1.2.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 dev eth2 table kebab
ip route add 192.168.13.0/24 via 10.1.2.1 table kebab
ip route add 192.168.11.0/24 via 10.1.2.1 table kebab
ip route add default via 10.1.2.1 table kebab
ip route add 192.168.1.0/24 via 10.1.2.1
ip route add 192.168.11.0/24 via 10.1.2.1
ip route add 192.168.3.0/24 via 10.1.2.1
ip route add 192.168.13.0/24 via 10.1.2.1
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

linuxlab3

“Customer” interfaces

# description pizza
auto eth2
iface eth2 inet static
address 192.168.3.1
netmask 255.255.255.0

# description kebab
auto eth3
iface eth3 inet static
address 192.168.13.1
netmask 255.255.255.0

Configs in /etc/rc.local
#
# ROUTES
#
ip route add 127.0.0.0/8 dev lo table pizza
ip route add 192.168.2.0/24 via 10.1.3.1 table pizza
ip route add 192.168.3.0/24 dev eth2 table pizza
ip route add 192.168.1.0/24 via 10.1.3.1 table pizza
ip route add default via 10.1.3.1 table pizza
ip route add 127.0.0.0/8 dev lo table kebab
ip route add 192.168.12.0/24 via 10.1.3.1 table kebab
ip route add 192.168.13.0/24 dev eth3 table kebab
ip route add 192.168.11.0/24 via 10.1.3.1 table kebab
ip route add default via 10.1.3.1 table kebab
ip route add 192.168.1.0/24 via 10.1.3.1
ip route add 192.168.11.0/24 via 10.1.3.1
ip route add 192.168.2.0/24 via 10.1.3.1
ip route add 192.168.12.0/24 via 10.1.3.1
#
# IP RULES
#
ip rule add from 192.168.1.0/24 table pizza
ip rule add from 192.168.2.0/24 table pizza
ip rule add from 192.168.3.0/24 table pizza
ip rule add from 192.168.11.0/24 table kebab
ip rule add from 192.168.12.0/24 table kebab
ip rule add from 192.168.13.0/24 table kebab

Commands to verify and check stuff

ip rule show
ip route show
ip route show table pizza
ip route show (table pizza/kebab) match 192.168.2.5
ifconfig
ip address
ping 8.8.8.8 -I 192.168.2.1
traceroute 8.8.8.8 -s 192.168.12.1

And then what?

I don’t know. Perhaps add IPv6 to this? Is it possible? Why would it not be?
Or maybe get Quagga and make these things do dynamic routing?

Resources

http://www.linuxhorizon.ro/iproute2.html
http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/
http://lartc.org

Networking with Linux; Linux Advanced Routing & Traffic Control HOWTO

[Originally posted Mar 13, 2012 4:55 AM by Antti Uitto]

Great resource:

Linux Advanced Routing & Traffic Control HOWTO

http://lartc.org/lartc.html

As I said, Linux is a powerful tool for network-related stuff.
The link above is to an extensive HOWTO article about routing and other networking services available in most Linux distributions.

Here is a nice one that I tried on my own router host.

If you are hosting an Internet gateway for some community, put this on the interface through which the traffic returns to their LAN:

sudo tc qdisc add dev eth1 root tbf rate 64kbit latency 50ms burst 128kbit

They’ll love you for it! 🙂