I have finished my labs with IP Route version 2 (iproute2). Although the final configuration is very simple, it took me a lot of work to figure it all out, and I had to use several scripts to put it together. In the end I have two main scripts: one for routing and one for the firewall and NAT.
First I would like to clear up some questions I found on the Internet.
Does iproute2 work with two or more interfaces configured as DHCP clients?
Yes, I have it configured that way; you just have to re-run the network script when the IP addresses change (maybe a topic for a next lab). In the script you only have to define the interfaces; the GW and IP addresses do not need to be known in advance.
Do I have to map the MAC addresses to make it work?
No. Although it is good security practice, it is not really needed.
If I have two gateways defined when I run netstat -nr, does routing go down?
Yes, unless you use iproute2, in which case both gateways are ignored; this feature is needed for DHCP interfaces.
Now, let's start with the configuration. The network diagram I used to make this work is below, along with the interface names; I added the script variable names just for reference:
We need the iproute and net-tools packages (installed by default); this is how they show up in dpkg -l:
ii iproute 20080725-2 networkis
ii net-tools 1.60-22 The NET-t
Once again, here is my initial configuration, including how the netstat -nr table looks with two GWs, which is what we need to make work.
All this work was done on a Soekris box! The ath0 interface was configured as a WAP wireless connection.
ath0 - DHCP configured (155.17.122.x)
eth0 - DHCP configured (192.168.1.x)
eth1 - 10.10.10.254/24
eth2 - 172.16.32.254/24
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    ath0
155.17.122.0    0.0.0.0         255.255.255.0   U     0   0      0    eth0
172.16.0.0      0.0.0.0         255.255.0.0     U     0   0      0    eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0   0      0    eth1
0.0.0.0         155.17.122.1    0.0.0.0         UG    0   0      0    eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0   0      0    ath0
In SOAD-IProute-2.sh you only have to modify the interfaces with Internet access, the networks that will share that Internet access, and the table names.
Table1="Perot"
Dev1="eth0"
Table2="NocDell"
Dev2="ath0"
#LocalNetworks to Avoid NAT
Net11="10.10.10.0/24"
Net21="172.16.32.0/24"
If more networks need to be added, you will have to create more variables and add the corresponding ip rules; remember to also add the matching del rules, or the stop function will not work!
#Delete routes
ip rule del from $Net11 to $Net11 2> /dev/null
ip rule del from $Net21 to $Net21 2> /dev/null
ip rule del from $Net21 to $Net11 2> /dev/null
ip rule del from $Net11 to $Net21 2> /dev/null
#Add routes
ip rule add from $Net11 to $Net11 table main pref 3
ip rule add from $Net21 to $Net21 table main pref 4
ip rule add from $Net21 to $Net11 table main pref 5
ip rule add from $Net11 to $Net21 table main pref 6
In the second script, SOAD-Firewall_Start.sh, I reuse the variables already defined in SOAD-IProute-2.sh; this gives you the possibility of using the Linux box only as a router and defining the variables in a single script. The variables are pulled in by sourcing the routing script:
. /etc/init.d/SOAD-IProute-2.sh .
You can use some other firewall to do the NAT, let's say Checkpoint for example. (Make sure to put the scripts in /etc/init.d.) The firewall script will NAT using the external IP address of each Internet connection. I have commented out the logging rules in the script; enable them when you need to debug the connections, and review your dmesg.
#iptables -t nat -A POSTROUTING -s $Net11 -o $Dev1 -j \
# LOG --log-prefix "NAT Internet Perot"
iptables -t nat -A POSTROUTING -s $Net11 -o $Dev1 -j \
SNAT --to-source $IP1
#iptables -t nat -A POSTROUTING -s $Net21 -o $Dev2 -j \
# LOG --log-prefix "NAT Internet NocDell"
iptables -t nat -A POSTROUTING -s $Net21 -o $Dev2 -j \
SNAT --to-source $IP2
Now the explanation of how iproute2 works. First we need the table names defined:
echo 1 $Table1 >> /etc/iproute2/rt_tables
echo 2 $Table2 >> /etc/iproute2/rt_tables
We will have two routing tables on the Soekris box (Linux), each with its own default GW. We do this by running:
ip route add default via $Gw1 dev $Dev1 table $Table1
ip route add default via $Gw2 dev $Dev2 table $Table2
Now we just have to use ip rules to define when a packet will be looked up in a specific table. Adding a preference gives us the opportunity to send the local interfaces' traffic to the main table first; otherwise a simple ssh to the GW interface won't work.
ip rule add from $Net11 table $Table1 pref 100
ip rule add from $Net21 table $Table2 pref 101
The local "no-routing" rules are defined as:
ip rule add from $Net11 to $Net11 table main pref 3
ip rule add from $Net21 to $Net21 table main pref 4
ip rule add from $Net21 to $Net11 table main pref 5
ip rule add from $Net11 to $Net21 table main pref 6
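As an added example (not part of the original post or its scripts), the shell functions below audit the two things this setup depends on: one extracts a device's default gateway from `ip route show table main` output by matching whole fields instead of chaining greps, the other checks that every inter-LAN "lookup main" rule has a lower preference number than every custom-table lookup, since rules are evaluated in ascending preference order. The sample texts are copied from the status output shown later in the post.

```shell
# Added example, not part of the original post or its scripts: audit helpers for
# the policy-routing setup described above. The two sample texts are copied from
# the "status" output shown in the post.
ROUTES='192.168.1.0/24 dev ath0 proto kernel scope link src 192.168.1.231
155.17.122.0/24 dev eth0 proto kernel scope link src 155.17.122.192
172.16.0.0/16 dev eth2 proto kernel scope link src 172.16.32.254
10.0.0.0/8 dev eth1 proto kernel scope link src 10.10.10.254
default via 155.17.122.1 dev eth0
default via 192.168.1.254 dev ath0'

RULES='3: from 10.10.10.0/24 to 10.10.10.0/24 lookup main
4: from 172.16.32.0/24 to 172.16.32.0/24 lookup main
5: from 172.16.32.0/24 to 10.10.10.0/24 lookup main
6: from 10.10.10.0/24 to 172.16.32.0/24 lookup main
100: from 10.10.10.0/24 lookup Perot
101: from 172.16.32.0/24 lookup NocDell
32766: from all lookup main'

# gw_for_dev ROUTE_TEXT DEV: print the default gateway of DEV, or nothing.
# Whole-field matching avoids the substring hits of "grep default | grep $Dev".
gw_for_dev() {
    printf '%s\n' "$1" | awk -v dev="$2" \
        '$1 == "default" && $2 == "via" && $4 == "dev" && $5 == dev { print $3; exit }'
}

# check_rule_order RULE_TEXT: return 0 when every "from X to Y lookup main" rule
# has a lower preference than every lookup of a custom table, 1 otherwise.
# Rules are evaluated in ascending preference, so a misordered set would send
# inter-LAN traffic through a per-table default gateway (and into NAT).
check_rule_order() {
    printf '%s\n' "$1" | awk '
        $2 == "from" && $4 == "to" && $NF == "main" {
            p = $1 + 0; if (p > max_local) max_local = p }
        $2 == "from" && $4 == "lookup" && $NF != "main" && $NF != "local" && $NF != "default" {
            p = $1 + 0; if (min_table == "" || p < min_table) min_table = p }
        END { exit !(min_table != "" && max_local < min_table) }'
}

# Demonstration on the post's own status output.
printf 'eth0 gateway: %s\n' "$(gw_for_dev "$ROUTES" eth0)"
printf 'ath0 gateway: %s\n' "$(gw_for_dev "$ROUTES" ath0)"
if check_rule_order "$RULES"; then echo "rule order OK"; else echo "rule order WRONG"; fi
```

On a live box, feed the functions `"$(ip route show table main)"` and `"$(ip rule show)"` instead of the embedded samples.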
Now that we understand iproute2 and have the variables in the script set up, we just need to run:
./SOAD-IProute-2.sh start
Advance Routing Starting ....:.
./SOAD-Firewall_Start.sh start
Starting Firewall and NAT Rules:.
This starts the routing and firewall scripts. I've added a status parameter so we can review the routing tables and the NAT rules; without it, reviewing iproute2 is a pain in the ass!!!
-- Network routing Status
# ./SOAD-IProute-2.sh status
-------------------------------
Print Table --Perot ---
Interface eth0 - 155.17.122.192
Route for Perot
default via 155.17.122.1 dev eth0
Rules for Perot
100: from 10.10.10.0/24 lookup Perot
-------------------------------
Print Table --NocDell ---
Interface ath0 - 192.168.1.231
Route for NocDell
default via 192.168.1.254 dev ath0
Rules for NocDell
101: from 172.16.32.0/24 lookup NocDell
-------------------------------
Print Table -- Main ---
Route for Main
192.168.1.0/24 dev ath0 proto kernel scope link src 192.168.1.231
155.17.122.0/24 dev eth0 proto kernel scope link src 155.17.122.192
172.16.0.0/16 dev eth2 proto kernel scope link src 172.16.32.254
10.0.0.0/8 dev eth1 proto kernel scope link src 10.10.10.254
default via 155.17.122.1 dev eth0
default via 192.168.1.254 dev ath0
Rules for Main
3: from 10.10.10.0/24 to 10.10.10.0/24 lookup main
4: from 172.16.32.0/24 to 172.16.32.0/24 lookup main
5: from 172.16.32.0/24 to 10.10.10.0/24 lookup main
6: from 10.10.10.0/24 to 172.16.32.0/24 lookup main
32766: from all lookup main
NAT rules.
# ./SOAD-Firewall_Start.sh status
-------------------------------
Print NAT Table For Perot and NocDell---
Chain POSTROUTING (policy ACCEPT)
target  prot opt source           destination
SNAT    all  --  10.10.10.0/24    anywhere      to:155.17.122.88
SNAT    all  --  172.16.32.0/24   anywhere      to:192.168.1.231
Now I give you the work of many weeks, the scripts.
cat SOAD-Firewall_Start.sh
#!/bin/bash
#Firewall Script for Advance Routing Version 1.5
#Distributed under the terms of the GNU General Public Licence V2
#Written by Jose Valdivia
#domingovaldivia@gmail.com
. /etc/init.d/SOAD-IProute-2.sh .
. /lib/lsb/init-functions
case "$1" in
start)
log_daemon_msg "Starting Firewall and NAT Rules"
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
#Starting NAT Rules
#iptables -t nat -A POSTROUTING -s $Net11 -o $Dev1 -j \
# LOG --log-prefix "NAT Internet Perot"
iptables -t nat -A POSTROUTING -s $Net11 -o $Dev1 -j \
SNAT --to-source $IP1
#iptables -t nat -A POSTROUTING -s $Net21 -o $Dev2 -j \
# LOG --log-prefix "NAT Internet NocDell"
iptables -t nat -A POSTROUTING -s $Net21 -o $Dev2 -j \
SNAT --to-source $IP2
log_end_msg 0
;;
stop)
log_daemon_msg "Clearing Configurations"
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
log_end_msg 0
;;
status)
echo -e "\n-------------------------------"
echo -e "Print NAT Table For $Table1 and $Table2---\n"
iptables -t nat -L POSTROUTING
log_end_msg 0
;;
esac
exit 0
cat SOAD-IProute-2.sh
Source: http://soad1982.blogspot.com/2010/02/advance-routing-on-linux.html
#!/bin/bash
#Advance Routing Version 2.0
#Distributed under the terms of the GNU General Public Licence V2
#Written by Jose Valdivia
#domingovaldivia@gmail.com
Table1="Perot"
Dev1="eth0"
Gw1=`ip route show table main | grep default | grep $Dev1 | awk '{print $3}'`
IP1=`ifconfig $Dev1 | grep "inet addr" | awk -F : '{print $2}' | awk '{print $1}'`
Table2="NocDell"
Dev2="ath0"
Gw2=`ip route show table main | grep default | grep $Dev2 | awk '{print $3}'`
IP2=`ifconfig $Dev2 | grep "inet addr" | awk -F : '{print $2}' | awk '{print $1}'`
#LocalNetworks to Avoid NAT
Net11="10.10.10.0/24"
Net21="172.16.32.0/24"
. /lib/lsb/init-functions
case "$1" in
start)
log_daemon_msg "Advance Routing Starting ...."
ip rule del from $Net11 to $Net11 2> /dev/null
ip rule del from $Net21 to $Net21 2> /dev/null
ip rule del from $Net21 to $Net11 2> /dev/null
ip rule del from $Net11 to $Net21 2> /dev/null
ip rule del table $Table1 2> /dev/null
ip rule del table $Table2 2> /dev/null
ip route flush table $Table1 2> /dev/null
ip route flush table $Table2 2> /dev/null
ip route flush cache 2> /dev/null
#Rebuild rt_tables file
echo "255 local" > /etc/iproute2/rt_tables
echo "254 main" >> /etc/iproute2/rt_tables
echo "253 default" >> /etc/iproute2/rt_tables
echo "0 unspec" >> /etc/iproute2/rt_tables
##################################
#Create the entries needed for table name recognition.
echo 1 $Table1 >> /etc/iproute2/rt_tables
echo 2 $Table2 >> /etc/iproute2/rt_tables
ip rule add from $Net11 to $Net11 table main pref 3
ip rule add from $Net21 to $Net21 table main pref 4
ip rule add from $Net21 to $Net11 table main pref 5
ip rule add from $Net11 to $Net21 table main pref 6
#Routing and Rules for Table1
ip route add default via $Gw1 dev $Dev1 table $Table1 2> /dev/null
ip rule add from $Net11 table $Table1 pref 100
#Routing and Rules for Table2
ip route add default via $Gw2 dev $Dev2 table $Table2 2> /dev/null
ip rule add from $Net21 table $Table2 pref 101
log_end_msg 0
;;
stop)
log_daemon_msg "Clearing Configurations"
ip rule del from $Net11 to $Net11 2> /dev/null
ip rule del from $Net21 to $Net21 2> /dev/null
ip rule del from $Net21 to $Net11 2> /dev/null
ip rule del from $Net11 to $Net21 2> /dev/null
ip rule del table $Table1 2> /dev/null
ip rule del table $Table2 2> /dev/null
ip route flush table $Table1 2> /dev/null
ip route flush table $Table2 2> /dev/null
ip route flush cache 2> /dev/null
#Rebuild rt_tables file
echo "255 local" > /etc/iproute2/rt_tables
echo "254 main" >> /etc/iproute2/rt_tables
echo "253 default" >> /etc/iproute2/rt_tables
echo "0 unspec" >> /etc/iproute2/rt_tables
##################################
log_end_msg 0
;;
status)
#Print routes and rules for each table
echo -e "\n-------------------------------"
echo -e "Print Table --$Table1 ---\n"
echo -e "Interface $Dev1 - $IP1"
echo -e "Route for $Table1"
ip route show table $Table1
echo -e "\nRules for $Table1"
ip rule show | grep $Table1
echo -e "\n-------------------------------"
echo -e "Print Table --$Table2 ---\n"
echo -e "Interface $Dev2 - $IP2"
echo -e "Route for $Table2"
ip route show table $Table2
echo -e "\nRules for $Table2"
ip rule show | grep $Table2
echo -e "\n-------------------------------"
echo -e "Print Table -- Main ---\n"
echo -e "Route for Main"
ip route show table main
echo -e "\nRules for Main"
ip rule show | grep main
log_end_msg 0
;;
esac