Source Routing in Linux

Source routing, also known as source policy routing, is used to route packets depending on the origin of the packet. The basic concept is to provide a customized routing table for each host (or network) that reflects the routes that host (or network) should use. These customized routing tables are matched by source, achieving the required routing of packets. It is important to be clear about the hierarchy of tables in order to avoid duplicating large routing tables.

Example 1: Forcing a host/network to use a specific route.

Source: http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE
Source: http://www.linuxhorizon.ro/iproute2.html

Create the new table.

echo 10 TABLE_NAME >> /etc/iproute2/rt_tables

The first number (10) is the table ID, which identifies this table among all the tables used by iproute2 to route packets.

Add the routing rule to use the new table for the specific source host/network.

ip rule add from SOURCE table TABLE_NAME

or by specifying a priority

ip rule add prio PRIORITY from SOURCE table TABLE_NAME

where PRIORITY is a number from 1 to 32767.

Check the new routing table in the iproute2 table list:

#ip rule ls
root@nlhpc-1:/home/jcm# ip rule ls
0:	from all lookup local 
32765:	from SOURCE lookup TABLE_NAME
32766:	from all lookup main 
32767:	from all lookup default 
root@nlhpc-1:/home/jcm#

Add the new route to be used to forward packets coming from SOURCE.

ip route add TARGET via GW_IP table TABLE_NAME

Verify the new routing table.

#ip route list table TABLE_NAME
TARGET via GW_IP dev DEV 

Verify the routing by pinging the TARGET host or an IP within the TARGET network. Packets should be routed via GW_IP instead of the routes in the other tables (main, default, etc).

Rationale

As mentioned before, the basic idea is to include a new routing table before the already existing routing tables used by iproute2 to route packets. So, when routing packets from SOURCE, the route lookup is performed first in this new table, and if the lookup fails (no hit), iproute2 performs the lookup in the other tables according to the priority given in the file /etc/iproute2/rt_tables. In this way, a policy routing scheme is established. We say "policy" since it establishes a priority for route lookup, allowing the network administrator to safely implement new routes without affecting the already existing routes.
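
The lookup order described above can be replayed offline from `ip rule ls` output. This is an added example, not part of the original page; it interprets only IPv4 `from ... lookup ...` rules, and the 192.0.2.0/24 source and the `uplink2` table name are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original page): replay the rule walk for one source.
# Assumption: only "from PREFIX|all lookup TABLE" IPv4 rules are interpreted;
# rules using other selectors (not, to, iif, fwmark, ...) are skipped.

# Constructed sample in the layout printed by "ip rule ls";
# 192.0.2.0/24 and the table name "uplink2" are made-up values.
RULES='0: from all lookup local
32765: from 192.0.2.0/24 lookup uplink2
32766: from all lookup main
32767: from all lookup default'

# Dotted-quad IPv4 address -> integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR SELECTOR: succeed if ADDR matches "all", a host, or NET/LEN.
in_prefix() {
    case $2 in
        all) return 0 ;;
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2; len=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# lookup_order SRC: read rules on stdin, print the tables consulted for SRC,
# lowest priority number first (a miss in one table falls through to the next).
lookup_order() {
    src=$1
    sort -n | {
        order=""
        while read -r prio kw sel action table rest; do
            [ "$kw" = from ] && [ "$action" = lookup ] || continue
            if in_prefix "$src" "$sel"; then order="$order $table"; fi
        done
        echo "${order# }"
    }
}

printf '%s\n' "$RULES" | lookup_order 192.0.2.17    # local uplink2 main default
printf '%s\n' "$RULES" | lookup_order 198.51.100.9  # local main default
```

On a live router, feed it the real rule list with `ip rule ls | lookup_order ADDRESS`.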

Verification.

To verify the routing, it is always possible to use the traceroute application. However, as it is common to find UDP traffic blocked in routers, traceroute might not be useful to determine whether the routing table is being used or not. To cope with this problem, a network sniffer is very useful. As we are talking about routing with Linux, it is possible to load a sniffer such as tcpdump or tshark and watch the interface from which the packets should be departing. Notice also that it is common to consider these tools (sniffers) as security problems, so it is strongly recommended to uninstall them after use.