doc:appunti:net:source_routing
doc:appunti:net:source_routing [2013/06/25 11:48] – [Firewall dual homed e source routing con Shorewall] niccolo
doc:appunti:net:source_routing [2025/10/07 10:56] (current) – [Firewall dual homed e source routing con Shorewall] niccolo
Line 27: Line 27:
 # Special table for source routing. # Special table for source routing.
 # See /etc/network/interfaces. # See /etc/network/interfaces.
-100     eth2_tbl+102     eth2_tbl
 </file> </file>
  
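Review bot: the renumbering from 100 to 102 in rt_tables is only an alias change, but it has to be carried through every `table eth2_tbl` reference on the page, and the same number 102 is later reused as the fwmark value in the Shorewall section, which is a different namespace (packet mark vs. routing-table id); a short comment saying the table id was chosen to match the mark for readability, not because they must be equal, would stop readers from assuming a dependency. Any id from 1 to 252 is valid here (253, 254 and 255 are reserved for default, main and local).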
Line 42: Line 42:
         broadcast 217.19.150.255         broadcast 217.19.150.255
         # gateway 217.19.150.1         # gateway 217.19.150.1
-        # Put a line "100 eth2_tbl" into /etc/iproute2/rt_tables+        # Put a line "102 eth2_tbl" into /etc/iproute2/rt_tables
         up /sbin/ip rule add from 217.19.150.6 table eth2_tbl || true         up /sbin/ip rule add from 217.19.150.6 table eth2_tbl || true
         up /sbin/ip route add 217.19.150.0/24 dev eth2 table eth2_tbl || true         up /sbin/ip route add 217.19.150.0/24 dev eth2 table eth2_tbl || true
         up /sbin/ip route add default via 217.19.150.1 table eth2_tbl || true         up /sbin/ip route add default via 217.19.150.1 table eth2_tbl || true
-        down /sbin/ip rule del from 217.19.150.6 table eth2_tbl || true 
-        down /sbin/ip route del 217.19.150.0/24 dev eth2 table eth2_tbl || true 
         down /sbin/ip route del default via 217.19.150.1 table eth2_tbl || true         down /sbin/ip route del default via 217.19.150.1 table eth2_tbl || true
 +        down /sbin/ip route del 217.19.150.0/24 dev eth2 table eth2_tbl || true
 +        down /sbin/ip rule del from 217.19.150.6 table eth2_tbl || true
 </file> </file>
  
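Review bot: reversing the `down` lines so that the routes are deleted before the `ip rule` is the right fix (the rule is what makes the table reachable, so it belongs last in teardown), but the `|| true` on the `up` lines still hides the failure that matters: if /etc/iproute2/rt_tables lacks the `102 eth2_tbl` entry, all three `table eth2_tbl` commands fail, nothing is reported, and traffic from 217.19.150.6 silently keeps using the main table. Replace `|| true` on the `up` lines with something that reports, e.g. `|| logger -t interfaces "eth2_tbl rule failed"`. Giving the rule an explicit preference (`up /sbin/ip rule add priority 1000 from 217.19.150.6 table eth2_tbl`, with the same `priority 1000` in the `down` line) also makes its position independent of insertion order and the deletion unambiguous.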
Line 64: Line 64:
 32767:  from all lookup default 32767:  from all lookup default
 </code> </code>
 +
 +Attenzione alla **priorità delle regole** (rules)! Il numero più basso ha priorità maggiore, se non viene indicato il parametro **''priority''** nel comando **''ip rule add''** viene assegnato automaticamente un numero decrescente a partire da **32767** (unsigned int). Secondo questa priorità automatica quindi **la regola inserita per ultima ha priorità maggiore**.
  
 ====== Source IP con ip route ====== ====== Source IP con ip route ======
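Review bot: the conclusion of the new paragraph is right (the rule added last wins), but the mechanism is off: when no `priority` is given the kernel does not count down from 32767, it assigns one less than the preference of the second rule in the list, so with the stock `0 local / 32766 main / 32767 default` the first unnumbered rule gets 32765, the next 32764, and so on, each landing just above the previous one and below `main`; 32767 is simply where the `default` rule sits, not an "unsigned int" limit (the field is a 32-bit value). Suggest rewording to "an unnumbered rule is inserted just before the main rule" and, more usefully, recommending an explicit `priority` on every `ip rule add` on this page, because the Shorewall section adds a `from` rule and a `fwmark` rule back to back and their relative order then depends only on the order of the `up` lines.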
Line 76: Line 78:
 ip route add 78.47.114.234/32 via 62.48.51.1 src 62.48.51.127 ip route add 78.47.114.234/32 via 62.48.51.1 src 62.48.51.127
 </code> </code>
 +
 ====== Routing in base al servizio ====== ====== Routing in base al servizio ======
  
Line 93: Line 96:
 # Special table for source routing. # Special table for source routing.
 # See /etc/network/interfaces. # See /etc/network/interfaces.
-100     eth2_tbl+102     eth2_tbl
 </file> </file>
  
Line 144: Line 147:
 ====== Firewall dual homed e source routing con Shorewall ====== ====== Firewall dual homed e source routing con Shorewall ======
  
-**Esempio**: collegamento a internet con due interfacce, **eth0** ADSL e **eth2** (94.94.64.138, HDSL). La rotta predefinita è su eth0, parte del traffico viene dirottato su eth2 tramite regole di ''iptables''.+**Esempio**: collegamento a internet con due interfacce, **eth0** (217.58.174.226, ADSLe **eth2** (94.94.64.138, HDSL). La rotta predefinita è su eth0, parte del traffico viene dirottato su eth2 tramite regole di ''iptables''. La **LAN** 10.22.20.0/24 è collegata su **eth1**.
  
 Queste le accortezze da utilizzare: Queste le accortezze da utilizzare:
  
   * In **''/etc/shorewall/interfaces''** si indicano le due interfacce collegate alla zona **net**.   * In **''/etc/shorewall/interfaces''** si indicano le due interfacce collegate alla zona **net**.
-  * In **''/etc/shorewall/shorewall.conf''** si imposta **''ROUTE_FILTER=No''**, altrimenti il traffico in uscita dalla eth2 viene filtrato come //martian source//.+  * In **''/etc/shorewall/shorewall.conf''** si imposta **ROUTE_FILTER=No**, altrimenti il traffico in uscita dalla eth2 viene filtrato come //martian source//. 
 +  * In **''/etc/shorewall/interfaces''** **NON** ci deve essere l'opzione **routefilter=1** (misura anti-spoofing), per lo stesso motivo di cui sopra. **ATTENZIONE**: Se in ''shorewall.conf'' c'è l'opzione ''ROUTE_FILTER=Yes'', impostare qui ''routefilter=0'' non è sufficiente. 
 +  * In **''/etc/shorewall/interfaces''** è opportuno avere l'opzione **sourceroute=0** (parametro accept_source_route del kernel) sulle interfacce collegate a peer non fidati (connessioni ISP, ecc). 
 + 
 +**''/etc/shorewall/interfaces''** 
 + 
 +<file> 
 +# Dual-homed external interfaces require global ROUTE_FILTER=No in shorewall.conf. 
 +# The safe policy for connections with untrusted peers is to set accept_source_route to 0. 
 +# Notice: source route packets are nonsensical on a PPP link. 
 +accept_source_route = 0 
 +net    eth0    tcpflags,nosmurfs,sourceroute=0 
 +net    eth2    tcpflags,nosmurfs,sourceroute=0 
 +# Enable route filter (rp_filter kernel paramter) specifically on the local interface. 
 +loc    eth1    dhcp,routefilter=1 
 +</file>
  
 **''/etc/iproute2/rt_tables''** **''/etc/iproute2/rt_tables''**
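Review bot: the line `accept_source_route = 0` in the new /etc/shorewall/interfaces listing is not valid syntax for that file (the columns are ZONE INTERFACE [BROADCAST] OPTIONS, so it would be parsed as a zone called accept_source_route) and looks like a sysctl setting that slipped in; either comment it out or move it to /etc/sysctl.d as `net.ipv4.conf.all.accept_source_route = 0`, noting that `sourceroute=0` on the two net interfaces already sets the per-interface knob. On the rp_filter point, it would help to say why `routefilter=0` cannot override `ROUTE_FILTER=Yes`: the kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so a global 1 beats a per-interface 0, while with the global at 0 the `routefilter=1` on eth1 does take effect. Rather than switching reverse-path checking off on eth0 and eth2 altogether, loose mode (rp_filter=2: the source only has to be reachable through some interface) is the usual setting for a multi-homed host and still drops sources with no route at all; recent shorewall-interfaces(5) documents `routefilter=2` for this, so check whether the installed version supports it. Finally, "source routing" on this page means policy routing by source address, whereas `sourceroute`/accept_source_route concerns the IP LSRR/SSRR options (the PPP remark in the comment refers to the latter); one sentence separating the two would avoid confusion, and "paramter" in the eth1 comment is a typo.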
Line 156: Line 174:
 # Special table for source routing. # Special table for source routing.
 # See /etc/network/interfaces. # See /etc/network/interfaces.
-100     eth2_tbl+102     eth2_tbl
 </file> </file>
  
Line 169: Line 187:
         # gateway 94.94.64.137         # gateway 94.94.64.137
         up /sbin/ip rule add from 94.94.64.138 table eth2_tbl || true         up /sbin/ip rule add from 94.94.64.138 table eth2_tbl || true
-        up /sbin/ip rule add fwmark 100 table eth2_tbl || true+        up /sbin/ip rule add fwmark 102 table eth2_tbl || true
         up /sbin/ip route add 94.94.64.136/29 dev eth2 table eth2_tbl || true         up /sbin/ip route add 94.94.64.136/29 dev eth2 table eth2_tbl || true
         up /sbin/ip route add default via 94.94.64.137 table eth2_tbl || true         up /sbin/ip route add default via 94.94.64.137 table eth2_tbl || true
         down /sbin/ip route del default via 94.94.64.137 table eth2_tbl || true         down /sbin/ip route del default via 94.94.64.137 table eth2_tbl || true
         down /sbin/ip route del 94.94.64.136/29 dev eth2 table eth2_tbl || true         down /sbin/ip route del 94.94.64.136/29 dev eth2 table eth2_tbl || true
-        down /sbin/ip rule del fwmark 100 table eth2_tbl || true+        down /sbin/ip rule del fwmark 102 table eth2_tbl || true
         down /sbin/ip rule del from 94.94.64.138 table eth2_tbl || true         down /sbin/ip rule del from 94.94.64.138 table eth2_tbl || true
 </file> </file>
  
-**''/etc/shorewall/masq''**+**''/etc/shorewall/snat''** (per il nuovo Shorewall v.5)
  
 <file> <file>
-eth0                    10.22.20.0/24                                           # LAN to internet via HDSL +SNAT(217.58.174.226)    192.168.1.0/24   eth0    # LAN to internet via HDSL 
-eth2                    10.22.20.0/24   94.94.64.138                            # LAN to internet via ADSL+SNAT(94.94.64.138)      192.168.1.0/24   eth2    # LAN to internet via ADSL
 </file> </file>
  
 +**''/etc/shorewall/masq''** (per il vecchio Shorewall v.4)
 +
 +<file>
 +eth0    10.22.20.0/24       # LAN to internet via HDSL
 +eth2    10.22.20.0/24       # LAN to internet via ADSL
 +</file>
  
 **''/etc/shorewall/start''** **''/etc/shorewall/start''**
  
 <file> <file>
-Mark some traffic to be routed via eth2. +Packets source-routed via eth2 must use eth2 source address, 
-iptables -A PREROUTING -t mangle ! -d 62.48.51.0/24 -i eth1 --proto tcp --dport 80  -j MARK --set-mark 100 +# otherwise source address for default gateway is used
-iptables -A PREROUTING -t mangle ! -d 62.48.51.0/24 -i eth1 --proto tcp --dport 443 -j MARK --set-mark 100+iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 94.94.64.138 
 + 
 +# For connections originating from eth1 LAN. 
 +iptables -A PREROUTING -t mangle -i eth1 --proto tcp --dport 22  -j MARK --set-mark 102 
 +iptables -A PREROUTING -t mangle -i eth1 --proto tcp --dport 80  -j MARK --set-mark 102 
 + 
 +# For locally geneated connections. 
 +iptables -A OUTPUT -t mangle --proto tcp --dport 22 -j MARK --set-mark 102
 </file> </file>
  
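Review bot: the new snat file uses 192.168.1.0/24 while the example description says the LAN on eth1 is 10.22.20.0/24 and the v4 masq file still masquerades 10.22.20.0/24, so the v5 lines should presumably read `SNAT(217.58.174.226) 10.22.20.0/24 eth0` and `SNAT(94.94.64.138) 10.22.20.0/24 eth2`; the trailing comments are also swapped in both files (per the text eth0 is the ADSL link and eth2 the HDSL one). In the start script the first line, `Packets source-routed via eth2 must use eth2 source address,`, has lost its leading `#` and will be executed as a command when Shorewall sources the file (the following line has it). The explicit POSTROUTING SNAT for `-o eth2` is justified by the comment (a locally generated connection picks its source address from the main table before the OUTPUT mark reroutes it), but the LAN MARK rules no longer exclude any destination as the old `! -d 62.48.51.0/24` did, so port 22 and 80 traffic to every forwarded destination, including hosts on eth0's own subnet (for which eth2_tbl has no connected route, only the HDSL default), will leave through eth2; add a `! -d` exclusion if that is not intended. Shorewall's own providers plus mangle (v5) / tcrules (v4) files generate this rule, table and mark setup natively and are worth considering instead of raw iptables in `start`; "geneated" is a typo.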
doc/appunti/net/source_routing.1372153685.txt.gz · Last modified: by niccolo