EKAKJ

November 21, 2007

Routing Using Packet Marking

Filed under: linux — ekakj @ 4:54 pm

Before You Start

IP network addresses are given to you by your Internet Service Provider, your leased line carrier, or by ARIN. If you do not plan to connect your network to the Internet, you can use an IP network address set aside for private use. The IP network addresses for private use can be found in RFC 1597. Most people will use 192.168.0.0, as we have in this example.

Configuring Packet Marking

In this example, we are going to assume the following:

  • Ethernet0 has an IP address of 192.168.1.100 with a netmask of 255.255.255.0
  • Serial0 has an IP address of 192.168.54.1 with a netmask of 255.255.255.252
  • Serial1 has an IP address of 192.168.64.1 with a netmask of 255.255.255.252

The IP addresses used in this Technical Note are examples only. You will need to use an IP network given to you by your Internet Service Provider.

Router A

!
 version 2.00
!
interface Ethernet0
 ip address 192.168.1.100 255.255.255.0
!
interface Serial0
 description Connection to Router B
 encapsulation hdlc
 ip address 192.168.54.1 255.255.255.252
!
interface Serial1
 description Connection to Router C
 encapsulation hdlc
 ip address 192.168.64.1 255.255.255.252
!
# Add a default route through 192.168.1.1
 ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
end

In our example above, we will be configuring "Router A" to route Web traffic on port 80 from its internal network out Serial0 and POP3 traffic on port 110 out Serial1. Keep in mind that this alternate routing path may require other network design changes on your network. This example assumes that the remote routers on Serial0 and Serial1 know how to route traffic for the 192.168.1.0/24 network.

Unlike the simple Source Routing example, we cannot route ALL traffic from 192.168.1.0/24 out a particular interface. ImageStream routers support packet marking, an extension to Linux iptables that allows you to associate a special value (a "packet mark") with a packet as it passes through the router. The packet mark does not alter the packet in any way. It is an internal value maintained by the Linux kernel, but it can be used to classify packets for further action. First, we need to edit the firewall configuration to mark the packets that we want to re-route. To edit the configuration, follow these steps:

  1. At the Login: prompt, enter root.
  2. At the Password: prompt, enter your password.
  3. Choose Option 1 (Configuration and Update Menu) from the Main Menu. Select Option 4 (Firewall and QOS configuration).
  4. Choose Option 2 (Firewall configuration) from the menu. Select Option 1 (Configure firewall rules).
  5. Add the packet marking rules for your network to this file. iptables firewalls process rules in the order in which they appear in your configuration. Before adding the rules, carefully analyze where in the ruleset they should appear.

The completed file for our example should look like this:

# Packet marking should be done as early as possible (PREROUTING chain) to allow maximum flexibility
# Packet marks are numeric and can be any value
# Addition and subtraction operations ("+1", "-1") may be used with marks
#
# Only traffic originating on the internal LAN (192.168.1.0/24) is marked, so that
# connections arriving on the serial links toward port 80 or 110 are not re-routed as well
#
# Mark Web traffic with a value of "80"
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 80

# Mark POP3 traffic with a value of "110"
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 110 -j MARK --set-mark 110

Next, we must configure routing rules to match marked packets and route them out the proper device.

  1. At the Login: prompt, enter root.
  2. At the Password: prompt, enter your password.
  3. Choose Option 1 (Configuration and Update Menu) from the Main Menu. Select Option 3 (Network interface configuration).
  4. Move to the bottom section of the configuration file (wan.conf) where the routing rules are located (Note: You may insert routes anywhere. Placing them at the end is done by convention.)
  5. Add the source routing rules.

The router will match all packets marked with a value of "80" and apply the routing rules in the user-defined routing table 200. Similarly, the router will match all packets marked with a value of "110" and apply the routing rules in the user-defined routing table 201. You can view the routing tables by using the command "ip route show" at the Bash shell, followed by the keyword "table" and the name of the table (in this example, the tables are "main", "200" and "201"):

imagestream:/usr/local/sand# ip route show table main
default via 192.168.1.1 dev Ethernet0

imagestream:/usr/local/sand# ip route show table 200
default via 192.168.54.2 dev Serial0

imagestream:/usr/local/sand# ip route show table 201
default via 192.168.64.2 dev Serial1

The completed routing section of the network interface configuration file (wan.conf) for our example should look like this:

!
# Add a default route through 192.168.1.1
 ip route 0.0.0.0 0.0.0.0 192.168.1.1

# Move packets marked with "80" to a special routing table
 ip rule add fwmark 80 table 200

# Route all packets on routing table 200 via Serial0 by default
# This rule applies ONLY to table 200 and not the main table
 ip route add default dev Serial0 table 200

# Move packets marked with "110" to a special routing table
 ip rule add fwmark 110 table 201

# Route all packets on routing table 201 via Serial1 by default
# This rule applies ONLY to table 201 and not the main table
 ip route add default dev Serial1 table 201
!
end

Remember to save your configurations to flash whenever you are finished configuring source routing!
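To check that the marking rules and the policy-routing rules above fit together before committing them to flash, it helps to trace the kernel's decision path by hand: mangle PREROUTING sets the mark, the ip rules are consulted in priority order, and a rule whose table has no matching route is skipped. The following is an added illustration, not ImageStream code; it models Router A's rules and tables from this note under assumed Linux policy-routing semantics, and the hosts 192.168.1.50, 192.168.54.2 and 203.0.113.10 used as inputs are constructed.

```python
import ipaddress

# Constructed model of Router A (assumed Linux policy-routing semantics;
# the MARK rules, ip rules and tables mirror the ones in the note).
MANGLE_PREROUTING = [  # (source network, protocol, dport, mark to set)
    ("192.168.1.0/24", "tcp", 80, 80),
    ("192.168.1.0/24", "tcp", 110, 110),
]
IP_RULES = [  # consulted in ascending priority; main (32766) is last
    (32764, 110, "201"),  # ip rule add fwmark 110 table 201
    (32765, 80, "200"),   # ip rule add fwmark 80 table 200
    (32766, None, "main"),
]
ROUTE_TABLES = {  # (prefix, device, gateway) as shown by "ip route show table"
    "main": [("0.0.0.0/0", "Ethernet0", "192.168.1.1")],
    "200": [("0.0.0.0/0", "Serial0", None)],
    "201": [("0.0.0.0/0", "Serial1", None)],
}

def mark_packet(src, proto, dport):
    """Walk the mangle PREROUTING chain. MARK does not stop rule
    processing, so a later matching rule overwrites an earlier mark."""
    mark = 0
    for net, p, port, value in MANGLE_PREROUTING:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(net)
                and proto == p and dport == port):
            mark = value
    return mark

def lookup(table, dst):
    """Longest-prefix match in one table; None means no route there."""
    best = None
    for prefix, dev, gw in ROUTE_TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best

def route_packet(src, dst, proto, dport):
    """Mark the packet, then try the ip rules in priority order; a rule
    whose table has no matching route falls through to the next rule."""
    mark = mark_packet(src, proto, dport)
    dst_ip = ipaddress.ip_address(dst)
    for _prio, fwmark, table in sorted(IP_RULES, key=lambda r: r[0]):
        if fwmark is not None and fwmark != mark:
            continue
        hit = lookup(table, dst_ip)
        if hit:
            return {"mark": mark, "table": table, "dev": hit[1], "via": hit[2]}
    return {"mark": mark, "table": None, "dev": None, "via": None}
```

Tracing a LAN host's port 80 and 110 connections shows them leaving on Serial0 and Serial1, while anything else, including connections arriving from the serial links toward a LAN host, stays on the main table.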
