Chris Bullock wrote:

We have a fairly static network with about 8 subnets and roughly 5
different points of access to the outside world.  We are using a Linux PC
full of nics and doing strictly static routing.  We have an application
that the university needs access to at fiber speed, the hospital has
access to the university and we have access to the hospital, so therefore
we are routing to the university through the hospital (university <-->
hospital <--> our office).  Long story short we have asked the hospital to
somewhat protect us from the university by implementing ACLs on their PIX,
this gives the university access to our services but blocks my users from
hitting the university's services since my router points all university
traffic through the hospital.  Now my question, I have tried to understand
the policy routing built into Linux but keep beating my head against the
wall due to my lack of brains.  Here is what I have, I have a macro I run
that has all my static routes listed, what I want to do is via command
line, not a table, tell my traffic that to go to 150.216/16 go out our
broadband connection not our hospital gateway.
Three observations here:
- What you're asking for means the traffic doesn't go fast...
The university is 150.216.0.0/16, and if you "tell my traffic that to go to 150.216/16 go out our broadband connection not our hospital gateway", then of course things won't be very fast when talking back to those users from the university who are connecting through the hospital. Somehow I think you're asking for a sub-portion of your traffic to do this, but you don't describe which portion, so I can't formulate a confident answer.

- A simple route is all you need
Disregarding the above point, to do what you're really asking, all you need is a simple route like this:
route add -net 150.216.0.0 netmask 255.255.0.0 gw 10.2.0.254
Although, if that's your default gateway, unless there is some other more-specific route that overrides it, that should be the default behavior? I suspect though, as mentioned above, this isn't really what you're asking.

- What do you mean "what I want to do is via command line, not a table, tell my traffic that"?
Policy routing is enabled via "rules" created by the `ip` command which shunt traffic to specific route "tables", also set up via `ip`. That's simply how it's implemented. You build these alternate route tables from the command line, with successive commands. You can optionally attach particular text tags to them via config files, but that's not particularly required if you'd prefer to stick to simple straight commands. I'm going to go out on a limb here, and think you probably want to route the traffic from Network A differently from how you route the traffic from Network B. Generally, Network B is routed how you want to route most traffic, so I'll propose a config that just makes a small change to the route taken by traffic flowing *from* A *to* University. Something like this might serve your needs:
# ip rule add from 150.216.0.0/16 table 100
# ip route add default via 10.254.254.254 table 100

This effectively says, for all traffic coming from 150.216.0.0/16, use routing table 100, instead of the "main" routing table. And then includes a single default route for that table, which shunts traffic to 10.254.254.254. If this isn't what you had in mind, provide a little more info and I'll see if I can point you in the right direction. I should mention you need to have the appropriate advanced routing and policy routing bits enabled in your kernel for this to work. Most modern distros do have this enabled.

Aaron S. Joyner
Policy-routing-wonk


University = 150.216.x.x
network A = 10.1.x.x
network B = 10.2.x.x
hospital gw = 10.254.254.254
office Internet gw = 10.2.x.254
The university needs access to network A; network A never needs to access
the internet, only the university.
Network B needs to access the university but cannot access it through the
hospital due to firewall rules; it can only access it through my office
internet gateway.
Regards,
Chris
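An added example (not from either poster) applying the `ip rule` / `ip route` approach Aaron describes to the topology Chris lists above: network A keeps reaching the university through the hospital via the main table, while a source-based rule sends only network B's university traffic out the office Internet gateway. It assumes network A is 10.1.0.0/16, network B is 10.2.0.0/16, and the office gateway is 10.2.0.254 (Chris wrote 10.2.x.254); set APPLY=1 to execute the commands as root instead of printing them.

```shell
#!/bin/sh
# Constructed values based on the thread; the /16 masks and 10.2.0.254
# are assumptions, not something the posters confirmed.
UNIVERSITY=150.216.0.0/16
NET_B=10.2.0.0/16
HOSPITAL_GW=10.254.254.254
OFFICE_GW=10.2.0.254
TABLE_B=100   # alternate table consulted only for network B's university traffic

# run: print the command unless APPLY=1, so the plan can be reviewed first.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

policy_routes() {
  # Main table: university traffic (network A's, and everything else)
  # goes through the hospital, which also carries the university's
  # replies back to network A.
  run ip route replace "$UNIVERSITY" via "$HOSPITAL_GW"
  # Table 100 holds the one exception: university reached via the office
  # Internet link, because the hospital PIX blocks network B.
  run ip route replace "$UNIVERSITY" via "$OFFICE_GW" table "$TABLE_B"
  # Rule: packets sourced from network B and destined for the university
  # consult table 100 before the main table (priority below main's 32766).
  run ip rule add from "$NET_B" to "$UNIVERSITY" lookup "$TABLE_B" priority 1000
}

# Verification after applying: rules, the alternate table, and a lookup
# from a network B address to confirm it picks the office gateway.
show_policy() {
  run ip rule show
  run ip route show table "$TABLE_B"
  run ip route get "${UNIVERSITY%/*}" from 10.2.0.10 iif eth1
}

policy_routes
```

`ip route get ... from ... iif` assumes eth1 is the router's interface toward network B; adjust to the real NIC name.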




--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
