Early in the management of Linux systems network, often using the ifconfig and route commands and the like, but if you are ready to start using Linux powerful policy-based routing mechanism, then please do not use such tools because these tools at all not for the powerful policy-based routing mechanism, instead of the tool is iproute. iproute This software is installed by default in the series RedHat Linux system, so you can usually find this tool. If you really can not find the software for some reason, as long as when using Fedora or CentOS Linux, in the case of networking can be successfully installed with yum install iproute command; or you can use the ip -V command to check whether the software iproute has been installed, please note again, -V argument to uppercase English letters:
[root@localhost /]# ip -V
ip utility, iproute2-ss091226
First, the management policy database
on Linux, policy-based routing policy database is managed by the ip command, discussed below, "management" aspects:
1, view the policy database
to view the contents of the policy database, you can use the command ip rule show, or you can use the ip rule ls. The following is the output obtained after executing the command, in these data, the system can see the three default rules, which correspond to the three rules default local, mail and the three default routing table.
[root@localhost /]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
2, add a rule
when you add a rule, you must first determine good "condition", "priority" and "routing table ID", after which it can perform an operation to add the rule.
Conditions
that can be used to determine the type of the data packets comply with this rule, the field can be used to match the Source IP, Destination IP, Type of Service, fwmark dev and the like, the use of these fields are as follows:
The Source IP
according to the source IP terminal which is determined with reference to the routing table data packet sent. The following two examples were noted, if the source end IP packet is 192.168.1.10, it refers to the routing table 10; if the source IP terminal of the IP network 192.168.2.0/24, it refers to the routing table 20.
ip rule add from 192.168.1.10 table 10
ip rule add from 192.168.2.0/24 table 20
Destination IP
The destination IP packets to determine which routing table reference sent. The following two examples were noted, if the purpose of the data packet is IP terminal 168.95.1.1, it refers to the routing table 10; 168.95.0.0/24 if the destination IP is the IP network, it consults the routing table 20.
ip rule add to 168.95.1.1 table 10
ip rule add to 168.96.0.0/24 table 20
fwmark
will fwmark as matching conditions, must be used in conjunction with Netfilter, it seems a lot of trouble, but it is the most flexible matching condition. As shown, there are three, a company ADSL 10-8, we hope that all HT TP protocol via the first ADS L, SMTP and POP3 through a second ADSL, ADSL remaining flow through the third. You can use the following combinations of commands to achieve this purpose:
iptables -t mangle -A FORWARD -i eth3 -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A FORWARD -i eth3 -p tcp --dport 25 -j MARK --set-mark 2
iptables -t mangle -A FORWARD -i eth3 -p tcp --dport 110 -j MARK --set-mark 2
iptables -t mangle -A FORWARD -i eth3 -j MARK --set-mark 3
ip rule add fwmark 1 table 1
ip rule add fwmark 2 table 2
ip rule add fwmark 3 table 3
First, the mechanism using managle Netfilter MARK value is set for a particular packet, this value is set to the MARK HTTP packets. 1 is, SMTP and POP3 MARK value is 2 data packets, the further packets is provided MARK 3. Next, fwmark then judged according to the value of the condition MARK packet, if MARK value is 1, refers to the routing table 1 sending packets; when MAKR value of 2 refers to the routing table sending packets 2; Finally, MARK value 3 is a data packet refers to the routing table 3 is fed.
The above example is just a concept only, if you really want to complete this example reflects all the features, but also pay attention to many details, will use an example to explain in detail later in this section, as long as this first understand the concept of using a combination that is fwmark with Netfilter can.
dev
Finally, the interface can also be used as the input data packet is determined based, shown in Figure 10-9, we want all forwarded through the interface eth2 fed eth0 packet by the interface, the packet interface into eth3 eth1 forwarded by the interface. The following command combinations will be able to meet our requirements:
ip rule add dev eth2 table 1
ip rule add dev eth3 table 3
3, priorities
described earlier in the rule, "condition" of use, the next priority is to be discussed. Priority represented by numbers, which could range from 0 to 4 billion, called the astronomical figures, we can not actually set up such a large routing mechanism on a PC.
[root@localhost ~]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@localhost ~]#
[root@localhost ~]# ip rule add from 192.168.1.0/24 table 1
[root@localhost ~]# ip rule add from 192.168.2.0/24 table 2
[root@localhost ~]#
[root@localhost ~]# ip rule show
0: from all lookup local
32764: from 192.168.2.0/24 lookup 2
32765: from 192.168.1.0/24 lookup 1
32766: from all lookup main
32767: from all lookup default
As an example, we execute the ip rule show command displays the contents of the first field is the priority, the lower the number, the higher the priority level representatives, also on behalf of this rule may be the more front row, so Packets Are conditions when matched, the sooner match to this rule, from the data output, the default priority 0,32766 and 32767 have been occupied, and therefore, when you add a rule, if not specifically set the priority level, then the default priority It will start decreasing from 32766, 32765,32764 ...... such as, in particular, if we need to set priorities, you can command ip rule add the final with prio XXX parameters. As shown in the following example:
[root@localhost ~]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@localhost ~]#
[root@localhost ~]# ip rule add from 192.168.1.0/24 table 1 prio 10
[root@localhost ~]# ip rule add from 192.168.2.0/24 table 2 prio 20
[root@localhost ~]#
[root@localhost ~]# ip rule show
0: from all lookup local
10: from 192.168.1.0/24 lookup 1
20: from 192.168.2.0/24 lookup 2
32766: from all lookup main
32767: from all lookup default
Routing Table ID
Linux-based policy routing, the routing table ID is represented by, but if necessary, may also be used with the name ID table ID is translated into a name.
4, delete rules
Delete Rule manner ip command provides a very flexible, for example, to delete the following rule 2, you can use a unique value for any of the "priority", "conditions" and "routing table" which is set respectively the rules to be deleted, as follows:
ip rule del prio 10
ip rule del from 192.168.1.0/24
ip rule del table 1
ip rule del from 192.168.1.0/24 table 1 prio 10
[root@localhost ~]# ip rule show
0: from all lookup local
10: from 192.168.1.0/24 lookup 1
20: from 192.168.2.0/24 lookup 2
32766: from all lookup main
32767: from all lookup default
[root@localhost ~]#
Second, the routing table management
because the route -n command has been completely unsuitable for use in policy-based routing, therefore, route command can only operate a specific routing table, but in policy-based routing, there will be multiple routing tables at the same time, Please give up this route management tool, instead of still ip command. Next we will discuss how to use the ip command to manage the routing table.
1, check the routing table contents
before looking at the routing table, the first to use ip rule show command to see what is currently used routing table, then re-use ip route show [table id | name ] command to view the contents of the routing table. For example, you can use ip route showtable main routing table to view the contents of the main, if no routing table names (such as ip route show), will default to view the contents of the main routing table.
[root@localhost /]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@localhost /]#
[root@localhost /]# ip route show table main
10.10.15.0/25 dev eth0 proto kernel scope link src 10.10.15.46
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
default via 10.10.15.1 dev eth0
[root@localhost /]#
By default, the system has three routing table, the routing table of the three functions as follows:
local: the machine comprising a local routing table and broadcasting the routing information. For example, executed on the machine 127.0.0.1 when ssh, it will refer to the contents of this routing table, under normal circumstances, as long as the configuration of the network card is set up, it will automatically generate a table of contents local routing, we should not have to modify its contents.
main: the use of traditional command route routing table is the main content of -n see. Linux systems use default contents of this routing table to transmit data packets, therefore, its content is extremely important, under normal circumstances, as long as the configuration of the network card is set up, it will automatically generate content main routing table.
default: Finally default routing table, the contents of the routing table is empty by default; unless there are special requirements, or to keep its content is blank.
The main use of routing table contents will be explained, the following is the content of the main routing table in FIG. 10-10, since there are two NIC eth0 and eth1 on the host, and to set an IP and 192.168 respectively 10.10.15.46/25 .1.10 / 24, therefore, the first routing table. That is OK to tell the system, if a packet is to be sent to the network segment 10.10.15.0/25, directly from the data packet sent to the interface eth0, and the machine Adjacent to this segment of the IP is 10.10.15.46, the first row is set to route 192.168.1.0/24, which is exactly the same as the meaning of the first line;.. as long as more than two lines of IP network card on your computer is set up, and after the network service restarts, it will generate a default route without special settings. The last line refers to: if the packet is not sent to 10.10.15.0/25 and 192.168.1.0/24 network segment, then the packet will be forwarded to the unified 10.10.15.1 host to deal with, and what we 10.10.15.1 network configuration in set "default gateway"
[root@localhost /]# ip route show table main
10.10.15.0/25 dev eth0 proto kernel scope link src 10.10.15.46
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
default via 10.10.15.1 dev eth0
[root@localhost /]#
2, add routes
to add this route or ip command instead of using the same route command, the first embodiment using the ip route show. Main command displays the contents of the routing table, then add to the routing table using the Add command ip route desired route main in. Finally, re-use ip route show the contents of the routing table main command to print out, then you can see a route just added in the main routing table.
[root@localhost /]# ip route show table main
10.10.15.0/25 dev eth0 proto kernel scope link src 10.10.15.46
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
default via 10.10.15.1 dev eth0
[root@localhost /]#
[root@localhost /]# ip route add 192.168.2.0/24 via 10.10.15.50 table main
[root@localhost /]#
[root@localhost /]# ip route show table main
10.10.15.0/25 dev eth0 proto kernel scope link src 10.10.15.46
192.168.2.0/24 via 10.10.15.50 dev eth0
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.10
default via 10.10.15.1 dev eth0
[root@localhost /]#
If you want to add an existing route does not appear in the routing table, how to deal with it? Please have a concept here, simply add the routing table does not make sense, because the new out of the routing table, the system default is not going to be used, if you want to add a route other than the main routing table, only to add "rules "in order to determine the name of the new routing table (table ID), then a new routing table, will add a new route to the routing table.
We use the following example to illustrate this process. The first to use ip rule show. RPDB to query the current status, you can see at present only three default rule, then, and then add a rule using the ip rule add command, this time within the system, the more useful a routing table, which routing table ID is 10, we can immediately use ip route show command to view the new routing table, the contents of the default is empty, then you can add routes in this new routing table to add the route used iproute add command, we decide who comes from the 192.168.2.0/24 network data packets are routed from the eth1 interface to send data packets from the machine, therefore, must be completely written eth1 interface. First, near the interface eth1 routing filled in., Told the communication system of the machine and the network segment 192.168.1.0/24 are handled by the eth1 interface, and then fill in the routing table of the default route. Finally, use the command show ip route show 10 content routing table.
[root@localhost ~]# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
[root@localhost ~]#
[root@localhost ~]# ip rule add from 192.168.2.0/24 table 10
[root@localhost ~]#
[root@localhost ~]# ip route show table 10
[root@localhost ~]#
[root@localhost ~]# ip route add 192.168.1.0/24 dev eth1 table 10
[root@localhost ~]# ip route add default via 192.168.1.254 table 10
[root@localhost ~]#
[root@localhost ~]# ip route show table 10
192.168.1.0/24 dev eth1 scope link
default via 192.168.1.254 dev eth1
[root@localhost ~]#
3, delete the route
can be used to easily remove the command ip route, we use the following example to illustrate how to delete a route. First, the contents of the routing table 10 is displayed., Can be seen in the current routing table 10 there are two routes, then use the ip route del command to delete the default route. In this we do not forget to specify that you want to delete the routing table 10, otherwise the default will delete the default main routing table, and then re-use ip route show command to view the routing table 10. in this case the default route routing table 10 does not exist, use the ip route del command again to remove the 192.168.122.0/24 routing. Finally, you can see the routing table 10 has no routing of.
[root@localhost ~]# ip route show table 10
192.168.1.0/24 dev virbr0 scope link
default via 192.168.1.254 dev eth1
[root@localhost ~]#
[root@localhost ~]# ip route del default table 10
[root@localhost ~]#
[root@localhost ~]# ip route show table 10
192.168.1.0/24 dev virbr0 scope link
[root@localhost ~]#
[root@localhost ~]# ip route del 192.168.1.0/24 table 10
[root@localhost ~]#
[root@localhost ~]# ip route show table 10
[root@localhost ~]#