Two Default Routes: 1. Installation
This will create the /etc/iproute2/ directory. It also installs some new
executables, including ip.
From a command line on any Linux system, you can see the existing routing table
by typing route at the prompt (or /sbin/route if /sbin is not in your path). With
iproute2 installed, ip route shows the same table; it is short for ip route show
table main. Your routing table will be similar to this:
Internet is added and both are accessed, you can end up with asymmetric routing,
sometimes described as (hot) potato routing or deflection routing.
Normally, when a packet such as an ICMP ping arrives at the primary interface, it
is examined by the host, a reply packet is generated, the routing table is consulted
and the reply is sent back via the default route. If a ping packet arrives at the
secondary WAN interface, exactly the same happens: it is examined by the host, a
reply packet is generated, the routing table is consulted and the reply is sent back
via the default route, which means out the primary interface. In other words, a
packet is received on one interface and the reply leaves via the other.
In theory such packets can be routed, but ISPs that apply ingress filtering (BCP 38)
drop them, because their source address does not belong to the network they are
arriving from: they look forged. Spoofed source addresses of exactly this kind are
a staple of DoS attacks, which is why that filtering exists. Linux applies the same
check itself when reverse-path filtering is enabled (net.ipv4.conf.<interface>.rp_filter
in strict mode): a packet is dropped if the route back to its source would not leave
through the interface it arrived on, and a host with a single default route fails that
test for everything arriving on the secondary link.
However, if you have more than one connection to the Internet and you want to use
them all despite the fact that you have only one default route, what can you do? The
answer is advanced routing.
With advanced routing, you can have as many routing tables as you want. In the
example below, we add just one for an extra DSL line from an ISP called
"cheapskate."
First, give the new routing table a name in the /etc/iproute2/rt_tables file. An
entry can be appended with the command echo 2 cheapskate >>
/etc/iproute2/rt_tables; pick a number that is not already used in the file (0, 253,
254 and 255 are reserved). The result looks like this:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
2 cheapskate
Above I mentioned that the command ip route is actually a shortcut for the
longer command ip route show table main. Since there is no shortcut to list
the new routing table, you have no choice but to use the long form: ip route
show table cheapskate. Entering this command now will reveal that this new
table is still empty.
All that is necessary is to add the new default route to the cheapskate table -- the
old main table will continue to handle the rest. The reason for this will soon
www.rjsystems.nl/en/2100-adv-routing.php 2/7
4/23/2019 Two default routes
Next, add the new default route to table cheapskate and then display it:
As you can see, the entire table consists of a single line. However, it is not yet
being used. To put it to use, the ip rule command is required. A routing table
chooses the next hop from a packet's destination; the rules (the routing policy
database) choose which table to consult, and here we need the kernel to pick a
table depending on the packet's source address. The existing set of ip rules is very
simple:
~# ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
~# _
The next step is a rule with a from pattern of 192.168.2.10, telling the kernel to use
routing table cheapskate for packets with that source address, at priority 1000. In
this example the pattern only needs to match one address, but on a Linux router the
pattern can be a prefix that matches a whole set of addresses. Afterwards the rules
look like this:
~# ip rule
0: from all lookup local
1000: from 192.168.2.10 lookup cheapskate
32766: from all lookup main
32767: from all lookup default
~# _
The kernel walks the list of ip rules starting with the lowest priority number. When
a rule's pattern matches, the routing table it names is consulted; if that table has no
route for the destination, the search continues with the next rule, until some table
yields a route.
The default ruleset always starts with the local table and a match pattern of all. The
local table (priority 0) is maintained by the kernel and holds the routes for the host's
own addresses, i.e. traffic that is supposed to stay on the localhost, as well as
broadcast addresses.
After the local rule comes our new rule with a priority of 1000. This priority
number is arbitrary, but makes it easy to add other rules before and after it later on.
Our new rule comes before the main table, which is the one that is modified by the
old route command. The last rule is for the default table. I'm not certain what it's
for, as I've always found it to be empty, and seeing as there is a default route in the
table main, no traffic ever gets to the table default.
** Warning **
When working with more than one routing table, never forget to add the table part
of the command. If you do forget, rule changes in the wrong table (main) can seem
awfully mysterious. When learning the ropes and working remotely, you will
probably lock yourself out a few times this way: the changes happen very quickly,
so it may be wise to use a console instead.
Another point to remember on older kernels is that routing decisions are cached. If
you update a routing table and existing connections do not seem to change path, it
is because the cached decision is still in use. The solution is simply to flush the
cache with ip route flush table cache (equivalently, ip route flush cache). This also
makes it possible to first make a number of changes and then flush the cache so
that all of them take effect at once, which is convenient when working on an active
router. Kernels since 3.6 no longer have an IPv4 route cache, so there the flush is an
unnecessary but harmless habit.
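The whole procedure above, from the rt_tables entry to the rule and the cache flush, as an added example in Python (not code from the original article). It generates the ip(8) commands and only runs them when asked, so it can be reviewed first; the table id and name follow the cheapskate example, while the gateway 192.168.2.1 and device eth1 are assumptions, and the rt_tables path is iproute2's default.

```python
"""Set up a second routing table and default route with iproute2.

Added example, not code from the original article. The gateway 192.168.2.1
and the device eth1 are assumptions; the table id, name and source address
follow the cheapskate example.
"""
import subprocess
from pathlib import Path

RT_TABLES = Path("/etc/iproute2/rt_tables")
RESERVED_IDS = {0: "unspec", 253: "default", 254: "main", 255: "local"}


def parse_rt_tables(text):
    """Return {id: name} for the active (non-comment) lines of rt_tables."""
    tables = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            num, name = line.split(None, 1)
            tables[int(num)] = name.strip()
    return tables


def rt_table_conflict(text, table_id, name):
    """Explain why `table_id name` cannot be added, or None if it can.

    Appending blindly with `echo 2 cheapskate >> rt_tables` a second time,
    or picking a reserved id, leaves ip(8) with ambiguous table names.
    """
    existing = parse_rt_tables(text)
    if table_id in RESERVED_IDS:
        return f"id {table_id} is reserved for table {RESERVED_IDS[table_id]}"
    if table_id in existing:
        return f"id {table_id} already names table {existing[table_id]}"
    if name in existing.values():
        return f"name {name!r} is already in use"
    return None


def add_rt_table(text, table_id, name):
    """Return the rt_tables contents with the new table appended, or raise."""
    problem = rt_table_conflict(text, table_id, name)
    if problem:
        raise ValueError(problem)
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}{table_id} {name}\n"


def policy_route_commands(table, gateway, dev, src, priority=1000):
    """ip(8) commands giving packets from `src` their own default route.

    Every route and rule command names `table` explicitly; without it the
    new default route would land in main and replace the primary one.
    """
    return [
        ["ip", "route", "add", "default", "via", gateway, "dev", dev, "table", table],
        ["ip", "rule", "add", "from", src, "table", table, "priority", str(priority)],
        # A no-op on kernels since 3.6, which have no IPv4 route cache.
        ["ip", "route", "flush", "cache"],
        ["ip", "route", "show", "table", table],
        ["ip", "rule", "show"],
    ]


def apply(commands, dry_run=True):
    """Print each command; run it only when dry_run is False (needs root)."""
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    current = RT_TABLES.read_text() if RT_TABLES.exists() else ""
    updated = add_rt_table(current, 2, "cheapskate")  # write back as root to enable
    print(updated, end="")
    apply(policy_route_commands("cheapskate", "192.168.2.1", "eth1", "192.168.2.10"))
```

Run as-is it only prints the rt_tables file it would write and the commands it would execute; pass dry_run=False (as root) to apply them.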
5. Example configuration
First, some background information. The client's router had the following
interfaces:
- lo Loopback interface.
inet addr: 127.0.0.1
Mask: 255.0.0.0
The route for 62.58.232.0/21 via ppp0 may be unnecessary, but I figured it would
be 'cheaper' because the IP address of ppp0 is part of that network. The route to
62.58.50.0/25 via ppp0, on the other hand, is needed: that network segment
contains an SMTP relay that is not available via any other route.
The main routing table displayed with ip route show table main:
The idea was to create a second routing table for the second Internet connection
(ppp0) with its own default route. This can be done in only three steps. First, after
installing the necessary software (see above), I created a second routing table (after
the existing main routing table) called 'zonnet':
Second, I added a default route to the zonnet routing table using the ppp0 interface
and its IP address:
Third, I added a new rule that tells the kernel to use the new routing table when
packets (connections) originate from the second interface's address:
The new zonnet routing table consists of just that one line, and the rules now look
like this:
~# ip rule
0: from all lookup local
1000: from 62.58.236.234 lookup zonnet
32766: from all lookup main
32767: from all lookup default
~# _
So far, the result of all this is that requests addressed to the firewall itself coming in
from eth0 are answered out eth0 (the main default gateway; 87.215.195.177), while
requests addressed to the firewall coming in from ppp0 are answered out ppp0 (the
secondary default gateway; 62.58.236.234). However, if the server behind the firewall
responds to requests that are forwarded to it, those responses carry the server's LAN
address as their source, which matches no rule, so they are still routed out the main
default gateway regardless of where the request came in.
The first step towards a solution was to define a second network, 192.168.15.0/24,
on the UTP segment that the server is attached to. Luckily, Windows server 2003
allows you to bind additional IP addresses to its interfaces. In this case, only the
server and the firewall (via eth1) have addresses on this network.
Second, since all of the packets moving from 192.168.15.0/24 into the firewall are
responses to requests that arrived via the secondary Internet connection (and should
be sent back that way anyway), I could use this one routing rule:
~# ip rule
0: from all lookup local
990: from 192.168.15.0/24 lookup zonnet
1000: from 62.58.236.234 lookup zonnet
32766: from all lookup main
32767: from all lookup default
~# _
Now if a request is sent in via ppp0 and forwarded to the server's 192.168.15.0/24
address, the server answers from that address, the rule at priority 990 matches, and
the response is sent back via ppp0.
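To make the rule walk concrete, here is an added example (not code from the original article) that models the kernel's lookup: rules are tried in priority order, a matching rule's table is searched by longest prefix, and a table without a route for the destination hands over to the next rule. The tables and rules mirror the firewall configuration described above in its three stages; the server's original LAN 192.168.1.0/24, the firewall's 192.168.15.1 alias and the remote host 203.0.113.5 are constructed placeholders.

```python
"""Simulate Linux policy routing: ip rules pick a table, the table picks a route.

Added example, not code from the original article. 192.168.1.0/24,
192.168.15.1 and 203.0.113.5 are constructed placeholders.
"""
from ipaddress import ip_address, ip_network


def lookup_table(table, dst):
    """Longest-prefix match over (prefix, device, gateway) entries.

    Returns (device, gateway) or None when the table has no route for dst.
    """
    best = None
    for prefix, dev, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])


def route(rules, tables, src, dst):
    """Walk the rules by ascending priority, as the kernel does.

    A rule whose `from` selector matches sends the lookup to its table. If
    that table has no route for dst the search continues with the next
    rule; the first table that does have one decides. Returns
    (table_name, (device, gateway)) or None if the packet is unroutable.
    """
    src, dst = ip_address(src), ip_address(dst)
    for _prio, selector, table_name in sorted(rules):
        if selector != "all" and src not in ip_network(selector):
            continue
        hit = lookup_table(tables[table_name], dst)
        if hit is not None:
            return table_name, hit
    return None


# Routes as (prefix, device, gateway); gateway None means directly connected
# or point-to-point.
TABLES = {
    "local": [
        ("127.0.0.0/8", "lo", None),
        ("62.58.236.234/32", "ppp0", None),   # the firewall's own ppp0 address
        ("192.168.15.1/32", "eth1", None),    # assumed alias on the new segment
    ],
    "main": [
        ("192.168.1.0/24", "eth1", None),           # assumed original LAN
        ("192.168.15.0/24", "eth1", None),          # second network, same wire
        ("62.58.50.0/25", "ppp0", None),            # SMTP relay, only via ppp0
        ("0.0.0.0/0", "eth0", "87.215.195.177"),    # primary default gateway
    ],
    "zonnet": [("0.0.0.0/0", "ppp0", None)],        # secondary default via ppp0
    "default": [],                                   # empty, never reached
}

# Rule sets as (priority, from-selector, table), one per stage of the article.
RULES_PLAIN = [(0, "all", "local"), (32766, "all", "main"), (32767, "all", "default")]
RULES_ZONNET = [(1000, "62.58.236.234/32", "zonnet")] + RULES_PLAIN
RULES_FINAL = [(990, "192.168.15.0/24", "zonnet")] + RULES_ZONNET


def reply_path(rules, src):
    """Table and egress taken by a reply from src to a remote Internet host."""
    return route(rules, TABLES, src, "203.0.113.5")


if __name__ == "__main__":
    stages = (("plain", RULES_PLAIN), ("zonnet", RULES_ZONNET), ("final", RULES_FINAL))
    for label, rules in stages:
        for src in ("62.58.236.234", "192.168.15.7", "192.168.1.7"):
            print(f"{label:7} from {src:15} -> {reply_path(rules, src)}")
```

With RULES_PLAIN a reply from the ppp0 address leaves via eth0 (the asymmetric case the ISP drops); RULES_ZONNET fixes that for the firewall's own traffic but not for the forwarded server replies, and RULES_FINAL sends the 192.168.15.0/24 replies out ppp0 while leaving the original LAN on the main table.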