From ImageStream Router Documentation
- Policy Routing is used for advanced control over network traffic.
- No additional packages are required for use of Policy Routing
Source IP Configuration
To configure Policy Routing, we will use the sample configuration below. In this example, we will have two ISPs called A and B. Each ISP is routing us a block of IP addresses, and these IP addresses need to leave out their respective ISPs:
! interface Ethernet0 description ISP-A ip address 192.168.5.2 255.255.255.252 ! interface Ethernet1 description ISP-B ip address 172.16.6.2 255.255.255.252 ! interface Ethernet2 description Internal Network #ISP-A Netblock ip address 22.214.171.124 255.255.255.0 #ISP-B Netblock ip address 10.20.30.1 255.255.255.0 !
We will route the 126.96.36.199/24 network through ISP-A and the 10.20.30.0/24 network through ISP-B.
! #Rules for ISP-A ip rule add from 192.168.5.0/30 table 100 ip rule add from 188.8.131.52/24 table 100 ip route add 192.168.5.0/30 dev eth0 table 100 ip route add 184.108.40.206/24 dev eth2 table 100 ip route add default via 192.168.5.1 table 100 #Rules for ISP-B ip rule add from 172.16.6.0/30 table 200 ip rule add from 10.20.30.0/24 table 200 ip route add 172.16.6.0/30 dev eth1 table 200 ip route add 10.20.30.0/24 dev eth2 table 200 ip route add default via 172.16.6.1 table 200 #Router's default route for primary routing table ip route add default via 192.168.5.1 !
In the above configuration, it would not be possible for the two internal networks to communicate. If you want them to be able to route between each other, you'll need to add an interface route to each of the tables. Those rules would look like this:
ip route add 10.20.30.0/24 dev eth2 table 100 ip route add 220.127.116.11/24 dev eth2 table 200
Interface Based Configuration
With the above example, can also specify policy routing based on incoming interface as well.
! ip rule add iif eth0 table 100 ip rule add iif eth1 table 200 !
With the above examples, all the traffic coming in the specified interfaces will use the tables listed. We can write rules in these tables to choose where the traffic will be routed to.
Iptables Fwmark Based Configuration
The Iptables configuration allows greater flexibility in directing traffic into a routing table. Any iptables match can be used to mark packets with an iptables fwmark. Once a packet is marked with a fwmark it can be directed to any routing table with a ip rule.
The major disadvantage of this method is that it requires an iptables rule(located under the firewall configuration) and an "ip rule" in the network interface configuration. In the following example use an iptables rule to match all tcp port 80 traffic and then route it using an example routing table.
Note, while it's possible use iptables to fwmark packets in the FORWARD and OUTPUT chains, if you wish to use fwmark to select a routing table you will need to mark the packets in the PREROUTING chain.
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x01
Network Interface configuration
The network interface configuration example below
! # Match fwmark 0x01 and us routing table 100 for these packets ip rule add fwmark 0x01 table 100 # Set a default route via Serial0 in table 100 ip route add default dev Serial0 table 100 ! # Normal default route ip route add default via 18.104.22.168 dev eth0 !