IP Routing in Linux
Agenda
• Routing in Linux
  » IP Forwarding
  » Routing Cache
  » Routing Table
  » Rule-Based Routing
• IP Tables
  » Filter Table
  » NAT Table
  » Mangle Table
• IP Chains
Routing in Linux
• IP Forwarding
  IP forwarding, also known as Internet routing, is the process used to determine the path on which a packet or datagram is sent.
  Forwarding is implemented in the Linux kernel as a task of the IP layer; routing is handled on higher layers, since routing protocols build on top of transport-layer protocols.
Routing in Linux (cont.)
• Routing Cache
  The routing cache is also known as the forwarding information base (FIB).
  The routing cache stores recently used routing entries in a fast and convenient hash lookup table, and is consulted before the routing tables.
  If the kernel finds a matching entry during the route cache lookup, it forwards the packet immediately and stops traversing the routing tables.
Routing in Linux (cont.)
• Routing Table
  Routing tables are represented by rather complex data structures, which manage entries by using a number of hash tables for different prefix lengths.
  Each routing table still operates in the traditional and expected fashion.
  Linux simply allows you to choose from a number of routing tables, and to traverse them in a user-definable sequence until a matching route is found.
Routing in Linux (cont.)
• Rule-Based Routing
  Rule-based routing uses a set of rules to select which routing table is used for which packets. Each rule has a selector and a type; the selector chooses which packets the rule matches.
• Routing Rules
  In rule-based routing, the set of rules decides which tables are searched for a suitable entry to forward a packet.
IP Table
• iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall, and the chains and rules it stores.
• An IP table contains IP chains, and an IP chain contains rules (commands).
• iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
  (Figure: IP Table → IP Chain → Command)
IP Table
• IP Tables contains three types of table.
• Each of the three tables consists of one or more chains:
  » Filter Table
  » NAT Table
  » Mangle Table
Filter Table
• Consists of three chains
• FORWARD
  » For packets forwarded from one network interface to another network interface
• INPUT
  » For packets sent to the firewall host
• OUTPUT
  » For packets sent by the firewall host
NAT Table
• NAT – Network Address Translation
• PREROUTING
  » Destination NAT operations
• POSTROUTING
  » Source NAT operations
Mangle Table
• Enables modification of the TOS or the TTL field, and is used for load balancing when there are multiple firewalls.
• PREROUTING and OUTPUT chains
  » Kernel <= 2.4.17
• PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING chains
  » Kernel >= 2.4.18
IP Tables Commands
• -A, --append        Append rule to chain
• -D, --delete        Delete rule from chain
• -I, --insert        Insert rule at beginning or at specified sequence number in chain
• -R, --replace       Replace rule
• -F, --flush         Flush all rules
• -Z, --zero          Zero byte counters in all chains
• -L, --list          List all rules (add option --line-numbers for rule numbers)
• -N, --new-chain     Create new chain
• -X, --delete-chain  Delete user-defined chain
• -P, --policy        Set default policy for a chain
• -E, --rename-chain  Rename a chain
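The three tables and the user-chain diversion described in the slides above, as an added example that is not from the original slides: a shell script that writes an iptables-restore ruleset (filter, nat and mangle tables plus a user-defined chain named SSH_GUARD) and lints it so that every -A names a declared chain and every -j a declared chain or built-in target before the file is applied. The interface eth0, the network 192.168.1.0/24 and the host 192.168.1.10 are constructed placeholders.

```shell
# Added example, not from the slides: build an iptables-restore ruleset using all
# three tables plus a user-defined chain, then lint its targets before applying it.
WAN_IF="eth0"              # assumed external interface (constructed)
LAN_NET="192.168.1.0/24"   # assumed internal network (constructed)
WEB_SRV="192.168.1.10"     # assumed internal web server (constructed)
# Emit the ruleset in iptables-restore format; each *table block ends with COMMIT. A SYN
# matching no ACCEPT in SSH_GUARD is logged, then returns to INPUT where policy DROP applies.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 --syn -j SSH_GUARD
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d $WEB_SRV --dport 80 -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A SSH_GUARD -s $LAN_NET -j ACCEPT
-A SSH_GUARD -m limit --limit 3/min --limit-burst 5 -j ACCEPT
-A SSH_GUARD -j LOG --log-prefix "ssh-flood: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -j TTL --ttl-set 64
COMMIT
EOF
}
# Lint: every -A must name a declared chain and every -j a built-in target or a
# chain declared in the same table, or iptables-restore rejects the whole file.
lint_ruleset() {
    awk 'BEGIN { bad = 0; n = split("ACCEPT DROP REJECT RETURN LOG DNAT SNAT MASQUERADE TTL TOS", t, " ")
                 for (i = 1; i <= n; i++) builtin[t[i]] = 1 }
         /^\*/ { for (k in chains) delete chains[k]; next }
         /^:/  { chains[substr($1, 2)] = 1; next }
         /^-A/ { if (!($2 in chains)) { print "unknown chain " $2; bad = 1 }
                 for (i = 1; i <= NF; i++) if ($i == "-j" && !($(i+1) in builtin) && !($(i+1) in chains)) {
                     print "unknown target " $(i+1); bad = 1 } }
         END { exit bad }'
}
build_ruleset | lint_ruleset && echo "ruleset OK; apply as root with: build_ruleset | iptables-restore"
```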
IP Chains
• IP chains are associated with a specific table
• A packet can be diverted to a user chain
• The packet is returned to the step after its diversion
• Linux IP Firewalling Chains, normally called ipchains, is free software to control the packet filter or firewall capabilities in the 2.2 series of Linux kernels.
IPChains Flow
(Figure: ipchains packet flow. Stages shown: IP Packet → checksum → sanity → Input Chain → Demasquerade → Routing Decision → Forward Chain → Output Chain → ACCEPT; DENY branches from the checks and the chains; Local process and lo interface are also shown.)
IP Chains Commands
• Command  Description
• -A       Add rule to chain
• -D       Delete rule from chain
• -I       Insert rule
• -R       Replace rule
• -F       Flush all rules
• -L       List all rules
• -N       Create new chain
• -X       Delete user-defined chain
• -P       Set default target
IP Chains Command
• Option       Description
• -s           Source address of packet
• -d           Destination address of packet
• -i           Interface packet is arriving from
• -p           Protocol
• -j           Target to send packet to
• -y           For -p tcp: packet is a SYN packet
• --icmp-type  For -p icmp
• -l           Log the packet to syslog
  » /var/log/messages (available in Red Hat 6.0+ kernel)