Routing and Firewalls

This has always been a tough area, and it’s getting tougher.

route

Displays the route table. Compare:

netstat -r

If you have two NICs (i.e. you are a multihomed host) you can enable IP forwarding (which is to say, routing). Take a look at the relevant file:

cat /etc/sysctl.conf

For routing to occur you’ll need this line (it is read at boot; run sysctl -p to apply the file without rebooting):

net.ipv4.ip_forward = 1

Routing

Hang on to your shorts. If you’re acting as the router between two networks or subnets, you’ll have to have defined routes. You can add routes to your routing table like this:

route add -net 123.444.444.0 netmask 255.0.0.0 gw 123.555.555.1
or
ip route add 123.444.444.0/8 via 123.555.555.1

This says, in effect, “Send any packets bound for the 123.444.444.0 network to the router 123.555.555.1.” (The addresses on this page are placeholders, since an octet can only run from 0 to 255; on a real system the netmask must also match the network you name, and 255.0.0.0 is a /8.)

Where this gets (really) complicated is when you have to map to several routers – both directions:

route add -net 123.555.555.0 netmask 255.0.0.0 gw 123.444.444.1
or
ip route add 123.555.555.0/8 via 123.444.444.1

Typically, but not always, routers are given the .1 address (at least in examples). You will see them using .100 or almost any number in real life, within the constraints of the IP protocol.

Delete a route:

route del -net 123.555.555.0 netmask 255.0.0.0 gw 123.444.444.1

Rebooting? You’ll need to issue these commands again. That’s why they’re commonly contained in a separate script that is called from /etc/rc.d/rc.local, the last file run by the boot process.
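As an added example (not part of the original page), here is a short Python model of what the kernel does with the table the commands above build: it parses constructed route -n output into networks and gateways, adds a route the way route add -net ... netmask ... gw ... does, and picks the next hop by longest matching prefix. The addresses and interface names are made up for the example; note that Python's ipaddress module rejects octets above 255, which is why placeholder addresses like those above cannot be fed to it as-is.

```python
# Added example, not from the original page: parse the table that `route -n`
# (or `netstat -rn`) prints and resolve a destination the way the kernel does,
# by longest matching prefix. SAMPLE_ROUTE_N is constructed sample output for a
# host with two NICs (eth0 toward the Internet, eth1 toward a second subnet).
import ipaddress

SAMPLE_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.20.0.0       192.168.2.254   255.255.0.0     UG    0      0        0 eth1
"""


def parse_route_table(text):
    """Return [(network, gateway, iface), ...] from `route -n` output.

    A gateway of 0.0.0.0 means the network is directly attached; it is stored
    as None. ipaddress refuses octets above 255, so a placeholder such as
    123.444.444.0 raises ValueError instead of silently producing a route.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # skip the title line and the column-header line
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask = fields[0], fields[1], fields[2]
        iface = fields[7]
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((network, gateway, iface))
    return routes


def add_route(routes, dest, mask, gateway, iface):
    """The equivalent of `route add -net DEST netmask MASK gw GATEWAY`."""
    network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    routes.append((network, ipaddress.ip_address(gateway), iface))


def lookup(routes, destination):
    """Choose the most specific route that contains the destination.

    Returns (next_hop, iface): next_hop is the gateway, or the destination
    itself when it is directly attached. Returns None when nothing matches,
    which only happens when there is no default (0.0.0.0/0) route.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        return None
    network, gateway, iface = best
    return (str(gateway) if gateway is not None else str(addr), iface)


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_N)
    for dst in ("192.168.2.77", "10.20.5.6", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))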

 

Troubleshoot your routing

traceroute 123.456.789.10

 

Automating routing

All this is why people make life easier by implementing a dynamic routing protocol, which updates routing tables on the fly.

RIP – Routing Information Protocol

OSPF – Open Shortest Path First

 

Firewall Services

This leads us to netfilter, the kernel’s packet-filtering framework, which you manage with the iptables command (the successor to ipchains).

Netfilter, to put it simply, accepts some packets and discards others. It does this by following chains of rules that specify:

An INPUT chain, which determines which packets to accept,

A FORWARD chain, for packets that will be routed through your computer, and

An OUTPUT chain, which filters outbound packets from your computer.

 

To create rules, you use the iptables command:

iptables -F #flush

iptables -P FORWARD DROP #sorry, we’re not routing

iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
#We’ll accept packets from the 192.168.2.0 network

iptables -L #list rules

To add rules permanently (so they survive a reboot) add them to /etc/sysconfig/iptables on Red Hat-style systems (the format iptables-save writes); other distributions keep them elsewhere.

Common iptables options
-s <address> Match packets from this source address or network (e.g. 192.168.2.0/24)
-d <address> Match packets bound for this destination address or network
-p <protocol> Match this protocol (tcp, udp, icmp)
-j <action> The action taken when the rule matches: ACCEPT or DROP
-A <chain> <rule> Append a rule to the end of the chain
-L [chain] List rules for the chain. With no argument, lists all chains.
-F [chain] Flush (delete) the rules of the chain. With no argument, flushes all chains.
-P <chain> <policy> Set the default policy (ACCEPT or DROP) for a built-in chain: INPUT, FORWARD or OUTPUT.
-D <chain> <number> Delete the rule at that position in the chain.
-R <chain> <number> <rule> Replace the rule at that position.
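As an added example (not part of the original page), here is a Python model of the filter table’s three built-in chains that reproduces the ruleset shown above and the options in the table. It exists to make the one thing the commands do not show explicit: a chain is walked top to bottom, the first matching rule decides, and the chain policy applies only when nothing matches. The packets, the -I (insert) option, and the helper names are my own assumptions for the example.

```python
# Added example, not from the original page: a small model of the filter
# table's three built-in chains, so the iptables commands above can be reasoned
# about offline. A chain is walked top to bottom; the first rule that matches
# decides the packet's fate, and the chain policy applies only when no rule
# matches. Packets are dicts of the form {"src": ..., "dst": ..., "proto": ...}.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    src: Optional[str] = None    # -s <address>, host or network such as 192.168.2.0/24
    dst: Optional[str] = None    # -d <address>
    proto: Optional[str] = None  # -p <protocol>
    target: str = "ACCEPT"       # -j ACCEPT or DROP

    def matches(self, packet):
        if self.src and ipaddress.ip_address(packet["src"]) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(packet["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and packet.get("proto") != self.proto:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"              # set with -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule):             # -A <chain>: add at the end
        self.rules.append(rule)

    def insert(self, rule, position=1):  # -I <chain> [position]: add near the top
        self.rules.insert(position - 1, rule)

    def delete(self, position):         # -D <chain> <number>
        del self.rules[position - 1]

    def flush(self):                    # -F <chain>
        self.rules.clear()

    def verdict(self, packet):
        """Return (target, rule number) of the first match, or (policy, None)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(packet):
                return rule.target, number
        return self.policy, None


def filter_table():
    """A fresh filter table: three empty built-in chains with policy ACCEPT."""
    return {"INPUT": Chain(), "FORWARD": Chain(), "OUTPUT": Chain()}


def page_ruleset():
    """The rule-setting commands from the text:
    iptables -F; iptables -P FORWARD DROP;
    iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
    """
    table = filter_table()
    for chain in table.values():
        chain.flush()
    table["FORWARD"].policy = "DROP"
    table["FORWARD"].append(Rule(src="192.168.2.0/24", target="ACCEPT"))
    return table


def forward_verdict(table, src, dst, proto="tcp"):
    """Verdict of the FORWARD chain for a constructed packet."""
    return table["FORWARD"].verdict({"src": src, "dst": dst, "proto": proto})[0]


def order_matters():
    """Show why -A and -I differ. Returns the verdicts for 192.168.2.99 after
    appending a DROP rule for that host (never reached, the network ACCEPT
    above it matches first) and then after inserting it at the top."""
    table = page_ruleset()
    table["FORWARD"].append(Rule(src="192.168.2.99", target="DROP"))
    appended = forward_verdict(table, "192.168.2.99", "10.0.0.1")
    table["FORWARD"].insert(Rule(src="192.168.2.99", target="DROP"), position=1)
    inserted = forward_verdict(table, "192.168.2.99", "10.0.0.1")
    return appended, inserted
```

Two things the model makes visible. First, rule order is everything: a host-specific DROP appended after a network-wide ACCEPT never fires, which is a common source of rules that “don’t work”. Second, the page’s ruleset only accepts one direction; replies coming back toward 192.168.2.0/24 hit the DROP policy. Real rulesets add a rule such as iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT (connection tracking is not modelled here) so that return traffic for connections the LAN opened is allowed without opening the whole reverse direction.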