Routing and Firewalls

This has always been a tough area, and it’s getting tougher.


The route command displays the routing table (ip route show is the modern equivalent). Compare:

netstat -r

If you have two NICs (i.e. you are a multihomed host) you can enable IP forwarding (which is to say, routing). Take a look at the relevant file:

cat /etc/sysctl.conf

For routing to occur you’ll need this line:

net.ipv4.ip_forward = 1


Hang on to your shorts. If you’re acting as the router between two networks or subnets, you’ll have to have defined routes. You can add routes to your routing table like this:

route add -net 123.444.444.0 netmask 255.255.255.0 gw 123.555.555.1
ip route add 123.444.444.0/24 via 123.555.555.1
# (the addresses are the page's placeholders; real octets run 0-255)

This says, in effect, “Send any packets bound for the 123.444.444.0 network to the router 123.555.555.1.”

Where this gets (really) complicated is when you have to map to several routers – both directions:

route add -net 123.555.555.0 netmask 255.255.255.0 gw 123.444.444.1
ip route add 123.555.555.0/24 via 123.444.444.1

Typically, but not always, routers are given the .1 address (at least in examples). You will see them using .100 or almost any number in real life, within the constraints of the IP protocol.

Delete a route:

route del -net 123.555.555.0 netmask 255.255.255.0 gw 123.444.444.1

Rebooting? You’ll need to issue these commands again. That’s why they’re commonly contained in a separate script that is called from /etc/rc.d/rc.local, the last file run by the boot process.
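As an added example (not code from the page), here is the kind of script the text says gets called from rc.local: it makes forwarding persistent and active, then adds each static route only if the routing table does not already have it, so running it again after a reboot, or twice by accident, is harmless. Everything in it is an assumption for illustration: the two interfaces, the RFC 5737 documentation prefixes standing in for the page's placeholder addresses, the second router at 198.51.100.2, and the DRY_RUN mode, which records the commands and uses a constructed routing table so the logic can be exercised without root.

```shell
#!/bin/sh
# Idempotent router bring-up (added example; not from the page).
# Assumed layout: eth0 faces the upstream router, eth1 faces the LAN this
# host routes for. Addresses are constructed RFC 5737 documentation prefixes.
# DRY_RUN=1 (the default) records commands in DRY_LOG instead of running them.

DRY_RUN="${DRY_RUN:-1}"
DRY_LOG=""

# Constructed sample of `ip route show` output, used only in dry-run mode.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev eth1 proto kernel scope link src 198.51.100.1'

# Run a command, or record it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        DRY_LOG="${DRY_LOG}$*
"
    else
        "$@"
    fi
}

# Succeed if the sysctl file $1 already contains net.ipv4.ip_forward = 1.
forwarding_enabled_in() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null
}

# Succeed if routing-table text $1 (ip route show format) has a route whose
# destination field equals $2, e.g. 203.0.113.0/24.
route_exists_in() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

current_routes() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$SAMPLE_ROUTES"; else ip route show; fi
}

# Make forwarding persistent in sysctl file $1 and active right now.
ensure_forwarding() {
    if ! forwarding_enabled_in "$1"; then
        run sh -c "printf 'net.ipv4.ip_forward = 1\n' >> '$1'"
    fi
    run sysctl -w net.ipv4.ip_forward=1
}

# Add a static route ($1 = destination prefix, $2 = next-hop router) unless present.
ensure_route() {
    if route_exists_in "$(current_routes)" "$1"; then
        return 0
    fi
    run ip route add "$1" via "$2"
}

# The whole bring-up; $1 is the sysctl file (defaults to /etc/sysctl.conf).
bring_up() {
    ensure_forwarding "${1:-/etc/sysctl.conf}"
    # 203.0.113.0/24 sits behind a second router at 198.51.100.2 on the LAN side.
    ensure_route 203.0.113.0/24 198.51.100.2
    # Already directly connected in the sample table, so this one is skipped.
    ensure_route 198.51.100.0/24 198.51.100.1
}

bring_up "${SYSCTL_FILE:-/etc/sysctl.conf}"
if [ "$DRY_RUN" = "1" ]; then
    printf 'Dry run; would execute:\n%s' "$DRY_LOG"
fi
```

Run it as root with DRY_RUN=0 to actually apply the changes; leave the default to see the plan first. The check before each ip route add is what makes the script safe to rerun, and sysctl -w makes forwarding take effect without waiting for the next boot.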


Troubleshoot your routing

traceroute 123.456.789.10


Automating routing

All this is why people make life easier by implementing an automated routing protocol, which updates routing tables on-the-fly.

RIP – Routing Information Protocol

OSPF – Open Shortest Path First


Firewall Services

This leads us to the Linux packet filter. The kernel framework is called netfilter; the command you configure it with is iptables, which replaced the older ipchains.

Netfilter, to put it simply, accepts some packets and discards others. It does this by following chains of rules. The three built-in chains are:

An INPUT chain, which determines which packets to accept,

A FORWARD chain, for packets that will be routed through your computer, and

An OUTPUT chain, which filters outbound packets from your computer.


To create rules, you use the iptables command:

iptables -F #flush all rules

iptables -P FORWARD DROP #sorry, we’re not routing

iptables -A FORWARD -s <network/prefix> -j ACCEPT
#We’ll accept packets from that network (the page leaves the address out; supply your LAN prefix, e.g. a.b.c.0/24)

iptables -L #list rules

To add rules permanently (after reboot) add them to /etc/sysconfig/iptables.

Common iptables options
-s <address>                Source address (or network) a rule matches
-d <address>                Destination address a rule matches
-p <protocol>               Protocol a rule matches (tcp, udp, icmp)
-j <action>                 Action taken when a rule matches: ACCEPT or DROP
-L [<chain>]                List the rules in a chain; with no chain, list all chains (add --line-numbers to see the numbers used by -D and -R)
-F [<chain>]                Flush the chain’s rules from memory; with no chain, flush every chain
-P <chain> <policy>         Set the default policy (ACCEPT or DROP) for a built-in chain: INPUT, FORWARD or OUTPUT
-D <chain> <number>         Delete the rule at that number in the chain
-R <chain> <number> <rule>  Replace the rule at that number with a new rule
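The FORWARD rule above accepts every packet from a network without regard to connection state, which also means replies coming back the other way hit the DROP policy unless you add a mirror rule. As an added example (not from the page), here is a stateful ruleset for a two-NIC router in iptables-restore format, together with a small checker for the properties a router firewall should have. The interface names, the LAN prefix 198.51.100.0/24 (an RFC 5737 documentation network), the SSH allowance and the APPLY switch are all assumptions made for the example.

```shell
#!/bin/sh
# Stateful router firewall as an iptables-restore ruleset (added example; not
# from the page). Assumed layout: $WAN_IF faces the upstream network, $LAN_IF
# faces the LAN $LAN_NET this host routes for (constructed addresses).
# APPLY=1 loads the rules; otherwise they are only printed.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-198.51.100.0/24}"

# Print the ruleset: $1 WAN interface, $2 LAN interface, $3 LAN prefix.
# INPUT and FORWARD default to DROP; only LAN-originated flows and their
# replies are forwarded.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to the router's own connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# the LAN may manage the router over SSH; nothing else reaches it
-A INPUT -i $2 -s $3 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# replies to forwarded flows match the conntrack entry the LAN side created
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# anti-spoofing: a packet claiming a LAN source must not arrive on the WAN side
-A FORWARD -i $1 -s $3 -j DROP
# new flows are accepted only from the LAN towards the WAN
-A FORWARD -i $2 -o $1 -s $3 -m conntrack --ctstate NEW -j ACCEPT
# everything else falls to the DROP policy; log a sample of it first
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Read a ruleset on stdin; fail unless FORWARD defaults to DROP, has a
# stateful accept, and has no accept rule that ignores connection state
# (the shape of the page's "-A FORWARD -s <net> -j ACCEPT").
check_ruleset() {
    awk '
        /^:FORWARD DROP/ { drop_policy = 1 }
        /^-A FORWARD .*--ctstate ESTABLISHED,RELATED -j ACCEPT/ { stateful = 1 }
        /^-A FORWARD / && /-j ACCEPT/ && !/ctstate/ { stateless_accept = 1 }
        END {
            if (!drop_policy)     { print "FORWARD policy is not DROP"; bad = 1 }
            if (!stateful)        { print "FORWARD has no ESTABLISHED,RELATED rule"; bad = 1 }
            if (stateless_accept) { print "FORWARD accepts traffic without state matching"; bad = 1 }
            if (bad) exit 1
            exit 0
        }'
}

# Check the ruleset, then load it (APPLY=1) or print it for review.
apply_ruleset() {
    render_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" | check_ruleset || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        render_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
    else
        render_ruleset "$WAN_IF" "$LAN_IF" "$LAN_NET"
    fi
}

apply_ruleset
```

Once the rules are loaded and verified with iptables -L -n -v, iptables-save > /etc/sysconfig/iptables keeps them across reboots on the distributions that read that file. Rule order matters: the anti-spoofing DROP sits before the LAN accept, and the ESTABLISHED,RELATED rule sits first so return traffic never depends on a mirror rule.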