Unit 13
From the Linux+ Training Course.
This has always been a tough area, and it’s getting tougher.
route
Displays the routing table. This is the legacy net-tools command (the iproute2 equivalent is ip route show). Compare:
netstat -r
If you have two NICs (i.e. you are a multihomed host) you can enable IP forwarding (which is to say, routing). The persistent setting lives in the sysctl configuration. Take a look at the relevant file:
cat /etc/sysctl.conf
For routing to occur you’ll need this line (it is read at boot; run sysctl -p to reload the file without rebooting):
net.ipv4.ip_forward = 1
Hang on to your shorts. If you’re acting as the router between two networks or subnets, you’ll have to have defined routes. You can add routes to your routing table like this (the addresses below are made-up examples; note that the gateway you name must sit on a network the host is directly connected to, or the kernel will refuse the route):
route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.5.1
or
ip route add 192.168.4.0/24 via 192.168.5.1
This says, in effect, “Send any packets bound for the 192.168.4.0/24 network to the router 192.168.5.1.”
Where this gets (really) complicated is when you have to map to several routers, in both directions: the hosts on the far side need the mirror-image route, or replies never come back. On a host in the 192.168.4.0/24 network that is:
route add -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.4.1
or
ip route add 192.168.5.0/24 via 192.168.4.1
Typically, but not always, routers are given the .1 address (at least in examples). In real life you will see .100 or almost any other valid host address in the subnet.
Delete a route:
route del -net 192.168.5.0 netmask 255.255.255.0 gw 192.168.4.1
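The kernel does two things with the table those commands build: it refuses a route whose gateway is not on a directly connected network, and on every outgoing packet it picks the most specific matching route (longest prefix match), falling back to the default route if there is one. The following is an added example for this unit, not part of the Linux+ course material; the interfaces, networks and gateways are made up, and the functions model the behaviour rather than call iproute2:

```python
"""Model of how the kernel consults the routing table built with
route / ip route.  Added example for this unit, not course material;
all addresses are constructed."""
import ipaddress

# Interfaces on an imaginary multihomed host (constructed data).
INTERFACES = {
    "eth0": ipaddress.ip_interface("192.168.5.20/24"),
    "eth1": ipaddress.ip_interface("10.0.0.20/24"),
}


def connected_routes(interfaces):
    """Every configured interface yields a route with no gateway
    (packets for that network are delivered directly)."""
    return [(iface.network, None, name) for name, iface in interfaces.items()]


def add_route(table, interfaces, network, gateway):
    """Equivalent of 'ip route add <network> via <gateway>'.
    Like the kernel, refuse a gateway that is not on a directly connected
    network; iproute2 reports this as 'Nexthop has invalid gateway'."""
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    for iface_net, _, dev in connected_routes(interfaces):
        if gw in iface_net:
            table.append((net, gw, dev))
            return True
    raise ValueError(f"gateway {gw} is not on a connected network")


def lookup(table, destination):
    """Longest-prefix match: the most specific network containing the
    destination wins.  Returns (gateway or None for direct delivery, device),
    or None when no route (not even a default) matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    _, gw, dev = best
    return (str(gw) if gw is not None else None, dev)


def route_is_accepted(network, gateway):
    """True if the kernel would take the route, False if it would refuse it."""
    try:
        add_route(connected_routes(INTERFACES), INTERFACES, network, gateway)
        return True
    except ValueError:
        return False


def build_table():
    table = connected_routes(INTERFACES)
    # route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.5.1
    add_route(table, INTERFACES, "192.168.4.0/24", "192.168.5.1")
    # route add default gw 10.0.0.1
    add_route(table, INTERFACES, "0.0.0.0/0", "10.0.0.1")
    return table


if __name__ == "__main__":
    table = build_table()
    for dst in ("192.168.4.7", "192.168.5.9", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    # The mirror-image route belongs on the other side's hosts; here its
    # gateway 192.168.4.1 is not on any connected network, so it is refused.
    print("192.168.5.0/24 via 192.168.4.1 accepted?",
          route_is_accepted("192.168.5.0/24", "192.168.4.1"))
```

The refused route is the one most people trip over when they copy the “both directions” pair onto a single host: each route is only valid on the side whose network contains the gateway.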
Rebooting? You’ll need to issue these commands again. That’s why they’re commonly contained in a separate script that is called from /etc/rc.d/rc.local, the last file run by the boot process.
To see the path your packets actually take, trace the route to a destination:
traceroute 192.168.4.10
All this is why people make life easier by implementing an automated routing protocol, which updates routing tables on-the-fly.
RIP – Routing Information Protocol
OSPF – Open Shortest Path First
This leads us to the Linux packet filter. The kernel framework is called netfilter; the user-space tool that loads rules into it was ipchains (2.2 kernels), then iptables (2.4 and later), and on current systems nftables, with iptables usually kept as a compatibility front end.
Netfilter, to put it simply, accepts some packets and discards others. It does this by following chains of rules. The three built-in chains of the filter table are:
An INPUT chain, for packets addressed to your computer,
A FORWARD chain, for packets that will be routed through your computer (the one that matters once ip_forward is on), and
An OUTPUT chain, for packets originating from your computer.
Each packet is tested against the rules of its chain in order; the first rule that matches decides its fate, and if none matches, the chain’s default policy applies.
iptables -F #flush all rules
iptables -P FORWARD DROP #default policy: sorry, we’re not routing
iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
#...except that we’ll forward packets from the 192.168.2.0/24 network
iptables -L #list rules
Rules live in kernel memory only. To keep them across a reboot, save them with iptables-save: on Red Hat-style systems the saved rules live in /etc/sysconfig/iptables (service iptables save writes them there); on Debian-style systems the iptables-persistent package keeps them in /etc/iptables/rules.v4.
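The rule set above has a catch worth seeing in action: it accepts packets from the 192.168.2.0/24 side, but the replies come back from outside that network, so they hit the FORWARD policy and are dropped. The following is an added example for this unit (not course material) that models iptables’ first-match evaluation and a minimal connection tracker; the packets, the addresses and the rule objects are constructed, and the stateful variant corresponds to adding a rule such as iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT:

```python
"""Model of first-match evaluation of the FORWARD chain, with a toy
connection tracker.  Added example for this unit; packets and rules are
constructed, and the tracker is a simplification of netfilter conntrack."""
import ipaddress


class Rule:
    def __init__(self, target, src=None, dst=None, proto=None, state=None):
        self.target = target                                    # -j
        self.src = ipaddress.ip_network(src) if src else None   # -s
        self.dst = ipaddress.ip_network(dst) if dst else None   # -d
        self.proto = proto                                      # -p
        self.state = state                 # -m conntrack --ctstate

    def matches(self, pkt, conntrack):
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.state == "ESTABLISHED" and (pkt["dst"], pkt["src"]) not in conntrack:
            return False    # not a reply to a flow we accepted earlier
        return True


def run_chain(rules, policy, packets):
    """Walk the chain for each packet: the first matching rule wins,
    otherwise the chain policy applies.  ACCEPTed packets record a
    (src, dst) flow, which is what lets the reply match ESTABLISHED."""
    conntrack = set()
    verdicts = []
    for pkt in packets:
        verdict = policy
        for rule in rules:
            if rule.matches(pkt, conntrack):
                verdict = rule.target
                break
        if verdict == "ACCEPT":
            conntrack.add((pkt["src"], pkt["dst"]))
        verdicts.append(verdict)
    return verdicts


# Constructed traffic: a LAN request, its reply, and an unsolicited packet.
PACKETS = [
    {"src": "192.168.2.5", "dst": "203.0.113.10", "proto": "tcp"},   # LAN -> outside
    {"src": "203.0.113.10", "dst": "192.168.2.5", "proto": "tcp"},   # the reply
    {"src": "203.0.113.99", "dst": "192.168.2.5", "proto": "tcp"},   # unsolicited
]

# iptables -P FORWARD DROP ; iptables -A FORWARD -s 192.168.2.0/24 -j ACCEPT
STATELESS = [Rule("ACCEPT", src="192.168.2.0/24")]

# ...plus: iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
STATEFUL = STATELESS + [Rule("ACCEPT", state="ESTABLISHED")]


def stateless_verdicts():
    return run_chain(STATELESS, "DROP", PACKETS)


def stateful_verdicts():
    return run_chain(STATEFUL, "DROP", PACKETS)


if __name__ == "__main__":
    print("stateless:", stateless_verdicts())
    print("stateful: ", stateful_verdicts())
```

With the stateless rule set the reply is dropped by the FORWARD policy; with the conntrack rule it is accepted because the router has seen the outbound flow, while the unsolicited packet from 203.0.113.99 is still dropped. Real conntrack keys flows on ports as well and expires them, but the first-match and default-policy logic is exactly what iptables does.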
Common iptables options

Option | Purpose
-A <chain> | Append a rule to the end of the chain.
-s <address> | Match on the source address of packets (a host, or a network in CIDR form such as 192.168.2.0/24).
-d <address> | Match on the destination address of packets.
-p <protocol> | Match on the protocol (tcp, udp, icmp, ...).
-j <target> | Action taken when the rule matches: ACCEPT, DROP, REJECT, LOG, or the name of a user-defined chain.
-L [<chain>] | List the rules of a chain. With no argument, lists all chains.
-F [<chain>] | Flush (delete) the rules of a chain from memory. With no argument, flushes all chains.
-P <chain> <policy> | Set the default policy (ACCEPT or DROP) of a built-in chain: INPUT, FORWARD or OUTPUT.
-D <chain> <number> | Delete a rule by its position in the chain (the rule specification can be given instead of a number).
-R <chain> <number> | Replace the rule at that position in the chain.