The Linux routing system has been redesigned entirely. The classical routing system still works: the kernel makes its routing decisions based only on the destination address.
The new routing system (policy routing) can match packets on other criteria and decide what to do with them; with classical routing, the configuration would become too complex if you needed routing decisions for a lot of networks.
Consider this simple scenario:
You have a virtual machine running on your laptop, and you are behind a firewall; your laptop is allowed to browse the internet.
You can have the virtual machine use a NATed IP to talk to the internet, but what if you need two connections: a local one, where you can forward X11 connections to your VM and so on, and another one that needs to be able to talk to the internet?
With classical routing you could have something like this. Let's say your internal network is 10.0.0.0/8:
route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.10.1.1 eth0
and then, for every outbound connection that needs to talk to the internet, a host route:
route add -host <ip> gw 192.168.33.2 eth1
and you could add all the internet hosts you need to access this way. It would be too complex; this is where we can use ip policy routing.
1) We create 2 tables with arbitrary numbers (as root):
echo "40 lan" >> /etc/iproute2/rt_tables
echo "50 internet" >> /etc/iproute2/rt_tables
2) We now define the routes each table needs:
ip route add 10.0.0.0/8 via 10.10.10.1 dev eth0 table lan
ip route add default via 192.168.33.2 dev eth1 table internet
We are adding the routing information to the tables, but we have not enabled the routing at the kernel level yet: nothing consults these tables until a rule points at them.
3) We now add the rules:
ip rule add to 10.0.0.0/8 priority 50 table lan
If we run ip rule show:
#ip rule show
0: from all lookup local
50: from all to 10.0.0.0/8 lookup francisco_lan
32764: from 127.0.0.1
32766: from all lookup main
32767: from all lookup default
The lowest number, 0, is the highest priority: all traffic initiated from the local host is looked up in the local table first.
The next number, 50, says that all traffic to the local network (10.0.0.0/8) should be routed through 10.10.10.1, using table lan.
4) We now populate our next table, called internet:
#ip route add default via 192.168.33.2 dev eth1 table internet
Everything is going to be routed through it. Now you may ask: even our local network?
That's why we have the priority:
ip rule add priority 51 table internet
# ip rule show
0: from all lookup local
50: from all to 10.0.0.0/8 lookup francisco_lan
51: from all lookup francisco_internet
32764: from 127.0.0.1 lookup francisco_lan
32765: from 10.106.7.70 lookup francisco_lan
32766: from all lookup main
32767: from all lookup default
We assign the internet rule a higher number (lower priority), so the rules are evaluated in order:
if we ssh into the local LAN, the kernel matches the first rule for that destination (priority 50, to 10.0.0.0/8) and routes the packets through interface eth0.
When we want to talk to the internet, the kernel checks that rule first; www.google.com, for example, is not in our LAN, so the rule does not match and the kernel moves on to the next one (priority 51), where the default route sends the traffic through our virtual machine's default router, 192.168.33.2.
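To see why the priority numbers matter, here is an added Python model of the lookup the kernel performs (example code written for this post, not from the original): it takes the two rules and two tables above and resolves a destination the way the text describes, including the fall-through to the next rule when a table has no matching route. The connected routes in the main table and the public address are constructed sample values.

```python
import ipaddress

# Constructed model of the page's setup. Rules are (priority, "to" selector or
# None for "from all", table name); tables map a name to (prefix, gateway, dev).
RULES = [
    (0, None, "local"),
    (50, "10.0.0.0/8", "lan"),      # ip rule add to 10.0.0.0/8 priority 50 table lan
    (51, None, "internet"),         # ip rule add priority 51 table internet
    (32766, None, "main"),
    (32767, None, "default"),
]
TABLES = {
    "local": [("127.0.0.0/8", None, "lo")],
    "lan": [("10.0.0.0/8", "10.10.10.1", "eth0")],        # table lan
    "internet": [("0.0.0.0/0", "192.168.33.2", "eth1")],  # table internet
    "main": [("10.10.10.0/24", None, "eth0"), ("192.168.33.0/24", None, "eth1")],
    "default": [],
}

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None if the table has no route."""
    best = None
    for prefix, gw, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best

def policy_route(dst_str, rules=RULES):
    """Walk the rules in priority order, as the kernel's FIB rule lookup does:
    a rule whose selector does not match is skipped, and a rule whose table
    holds no matching route falls through to the next rule."""
    dst = ipaddress.ip_address(dst_str)
    for prio, to, table in sorted(rules, key=lambda r: r[0]):
        if to is not None and dst not in ipaddress.ip_network(to):
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            net, gw, dev = hit
            return {"priority": prio, "table": table, "prefix": str(net), "via": gw, "dev": dev}
    return None  # no rule/table matched: the kernel would report "unreachable"

if __name__ == "__main__":
    # 10.x hits table lan at priority 50; a public address (sample value) fails
    # the "to 10.0.0.0/8" selector and falls through to table internet at 51.
    for d in ("10.20.30.40", "93.184.216.34", "127.0.0.1"):
        print(d, policy_route(d))
    # Same tables, but internet given the *lower* number: LAN traffic now leaves
    # via eth1, which is exactly the ordering mistake the priorities prevent.
    swapped = [(0, None, "local"), (49, None, "internet"), (50, "10.0.0.0/8", "lan")]
    print("10.20.30.40 with internet at 49:", policy_route("10.20.30.40", swapped))
```

Run it as root-free plain Python; it never touches the real routing tables, so it is safe to use for checking a planned rule order before applying it with ip rule.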
ip rule can be used for many things, but these 2 simple rules can make things easier.