Slashdot Mirror
Policy-Based Routing Using Software Firewalls?
Bios_Hakr asks: "My local computer group meets for monthly LAN parties. The location that hosts the parties also has a small internet cafe. After the cafe closes, they allow us to connect to their T-1 line. They supply us with a single IP address which we NAT/(PAT?) via a Linksys DSL router. We also have a second T-1 supplied by one of the more gracious members of our group. He agreed to supply this T-1 after experiencing abysmal ping rates with 30 people sharing the bandwidth. Herein lies the quandry: How can we implement Policy-Based routing for our LAN? I'd like all HTTP and FTP to be directed out one line while popular gaming ports are directed over the second line. All file-sharing traffic should be killed. I know how to do this via Cisco IOS and policy-route-mapping, but I'm at a loss when it comes to doing it via software firewall solutions. We have several Linux-familiar people in the group and lots of Windows geeks; but the solution should be simple and require zero brainpower to set up after the initial implementation. How would you split your LAN traffic across two T-1 lines?"
shorewall firewall can handle DNAT requests, as for packet shaping, there are several solutions out there. a friend of mine runs a router like this: Red Hat 8 Shorewall traffic shaping routing a T1 and wireless T1 equiv. to a single lan. it requires a bit of thought, but you can setup the router to forward everything below port 1024 requests out connection A and everything above out connection B (that keeps the web/ftp/pop/ssh/telnet stuff on one line, games on the other, though you might want to route some of the less popular/bandwidth intensive stuff (RTS's for example) out A as well. btw: this pal of mine runs the local LAN/computer group around these parts, i'll alert him to this thread, who knows, you may get some help.
Logistical Chaos Officer http://www.slagg.org - LAN Gaming in Sarasota FL,USA
Please visit http://linux-ip.net and more specifically for your problem: http://linux-ip.net/html/ch-advanced-routing.html
That should get you started. It's be no means simple, but my understanding is that once you get it up, it works.
-jay
Linux can handle this with little problems these days. Its a little technical, but you can basically do it with a combination of:
iproute2
iptables & Patch-o-matic
netfilter CONNMARK extension
You have the matching power of iptables to implement any sort of policy routing that you could ever dream of!
Bye!
OpenBSD comes out of the box with a great firewall (that will also handle your NAT). The firewall can easily handle packet queueing and prioritization. Tell the firewall how much bandwidth you have to work with, set your host up with priority over your traffic, even break it down by protocol if you want.
Basically, you'd be looking at doing the following things. Multiple outbound providers, which will need another routing table built for the second link. Then you'll need to dive into QoS to split up your traffic into your definitions of bulk (HTTP, FTP), priority (Gaming), and drop (P2P). I notice that you have no default set up, but I leave that up to you. Finally, you can use iptables to mark and NAT your traffic out the right interface.
Under Windows, you would need some advanced routing software I think. ISA may do it, but I doubt your budget allows it. By default, Windows does have the ability to enforce QoS terms, but you'd need something to apply those QoS marks (I doubt that games commonly mark their packets with ToS)...which means a bridge in front of the Windows router. Might as well use a Linux router instead.
If anybody knows of a way to get a Windows box to route based on ports, I'd love to hear it.
Oh, and a simple solution for the exact problem you describe (which I don't think is what you really want) would be a proxy for the HTTP and FTP link, and a router for the other link. All HTTP and FTP requests would be sent out the proxy, everything else would go the default route (to the router) which could be configured to drop P2P and route everything else. Optionally, you could do QoS on the router to prioritize certain traffic. If you go that route, I'm fond of AnalogX Proxy (for Windows) because it's free and simple. Of course, that does require client configuration....unless you use Transparent Proxying.
There are a bunch of areas in Linux that can help you. Only some of them are routing based.
The first thing I would try would be to setup one of your lines with 'tc' and bandwidth shape the line with CBQ and SFQ. CBQ will let you set the outbound "rate" for the line, and SFQ will enforce "fairness" between different "connections". This should keep ftp uploads from swamping upstream traffic and pushing your ping times thru the sky. You can do some similar things with 'tc' ingress policies to shape the incoming traffic, but this is less effective.
If you still want to try two lines, here is the basic setup.
You need a Linux box that has three network interfaces. One for each of your T-1s, and one for your local LAN. The Linux box's IP address is the default gateway for everyone on your local LAN.
You setup a firewall on the Linux box with something like:
LAN on eth0
T1 on eth1
T1 on eth2
iptables -i eth0 --dport 80 --state NEW,ESTABLISHED --set-mark 1
iptables -t nat -o eth1 -j MASQUERADE
iptables -t nat -o eth2 -j MASQUERADE
ip ru add fwmark 1 table 10
ip route add default via IP_ADDRESS_OF_T1#1 dev eth1
ip route add default via IP_ADDRESS_OF_T1#2 dev eth2 table 10
This is far from complete (and I haven't tested it), but it should set "fwmark" to 1 for HTTP traffic. The router table should then take traffic with FWMARK set to 1 and use routing table 10 instead of the default table, which can have a different default route. In that both eth1 and eth2 are MASQed, both will NAT.
You will need a lot more here to be fully functional. You need to completely filter the traffic you don't want, and probably classify a bunch more stuff along the way.
Good luck.
See:
/etc/iproute2/rt_realms)
http://hibernia.jakma.org/~paul/rc.iprules
For a script that does something similar to what you want, policy routing to route based on source IP. It should be easy enough to add an additional 'firewall mark' field to the table and policy route based on that (i'm on holiday, otherwise i might have done that for you). The listed "intranets" will use the main table.
Basically, all you need is:
1. create a table for each policy (edit
2. use iptables to add arbitrary 'fwmarks' to incoming packets based on whatever criteria you have
3. use the 'ip rule' command to direct routing for packets with specific fwmarks to specific routing tables.
4. direct other traffic to the default 'main' table.
Finally, see the Linux Advanced Routing & Traffic Control site for further information.
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
Time to let your fingers do the walking...
Linux Advanced Routing and Traffic Control
I know this stuff is dense, but I happen to think it's stuff that any serious Linux admin should know about eventually, so I spread the word. If you want some pointers on where to start, send me an IM. I'll be at work all day today more-or-less.
"The Devil does not know a lot because He's the Devil, He knows a lot because he's old." -- unknown
GNU Zebra is a cisco IOS clone for linux. i think its what you're looking for.
Somewhere on this page I have hidden my signature.