Checkpoint Splat source based routing

Policy based routing (source based routing):

Note: this should apply to all flavors of Linux, since it uses only the iproute2 tools.

Scenario: The default router is Router 1; however, a second router (Router 2) should be used for all traffic from the internal network.

In this example:

fw IP -
Router 1 -
Internal net -
DMZ net -


View the route table names:

cat /etc/iproute2/rt_tables

[Expert@Demo]# cat /etc/iproute2/rt_tables
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
22 Verizon

The number in the first column (22 here) is the table identifier, not a priority, and it does not decide the lookup order. The order in which tables are consulted is set by the priority of the rules shown by "ip rule"; a rule added without an explicit priority is placed in front of the "from all lookup main" rule, so its table is consulted before the main table. The main table (254) is the one that "route add" (or "ip route add" without a "table" argument) modifies.

Add a table for the second router (note the >>, which appends to the file; without it the echo only prints to the terminal):

echo "23 adsl" >> /etc/iproute2/rt_tables

Define the traffic that will use this table (the source is the internal network from the example above):

ip rule add from <internal net> table adsl

Specify the default gateway for this table (Router 2, reached through eth0):

ip route add default via <router 2> dev eth0 table adsl

Since access to the DMZ must not go through Router 2, add a directly connected route for the DMZ network via its interface (eth2); without it, DMZ-bound traffic from the internal network would follow the table's default route:

ip route add <DMZ net> dev eth2 table adsl

Rules and routes added with ip take effect immediately; flushing the routing cache discards lookups that were cached under the old rules:

ip route flush cache

The rule and routes are not retained after a reboot (the rt_tables entry is a file and persists). Therefore add the following lines to the rc.local file (/etc/rc.local):

ip rule add from <internal net> table adsl
ip route add default via <router 2> dev eth0 table adsl
ip route add <DMZ net> dev eth2 table adsl
ip route flush cache

Alternatively, rules can be added that match on both a source and a destination network, so that only traffic between the two uses the table:

ip rule add from <source net> to <destination net> table adsl


Kernels before 2.6.19 (including the 2.4 and early 2.6 kernels SecurePlatform is built on) use 8-bit table IDs, so after the reserved values 0, 253, 254 and 255 there are 252 usable tables (1-252); newer kernels allow 32-bit table IDs.

Check Point does not support source or policy based routing on SecurePlatform; the commands above are an OS-level configuration outside the supported product.


netstat -rn shows only the main table, so the policy routes do not appear there.

To list the table names:

cat /etc/iproute2/rt_tables

To view the routes in a table:

ip route list table adsl

Neither command checks whether the gateway is actually reachable; a route in the table is used whether or not Router 2 is up.
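The whole procedure above (table registration, rule, routes, cache flush) together with a check that the rule actually appears in "ip rule show", as an added example that is not part of the original post. The table number (23), name (adsl) and interfaces (eth0, eth2) are taken from the page; the three addresses are placeholders from the RFC 5737 documentation ranges and must be replaced with the real internal, DMZ and Router 2 addresses. The rt_tables entry is written only if it is not already present, since a plain >> from rc.local would append a duplicate on every boot, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post: policy-based routing setup for
# the scenario above. The addresses below are assumptions (RFC 5737
# documentation ranges); replace them with the real networks before running
# as root on the gateway.
TABLE_ID=23
TABLE_NAME=adsl
INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"   # "Internal net" (placeholder)
DMZ_NET="${DMZ_NET:-198.51.100.0/24}"          # "DMZ net" (placeholder)
ROUTER2="${ROUTER2:-203.0.113.1}"              # Router 2 (placeholder)
EXT_IF="${EXT_IF:-eth0}"                       # interface toward Router 2
DMZ_IF="${DMZ_IF:-eth2}"                       # DMZ interface
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands only

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Register "<id> <name>" in rt_tables exactly once. The file persists across
# reboots, so only the rule/route commands need to be repeated from rc.local.
rt_table_add() {
    _file=$1 _id=$2 _name=$3
    if grep -qE "^[[:space:]]*${_id}[[:space:]]+${_name}([[:space:]]|\$)" "$_file" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$_id" "$_name" >> "$_file"
}

# The rule and the two routes from the page. ip rule/ip route take effect at
# once; flushing the cache only drops lookups cached under the old rules.
apply_policy_routes() {
    run ip rule add from "$INTERNAL_NET" table "$TABLE_NAME"
    run ip route add default via "$ROUTER2" dev "$EXT_IF" table "$TABLE_NAME"
    # The DMZ is directly connected: without this route, DMZ-bound traffic from
    # the internal net would follow the table's default route to Router 2.
    run ip route add "$DMZ_NET" dev "$DMZ_IF" table "$TABLE_NAME"
    run ip route flush cache
}

# Check captured "ip rule show" output ($1) for a rule sending source $2 to
# table $3. netstat -rn only shows the main table, so the rules must be
# inspected directly.
rule_present() {
    printf '%s\n' "$1" | grep -qF "from $2 lookup $3"
}

# Usage: sh setup-adsl.sh apply   (or DRY_RUN=1 sh setup-adsl.sh apply)
if [ "${1:-}" = apply ]; then
    rt_table_add "$RT_TABLES" "$TABLE_ID" "$TABLE_NAME"
    apply_policy_routes
    if [ "$DRY_RUN" != 1 ]; then
        rule_present "$(ip rule show)" "$INTERNAL_NET" "$TABLE_NAME" \
            || echo "warning: no rule for $INTERNAL_NET in ip rule show" >&2
    fi
fi
```

Running it with DRY_RUN=1 first shows exactly the four commands that would be executed, which is the quickest way to confirm the placeholders were replaced before touching a production gateway.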

