Checkpoint Splat source based routing

Policy based routing (source based routing):

Note: this should apply to all flavors of Linux.


Scenario: the default router is 1.1.1.2; however, a second router (1.1.1.3) should be used for all traffic from the internal network 10.0.0.0/24.


In this example:

fw IP - 1.1.1.1

Router 1 - 1.1.1.2

Router 2 - 1.1.1.3

Internal net - 10.0.0.0/24

DMZ net - 192.168.0.0/24

Commands:

View the route table names:

cat /etc/iproute2/rt_tables

[Expert@Demo]# cat /etc/iproute2/rt_tables

#

# reserved values

#

#255 local

#254 main

#253 default

#0 unspec

#

# local

#

#1 inr.ruhep

22 Verizon


The number above (22) represents the priority number of that table. Therefore this table will be read before the main table, which is the table that is modified when the "route add" command is used.


Add a table for the second router (the original line was missing the append redirection):

echo "23 adsl" >> /etc/iproute2/rt_tables


Define the traffic that will use this link:

ip rule add from 10.0.0.0/24 table adsl


Specify the gateway address for this table:

ip route add default via 1.1.1.3 dev eth0 table adsl


Since access to the DMZ will not go through router 2, add another route for DMZ access via its own interface (eth2, matching the rc.local lines below):

ip route add 192.168.0.0/24 dev eth2 table adsl


Make these changes active:

ip route flush cache


These changes are not retained after a reboot. Therefore add the following lines to the rc.local file (/etc/rc.local):


ip rule add from 10.0.0.0/24 table adsl

ip route add default via 1.1.1.3 dev eth0 table adsl

ip route add 192.168.0.0/24 dev eth2 table adsl

ip route flush cache
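The rc.local lines above are not safe to run twice: the echo appends a second "23 adsl" line on every run, and a repeated "ip rule add" stacks identical rules. The script below is an added example, not part of the original post, that applies the same table, rule and routes idempotently using the post's values (table 23/adsl, gateway 1.1.1.3 on eth0, DMZ 192.168.0.0/24 on eth2); the RT_TABLES and IP variables are assumptions so the helpers can be exercised without root.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# rc.local sequence. Values come from the post; RT_TABLES and IP are
# overridable for testing (e.g. point IP at a shim instead of /sbin/ip).
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
IP="${IP:-ip}"

# add_rt_table ID NAME: append "ID NAME" unless that id or that name is
# already registered on a non-comment line (the plain echo >> never checks).
add_rt_table() {
    if grep -Eq "^[[:space:]]*($1[[:space:]]+|[0-9]+[[:space:]]+$2[[:space:]]*$)" "$RT_TABLES"; then
        return 0
    fi
    printf '%s %s\n' "$1" "$2" >> "$RT_TABLES"
}

# ensure_rule SRC TABLE: add the source rule only if "ip rule show" does not
# already list "from SRC lookup TABLE"; repeated "ip rule add" would duplicate it.
ensure_rule() {
    "$IP" rule show | grep -q "from $1 lookup $2" && return 0
    "$IP" rule add from "$1" table "$2"
}

# apply_pbr: the post's sequence. "route replace" is idempotent on its own,
# so the routes need no pre-check.
apply_pbr() {
    add_rt_table 23 adsl
    ensure_rule 10.0.0.0/24 adsl
    "$IP" route replace default via 1.1.1.3 dev eth0 table adsl
    "$IP" route replace 192.168.0.0/24 dev eth2 table adsl
    "$IP" route flush cache
}

# show_pbr: the rule list and the adsl table, which netstat -rn does not show.
show_pbr() {
    "$IP" rule show
    "$IP" route show table adsl
}

case "${1:-}" in
    apply) apply_pbr ;;
    show)  show_pbr ;;
esac
```

Run it as "sh pbr.sh apply" from rc.local and "sh pbr.sh show" to verify; a second "apply" leaves rt_tables and the rule list unchanged.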


Alternatively, rules can be added that specify both a source and a destination network:

ip rule add from 10.0.0.0/24 to 209.134.190.0/23 table adsl


Limits:

Linux supports a maximum of 252 tables.

Checkpoint does not support source- or policy-based routing.


Troubleshooting:

netstat -rn does not show source routes.

To view the source routing table names:

cat /etc/iproute2/rt_tables

To view a table (here the adsl table; the original command was missing the table name):

ip route list table adsl


To view the routes

This command does not take into account whether the gateway is active.
