IP Routing


When administering most UNIX-like operating systems, you don't need to understand routing. The network administrator gives you the IP address of the default route, you put it in the appropriate configuration file, and everything works like magic. [5] OpenBSD systems, however, are frequently part of the network infrastructure itself, or sit in demilitarized zones where the system must make its own routing decisions. You really must understand the basics of routing to administer OpenBSD.

Routing is simply making a decision on where to send a packet. If a computer is directly attached to a network, it doesn't need to make any decisions. Your OpenBSD system on the Ethernet network 192.168.1.0/24 already knows how to reach any IP address beginning with 192.168.1; it sends it out that Ethernet. What about an IP address of 209.69.69.12, however? Where should it send those packets?

Many computers use a default route, where they send all packets bound for IP addresses that they don't know about. This is very common in small office networks, where you have one router or firewall that provides network access for everyone in the office. Small companies frequently have only one network, and don't need complicated routing. The company router itself might have a default route pointing to the Internet service provider, who makes all the actual routing decisions for you.

Routed Internal Network Example

In a more complicated setting, your system will have to make routing decisions. Suppose your network has multiple routers attached to it, each going to a different network. Machines on your network will have to decide where to send packets. Here's an example of a fairly common double-firewall situation.

[Figure: double-firewall network. Callouts referenced below: (1) external firewall, (2) DMZ network 192.168.0.0/24, (3) internal firewall, (4) internal network 172.16.0.0/24, (5) the external firewall's DMZ interface, 192.168.0.1, (6) the internal firewall's external (DMZ-side) interface, (7) the internal firewall's internal interface, the internal network's default gateway.]

This sort of firewall setup is used whenever servers need different degrees of protection. The external firewall (1) provides the outermost layer of protection. Any traffic coming in from the Internet hits this firewall first, and any traffic leaving the network goes through this firewall last. This firewall probably has fairly liberal traffic-management rules.

The demilitarized zone network (2) is for machines that must be somewhat exposed to the Internet. Perhaps you have intrusion-detection systems here. In many web-farm situations, this is where the actual web servers live. In our example, the DMZ network uses the IP addresses 192.168.0.0/24.

The internal firewall (3) is a very tightly secured device. Only the bare minimum of permitted traffic may pass through it. This firewall is responsible for securing the most vital information on the network.

The internal network (4) holds the most vital, protected information on the network: financial information, customer databases, or your MP3 collection. In our example, the internal network has the IP addresses 172.16.0.0/24.

Most hosts in this setup have very simple routing decisions. Anything on the internal network has only one route to reach anything. If the packet is going to an IP address not in the 172.16.0.0/24 network, it must be sent to the default gateway on the internal network (7).

Similarly, the internal firewall has two networks directly attached. If it wants to send a packet to an IP within 172.16.0.0/24, it sends the packet out the interface directly attached to that network (7). If it wants to send a packet to an address within the 192.168.0.0/24 range, it sends it out the interface directly attached to that network (6). If it wants to reach an IP that isn't in those two ranges, it uses the default gateway of 192.168.0.1 (5).

The external firewall is directly attached to the 192.168.0.0/24 network, so it can send packets there. It's directly attached to the Internet, and any packets it has no other route for go out there. That leaves out the 172.16.0.0/24 network, however. Packets bound for 172.16.0.0/24 should be sent to the internal firewall's external interface (6). If you don't tell the external firewall this, it's not going to happen. As the external firewall is responsible for the internal network's Internet connectivity, the external firewall not knowing how to reach the internal network would mean that the internal network would be off the Internet: its outbound packets would leave, but the replies arriving at the external firewall would be sent back out to the ISP instead of inward. The external firewall needs routing.

Similarly, hosts on the DMZ network need to know how to reach the 172.16.0.0/24 network. In theory they could just use the default route of the internal interface of the external firewall, and the external firewall would use ICMP redirects to tell them where to go. This is messy, increases traffic and lag, and is almost impossible to debug without a packet sniffer. It also assumes that all the network equipment and servers accept ICMP redirects and that the firewall will send them. Many hosts ignore redirects, and rightly so: anyone on the same segment can forge one to pull traffic through a machine of their choosing. You should use proper routing.

Let's set up routing for the external firewall in our example. Once you can do that, routing on the DMZ network hosts will be almost exactly the same.

Routing Commands

All routing is managed by route(8). Route(8) has several subcommands that allow you to view, edit, and monitor the system routing table. While route(8) has full details, the ability to view, add, and delete routes should be enough to get you started.

Viewing Routes

Let's start by viewing the table with "route show." (Use "route -n show" to skip the reverse DNS lookups; on a firewall whose resolver is unreachable, the unadorned form can hang for a long time waiting on name lookups.) As OpenBSD supports both IP version 4 and IP version 6, the routes for both protocols are displayed. While the IPv6 route table is very similar, we're just going to examine the IPv4 table, and only enough of that to give you a good idea how all this works.

    # route show
    Routing tables

    Internet:
    Destination        Gateway             Flags
    default            isp-router.Absolut  UG
    192.168.0.0        link#2              U
    isp-router.Abso    0:2:16:bf:a1:8c     UH
    ...

Every route table entry has a destination, a gateway, and flags. Destinations can be hosts or networks. The gateway is the place where the system should send the packet to get to that destination. A gateway can be a host name or address, a network interface number, or a link-layer (hardware) address. The flags field contains markers that indicate what sort of route this is and how the route behaves. We'll discuss these in the next section, "Route Flags."

The first routing table entry is usually the default route. By default, this system sends all packets it has no more specific route for to the machine whose host name begins with "isp-router.Absolut." If this is your network and your external firewall, you should know what machine this is! In this case, this is the router where our Internet circuit hooks in, and our default route out of the entire network. This route has the flags "U" and "G."

The second route is for the directly attached network 192.168.0.0. You can tell that it is directly attached by the gateway entry of "link#2". If you look at the "ifconfig -a" output on this system, you'll see that the second network interface is the one with 192.168.0.1/24 assigned to it. The system knows to send packets for those IP addresses out that interface.

The last route shown is for the machine whose name begins with "isp-router.Abso". Here, the routing table shows the link-layer address as the gateway. The system knows that the default gateway is this machine, and that the machine has the hardware (MAC) address 0:2:16:bf:a1:8c, which it learned through ARP. Given this information, it can route packets as it needs to.

Route Flags

The Flags column indicates how the routes in a system were generated or used. You can find a full listing of all route flags in route(4) and netstat(1), but some of the common ones are listed in Table 8-2. You don't need to understand what each of these flags means at this point. Just be familiar with the flags for each route that normally appears on your system, and if something different appears, start digging for more information.

Table 8-2: Common route flags

    Flag   Description
    U      The route is usable (up)
    G      This route goes through a gateway; packets are handed to the gateway address
    S      This route is static (e.g., not added dynamically by a routing protocol)
    L      This route is a protocol-to-link-address translation (i.e., the MAC address used to reach an IP address)
    H      This route is for a particular host
    C      This route generates (clones) new routes when it is used (e.g., a host route for a gateway)
    c      This route is a protocol-specific cloning route (e.g., how to reach the gateway)
    W      This route was cloned from another route

Adding Routes

Adding routes is very simple with the "route add" command. All you need to know is the network block you want to route, the netmask for that block, and the IP address of the gateway the packets should be handed to. The gateway must be on a network directly attached to this machine; the kernel will refuse any gateway it cannot reach through one of its own interfaces.

    # route add 172.16.1.0 -netmask 255.255.255.0 192.168.1.254
    add net 172.16.1.0: gateway 192.168.1.254
    #

If you go back and look at your routing table, you'll see that route. Packets will start to flow back to your internal network. Congratulations!

To have this happen automatically at boot, you can add the route command to /etc/rc.local. On current OpenBSD releases the preferred place is a "!route add ..." line in the /etc/hostname.if(5) file of the interface that faces the gateway, so the route is installed as that interface comes up rather than late in the boot, after the network is already in use.

Deleting Routes

Take a good close look at the route we added in the last example. Our internal network is 172.16.0.0/24, not 172.16.1.0/24. Oops! (The gateway is wrong as well: 192.168.1.254 is not on the DMZ network 192.168.0.0/24, so the external firewall has no interface that can reach it.) To delete a route table entry, you just need the network block and the netmask for that block.

    # route delete 172.16.1.0 -netmask 255.255.255.0
    delete net 172.16.1.0
    #
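The two mistakes above (a mistyped network number and a gateway that is not on any attached network) are easy to make at the keyboard, so here is an added example of wrapping route(8) in a small script that checks a static route before installing it, then removes it again. This is not code from Absolute OpenBSD; it is written for the external firewall in the chapter's example. The values it assumes are labelled hypothetical: the external firewall's Internet-side address 203.0.113.2/30, the internal firewall's DMZ-side address 192.168.0.254, and the APPLY variable that gates the real route(8) calls. Only the DMZ interface address 192.168.0.1/24 comes from the text.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a static route before
# handing it to route(8) on the external firewall, and remove it afterwards.
# Hypothetical values: Internet-side address 203.0.113.2/30 and the internal
# firewall's DMZ-side address 192.168.0.254. Nothing is changed unless APPLY=1.

# Directly attached networks as "address/netmask" pairs. On a real host, build
# this list from `ifconfig` output; the values here are constructed.
ATTACHED="192.168.0.1/255.255.255.0 203.0.113.2/255.255.255.252"

# ip_to_int 192.168.0.1 -> 3232235521 (dotted quad to a 32-bit integer)
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_network ADDR1 ADDR2 NETMASK -> true if both fall in the same network
same_network() {
    nm=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & nm )) -eq $(( $(ip_to_int "$2") & nm )) ]
}

# gateway_reachable GATEWAY -> true if the gateway sits on an attached network.
# The kernel rejects any other gateway ("Network is unreachable"); this is
# the check that catches the 192.168.1.254 gateway from the text.
gateway_reachable() {
    for cand in $ATTACHED; do
        same_network "$1" "${cand%/*}" "${cand#*/}" && return 0
    done
    return 1
}

# add_static_route NET NETMASK GATEWAY -> prints the route(8) command and,
# when APPLY=1, runs it (root required). Returns 2 for a destination with
# host bits set, 3 for an unreachable gateway, 0 otherwise.
add_static_route() {
    net=$1; mask=$2; gw=$3
    m=$(ip_to_int "$mask")
    # host bits must be zero: 172.16.0.0 is a network, 172.16.0.5 is not
    if [ $(( $(ip_to_int "$net") & ~m )) -ne 0 ]; then
        echo "refusing: $net is not a network address under mask $mask" >&2
        return 2
    fi
    if ! gateway_reachable "$gw"; then
        echo "refusing: gateway $gw is not on a directly attached network" >&2
        return 3
    fi
    echo "route add $net -netmask $mask $gw"
    if [ "$APPLY" = 1 ]; then
        route add "$net" -netmask "$mask" "$gw"
    fi
    return 0
}

# delete_static_route NET NETMASK -> the matching route(8) delete
delete_static_route() {
    echo "route delete $1 -netmask $2"
    if [ "$APPLY" = 1 ]; then
        route delete "$1" -netmask "$2"
    fi
    return 0
}

# Walk-through. The mistaken route from the text is refused because of its
# gateway; its wrong network number (172.16.1.0) is still a valid network, so
# only a human reading the output catches that one. The correct route is
# accepted, installed only when APPLY=1, and then removed.
add_static_route 172.16.1.0 255.255.255.0 192.168.1.254 || echo "rejected (status $?)"
add_static_route 172.16.0.0 255.255.255.0 192.168.0.254
# with APPLY=1, `route -n get 172.16.0.5` should now name 192.168.0.254 as the gateway
delete_static_route 172.16.0.0 255.255.255.0
```

Run it once without APPLY to see what it would do, then as root with APPLY=1 on the firewall; after the add, "route -n get" for any address inside 172.16.0.0/24 is the quickest confirmation that the kernel picked the new route rather than the default.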

Route(8) has many more useful functions; check the man page for full details.

Now that you understand the bare bones of the theory of networking, in the next chapter we'll see how this works out in practice.

[5] Ignore any rumors about your network administrator occasionally being found in the network room with a knife, a black cockerel, and a bottle of rum. The truth is far stranger than mere magic.




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
