Network Segmentation with IP Policy Routing

Back when I had roomates, I came across a networking problem that, at the time, I didn’t know how to solve. I’ve had a VPN set up on my gateway machine for quite some time, and I shared my internet connection with the roomates. The problem was that while the roomies were paying their share of the internet and should have full access to it, they shouldn’t have routed through the VPN interface to IP ranges that I routed through. In terms of the VPN interface, my computers should be treated as trusted, and all others should be considered untrusted, and barred from access.

That’s not really an issue anymore since I live alone now, and my wireless network is protected by X509-authenticated IPSec in addition to 128-bit WEP and MAC address filtering. However, I had some free time tonight, and wanted to see how it’s done nonetheless. First off, here’s the basics of my setup, in reference to the gateway.

eth0:, Wired Trusted
eth1:, Wireless Trusted
eth2:, Untrusted
eth3: Dynamic External interface
ppp0: VPN interface

What I was looking to accomplish is this. Any traffic originating from the networks connected to eth0 or eth1 should be able to route out eth3 or ppp0, with the routing choice made by the routing tables. However, any traffic originating from eth2 should not be allowed to travel out ppp0, and all traffic destined for the outside world should be sent out eth3. My current routing tables have specific subnets sent through ppp0, and the rest heading out ex3 as the default gateway.

I accomplished my solution using the ip command. It allows for very powerful routing configuration. First off, I added the following lines to /etc/iproute2/rt_tables.

200 TrustWired
201 TrustWls
202 UntrustWls

This just provides names that associate with routing table numbers. They’re not necessary, but helpful in keeping tabs on things. Next, I created a routing rule that sends any traffic originating from eth2 to the UntrustWls routing table.

ip rule add from table UntrustWls

After that, I stuck a rule in to set up the default route. I’ll use as my default gateway in the example.

ip route add default via dev eth3 table UntrustWls

I also had to add the following route, because things weren’t working quite right. I think it was because arp traffic wasn’t being sent out properly from the gateway box without this route.

ip route add via dev eth2 table UntrustWls

That’s all! As another supplimental exercise, I figured out how to prevent the untrusted network from sending traffic to the trusted networks using these two rules.

ip route add blackhole table UntrustWls
ip route add blackhole table UntrustWls

My next related project is traffic shaping. While I don’t do a whole lot of downloading/uploading of large amounts of data, it would be really sweet to allow certain types of traffic to take precidence over others. This concept is a little more advanced, and who knows when I’ll get to it. We’ll see I guess.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>