Hi there, Tomas,

Welcome back from your trip away!

: The goals I had when beginning with this, for those of you who have not
: followed mine and Martin's thread, were to:
:
: 1) only let 192.168.1/24 see all routes,
: 2) not route between defined networks, except to and from 192.168.1/24,
: 3) let not-defined networks reach only 192.168.1/24.
:
: This might sound simple. It wasn't for me. Policy routing is difficult
: to describe in any language, and thinking about it isn't that easy
: either.....
:
: Two routing tables: one called "ALL" that, surprisingly, held routes to
: all networks defined and a default route to the internet; the other
: called "main", just for ease, that held one route to 192.168.1/24 and
: had a default prohibit.
:
: The one rule that exists just says "if src == 192.168.1/24 use table
: ALL". Of course there is an additional rule, the standard one that says
: "from all lookup main", with a number of 32766.
:
: So, for those of you who don't understand my poor English: literally
: every network that passes, except 192.168.1/24, will use the main table,
: which just holds the route to 192.168.1/24 and the prohibit one.
:
: This is so simple, something just has to be wrong. Feel free to
: enlighten me.

What an elegant solution, Tomas! I also could not believe how simple the
solution appeared at first, so I wrote it down (my notes are below), and I
find this a far simpler solution than anything either of us came up with
before. It's neat to see the RPDB harnessed in this way.
Congratulations on your elegant solution,

-Martin

# -- RPDB addition
#
ip rule add from 192.168.1.0/24 lookup ALL
#
# -- implicit rule below
#
# ip rule add prio 32766 from all lookup main
#
# -- table ALL
#
ip route add table ALL $NETA via $ROUTERA
ip route add table ALL $NETB via $ROUTERB
ip route add table ALL $NETC via $ROUTERC
ip route add table ALL default via $ROUTERINET
#
# -- table main
#
ip route add 192.168.1.0/24 dev eth0
ip route add prohibit default
#
# -- all packets (to be routed) with source address of ANYWHERE
#    are only allowed to have destinations in 192.168.1.0/24
# -- all packets (to be routed) with source address of 192.168.1.0/24
#    are allowed to connect to any network

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
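The following is an added illustration, not code from Tomas or Martin: a small Python model of how the kernel walks the RPDB for a forwarded packet (rules in priority order, longest-prefix match inside the selected table, `prohibit` terminating the lookup, a miss or `throw` falling through to the next rule). It reproduces the two tables and the single rule from Martin's notes and checks Tomas's three goals against them. The $NETA/$ROUTERA placeholders are filled with made-up documentation addresses, the interface names eth0/eth1/eth3 are assumed, and the sample hosts are constructed. Two practical points the notes leave implicit are also built in: the table name "ALL" only works once it has an entry in /etc/iproute2/rt_tables (for example `200 ALL`), and the rule selects on the source address alone, which the sender chooses, so the model also shows a variant of the rule that additionally requires the packet to arrive on the LAN interface (`ip rule add from 192.168.1.0/24 iif eth0 lookup ALL`).

```python
"""Model of how the Linux RPDB evaluates Tomas's two-table policy.

Constructed example, not code from the list thread.  The $NETA/$ROUTERA
placeholders in Martin's notes are filled with made-up documentation
addresses; interface names and sample hosts are assumptions.
"""
import ipaddress

LAN = "192.168.1.0/24"                      # the network allowed to see every route
NETS = {"NETA": "10.10.0.0/16", "NETB": "10.20.0.0/16", "NETC": "10.30.0.0/16"}
GW = {"NETA": "10.0.0.2", "NETB": "10.0.0.3", "NETC": "10.0.0.4", "INET": "203.0.113.1"}

# A route is (prefix, type, target).  "unicast" forwards to target, "prohibit"
# answers ICMP admin-prohibited, "throw" abandons this table and continues with
# the next rule.  The tables mirror Martin's notes ("ALL" must be declared in
# /etc/iproute2/rt_tables before ip(8) accepts the name).
TABLES = {
    "ALL": [
        (NETS["NETA"], "unicast", "via " + GW["NETA"]),
        (NETS["NETB"], "unicast", "via " + GW["NETB"]),
        (NETS["NETC"], "unicast", "via " + GW["NETC"]),
        ("0.0.0.0/0", "unicast", "via " + GW["INET"]),
    ],
    "main": [
        (LAN, "unicast", "dev eth0"),
        ("0.0.0.0/0", "prohibit", None),        # ip route add prohibit default
    ],
    "default": [],                              # table 253, empty on a stock system
}

# Rules as (priority, selector, table).  The "local" table at priority 0 is
# left out because it only concerns traffic addressed to the router itself.
RULES = [
    (32765, {"from": LAN}, "ALL"),              # the one explicit rule
    (32766, {"from": "0.0.0.0/0"}, "main"),     # implicit
    (32767, {"from": "0.0.0.0/0"}, "default"),  # implicit
]

# Hardened variant (assumed interface name): the LAN rule also requires the
# packet to arrive on eth0, i.e. "ip rule add from 192.168.1.0/24 iif eth0 lookup ALL".
RULES_IIF = [(32765, {"from": LAN, "iif": "eth0"}, "ALL")] + RULES[1:]


def lookup(table, dst):
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for prefix, rtype, target in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rtype, target)
    return best


def route(src, dst, iif="eth0", rules=RULES):
    """Walk the rules in priority order for a forwarded packet, as the kernel does.

    Returns the unicast target, "prohibit" (EACCES) or "unreachable"
    (ENETUNREACH, when every selected table misses).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if src not in ipaddress.ip_network(sel["from"]):
            continue
        if "iif" in sel and sel["iif"] != iif:
            continue
        hit = lookup(table, dst)
        if hit is None or hit[1] == "throw":
            continue                            # fall through to the next rule
        if hit[1] == "prohibit":
            return "prohibit"
        return hit[2]
    return "unreachable"


def forwarded(decision):
    return decision not in ("prohibit", "unreachable")


def goals_hold(rules=RULES):
    """Check Tomas's three goals with constructed sample hosts."""
    lan, neta, netb = "192.168.1.10", "10.10.1.1", "10.20.1.1"
    inet, undefined = "198.51.100.7", "172.16.5.5"
    goal1 = forwarded(route(lan, neta, rules=rules)) and forwarded(route(lan, inet, rules=rules))
    goal2 = (route(neta, netb, iif="eth1", rules=rules) == "prohibit"
             and forwarded(route(neta, lan, iif="eth1", rules=rules)))
    goal3 = (forwarded(route(undefined, lan, iif="eth3", rules=rules))
             and route(undefined, inet, iif="eth3", rules=rules) == "prohibit")
    return goal1, goal2, goal3


def spoofed_from_neta(rules=RULES):
    """A NETA host forging a 192.168.1.x source, arriving on eth1, bound for NETB."""
    return route("192.168.1.77", "10.20.1.1", iif="eth1", rules=rules)


if __name__ == "__main__":
    print("goals, rule keyed on source only :", goals_hold(RULES))
    print("goals, rule keyed on source + iif:", goals_hold(RULES_IIF))
    print("spoofed LAN source from NETA:", spoofed_from_neta(RULES), "->", spoofed_from_neta(RULES_IIF))
```

Both rule sets satisfy the three goals, but only the `iif` variant stops a host on NETA that forges a 192.168.1.x source from being handed table ALL; in a real deployment reverse-path filtering (`net.ipv4.conf.all.rp_filter=1`) or an ingress filter on the non-LAN interfaces serves the same purpose. One further detail of the notes as posted: table ALL carries no route for 192.168.1.0/24 itself, so a routed packet from the LAN to a LAN address would follow the internet default; that is harmless on a plain subnet, but adding `ip route add table ALL 192.168.1.0/24 dev eth0` makes the table self-contained.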