Girish Venkatachalam is a UNIX hacker with more than a decade of
networking and crypto programming experience.
His hobbies include yoga,cycling, cooking and he runs his own
business. Details here:
We are going to look at how you can setup your home or office Linux box to do simple packet forwarding with static routes. Most routers on the Internet do not run any routing daemon. They have a bunch of static routes and even in the case of big routers, the default route takes most of the traffic load. A core IP router not only runs BGP but it is also free from default routes. Such routers are very rare on the Internet.
I named this article as networking 101 instead of routing since most of the concepts are concerned with basic TCP/IP networking. First of all certain basics.
a) Every IP address has a network portion and a host portion and the network portion always starts at the left end (prefix) and the host portion starts at the right end (suffix). This has nothing to do with little endian or big endian arithmetic. ( Hope this does not confuse)
For instance, in 192.168.1.5 , the network portion starts with 192... and the host portion starts with 5 backwards. And you should learn to use subnet masks well. According to RFC1918, private addresses in the range 192.168/16 can be used for private networks. Also 10/8 and 172.16/12.
This means a subnet mask with the first 16 bits set to 1. Subnet mask is nothing but a special form of IP address in which the bits that are set to 1 indicate the network portion of IPs in that network.
I shall try to give as many examples as possible to illustrate the concepts. Perhaps it will help you a bit.
So in this case, 192.168.0.0/16 or 192.168/16 means every IP address in that network has the network portion constant: the prefix of every IP will be 192.168. All IPs will have the form 192.168.x.x where x stands for any integer between 1 and 254. And the suffix stands for the host portion.
The IP address dished out by most DHCP servers behind NAT dole out IP addresses in the 192.168.1/24 range.
It is really easy to construct a subnet mask with this convention. What is the IP address mask with the first 16 bits set to it?
Obviously it is 255.255.0.0. What is the mask for /24 networks? It is 255.255.255.0.
But things get complicated when the masks cross the IP address byte boundaries. But the underlying concept is the same. For instance, a mask of 255.255.255.240 has a network portion of /28.
If you have trouble figuring this out, just type out the BCD hex representation. For instance in my favourite pdksh shell, I type
$ printf "%0x\n" 240 f0
So the first 4 bits of the 8 bits are set to 1. This network can have a maximum of 2^4 or 16 hosts. Of course you have to give allowance to broadcast addresses but we are discussing basics now. Let us ignore that for the moment.
Now you have a grasp on how to interpret IP addresses and the network they reside in with the help of subnet mask. Subnet masks are usually represented in the 255.... form but it helps to think in the other form I used above /bits. Onto the second important concept now.
b) Gateways are required only for conveying packets between networks. It is never used for "routing" packets within a network. So for instance in a 192.168/16 or 192.168.1/24 network, there would be no need for a gateway to reach any host/router within 192.168 or 192.168.1 network.
It is meaningless to configure a route/gateway for reaching any host within the network portion of the IP address. A good rule of the thumb is this. Any IP address with the network portion same : i.e, 192.168 in the first case and 192.168.1 in the second case does not need any explicit route.
The moment you configure an interface for instance,
# ifconfig eth0 192.168.1.5 netmask 255.255.255.0
the kernel figures out that a routing table entry for this network has to have the form
# netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
Can you interpret this line? It says that for all destinations in the network range 192.168.1/24, the default gateway is 0.0.0.0. Which is to say that no gateway is required. Let me give you a very simple and interesting analogy.
For going to Bangalore or Kashmir you do not need a visa or passport. Since they belong to India. Gateways are the people at the boundary of a region to help you cross network boundaries.
The main point that many people miss is this. You do not have to specify any route manually for this. It is obvious to the kernel. If you configure an IP with a subnet mask, all hosts in that network automatically become reachable and you can ping them. If you cannot ping them, something is wrong somewhere.
You can ping? Good. Now let us move on to the next topic.
c) Adding gateways for hosts and networks
You can add entries to the kernel routing table in two ways. You can add host specific routes or network specific routes. And then you have a default route. It is like a fallback. Almost like the error condition in a C program. If nothing else works, take this route. Hence it is called "default".
You can inspect the default route entry very easily. Train yourself to identify the same since you will be seeing it often.
Default route line : 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
This seemingly innocent line does all the work for you. It says that for a wildcard destination of 0.0.0.0, the gateway is 192.168.1.1.
The way to interpret routing tables is this. Ask this question: Which is the destination host/network?
The first field of the netstat -nr output on linux boxen. Which is the gateway to reach that host/network?
The answer lies in the second field. Then you should ask: Can I reach the gateway directly? I can only use IPs that are directly reachable from my machine as gateways.
Now I got this from my home BSNL network and 192.168.1.1 is the IP address of the BSNL modem. On the public interface of the modem, the phone line has a PPPoE/PPPoA allocated public IP. So the modem simply acts as a two port router which dumbly ferries packets both ways.
Now, I want you to focus on a key concept. All the entries configured as "gateways" in the kernel routing table have to be directly connected. What does this mean?
You should be able to ping them without adding any route. Which is to say that the moment you assign an IP address to an interface or an alias, the kernel automatically adds the routing entry for all hosts on its network. You can only add a particular host on this network range as gateways.
It is impossible to use as a gateway a host which is not accessible without adding a route. This is like the proverbial chicken and egg problem. So this will not work. All gateways have to be reachable without a specific routing entry. Now, let us see how to add a host specific route. Usually host specific routes will not be needed but sometimes this facility comes in handy.
# route add -host 10.1.1.5 gw 192.168.1.1 # netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.1.1.5 192.168.1.1 255.255.255.255 UGH 0 0 0 eth1
Simple eh? Yes indeed. You can quickly spot a host specific route with the subnet mask "Genmask" field. It will be all 1s.
This is the case for all point to point links like PPP over dialup links. To add a network specific route, it is again simple.
# route add -net 10.1.1.0/24 gw 192.168.1.1 # netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10.1.1.0 192.168.1.1 255.255.255.0 UG 0 0 0 eth1
I have snipped out the relevant entry for you. You could also use the subnet mask method if you prefer for the route add command.
d) Subnets and physical interconnectivity
A router is any device with more than one interface on which you are running the IP protocol ( don't get academic on this). For all practical purpose Internet has only IP today. This interface could be a physical link like an ethernet interface, a USB NIC, a Wifi interface, a bluetooth dongle or a serial port running PPP.
Please don't get confused with the details. Break the problem down into its logical equivalent. An interface has an IP address. Every IP address has a subnet mask. So every IP address needs a network portion and a host portion.
So now, a device with multiple physical interfaces running IP will obviously belong to multiple subnets.
Reason is simple. It is stupid to have two interfaces have the same network address/subnet mask. Why would you do that? You can eminently use aliases for adding as many IP addresses in as many network ranges you want on a single physical interface.
The basic purpose of having multiple interfaces is to route packets between networks. So obviously they should belong to multiple networks.
And there is a very good correspondence between the physical interconnectivity and the IP address allocation.
If you found something useful today, please consider a small donation.
Got something to add? Send me email.
More Articles by Girish Venkatachalam © 2009-11-07 Girish Venkatachalam
Several people have told me that my inability to suffer fools gladly is one of my main weaknesses. ((Edsger W. Dijkstra)