A.1. Procedure – Configuring advanced routing on Linux

Purpose: 

To configure a Linux-based router to redirect selected traffic to PSM instead of its original destination, complete the following steps. This procedure should work on most modern Linux-based routers, including Check Point® firewalls.

Prerequisites: 

The router must have the iptables and ip tools installed.

Steps: 

  1. Create the packet filter rules that will mark the connections to be sent to PSM using the CONNMARK feature of iptables. Mark only those connections that must be redirected to PSM.

    # iptables -t mangle -I PREROUTING -i <interface-facing-the-clients> -p tcp -d <network-of-the-servers> --dport <port-to-access> -j CONNMARK --set-mark 1
    Example A.1. Setting up a connection mark for Linux policy routing

    For example, if the network interface of the router that faces the clients is called eth0, the servers are located in the 10.0.0.0/24 subnet, and the clients access the servers using port 3389 (the default port of the RDP protocol), then this command looks like:

    # iptables -t mangle -I PREROUTING -i eth0 -p tcp -d 10.0.0.0/24 --dport 3389 -j CONNMARK --set-mark 1
  2. Create a rule that redirects the replies of the servers to PSM. That way, both the client-to-server and the server-to-client traffic are routed to PSM.

    Note

    This step is only required if you want to use Source NAT (IP Spoofing) instead of PSM’s address towards the monitored servers.

    Figure A.1. Control > Connections — Using SNAT

    # iptables -t mangle -I PREROUTING -i <interface-facing-the-servers> -p tcp -s <network-of-the-servers> --sport <port-to-access> -j CONNMARK --set-mark 1
  3. Convert the CONNMARK marks to MARK:

    # iptables -t mangle -A PREROUTING ! -i <interface-facing-the-scb> -m connmark --mark 1 -j MARK --set-mark 1 
    Warning

    This rule must be placed after the CONNMARK rules.

  4. Add the table name to the /etc/iproute2/rt_tables file on the router, using the following format (for details on routing tables, see for example the Guide to IP Layer Network Administration with Linux):

    103 scb
  5. Create a routing table that has a single entry with a default route to PSM:

    # /sbin/ip route add default via <ip-address-of-PSM> table scb
  6. Create a routing rule that selects the routing table called scb if the connection is marked.

    # /sbin/ip rule add from all fwmark 1 table scb
  7. If PSM is configured to spoof the IP address of the clients on the server side (that is, the SNAT > Use original IP address of the client option of the connection policies is selected), enable spoofing on the router for the interface connected to PSM.

    # echo 0 > /proc/sys/net/ipv4/conf/<interface-facing-PSM>/rp_filter
    # echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Expected result:

The traffic from the clients targeting the specified port of the servers is redirected to PSM. Therefore, PSM can be configured to control and audit this traffic.
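Added example, not part of the PSM documentation: a POSIX shell helper that renders steps 1 to 6 above as a reviewable dry-run command list, and checks an `iptables-save -t mangle` dump for the rule order the warning in step 3 requires. The interface names eth0/eth1/eth2, the 10.0.0.0/24 server network and the PSM address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the PSM documentation. Renders the procedure above
# as a dry-run command list and checks rule ordering in a mangle-table dump.
# Interface names, networks and addresses are constructed placeholders.

# Steps 1 to 6 as commands, printed rather than executed, so the rule set can be
# reviewed before it is applied as root on the router. The rt_tables entry is
# only appended when missing, so re-running does not duplicate it.
psm_routing_commands() {
  client_if=$1 server_if=$2 psm_if=$3 server_net=$4 port=$5 psm_ip=$6
  cat <<EOF
iptables -t mangle -I PREROUTING -i $client_if -p tcp -d $server_net --dport $port -j CONNMARK --set-mark 1
iptables -t mangle -I PREROUTING -i $server_if -p tcp -s $server_net --sport $port -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING ! -i $psm_if -m connmark --mark 1 -j MARK --set-mark 1
grep -q '^103 scb\$' /etc/iproute2/rt_tables || echo '103 scb' >> /etc/iproute2/rt_tables
ip route add default via $psm_ip table scb
ip rule add from all fwmark 1 table scb
EOF
}

# Check an 'iptables-save -t mangle' dump for the warning in step 3: the MARK rule
# must come after the last CONNMARK rule in PREROUTING. Matches on the targets only,
# so it works for both --set-mark and the --set-xmark form iptables-save prints.
# Returns 0 when the order is correct, 1 otherwise.
mark_rule_ordered() {
  dump=$1
  last_connmark=$(printf '%s\n' "$dump" | grep -n -- '-A PREROUTING .*-j CONNMARK ' | tail -n 1 | cut -d: -f1)
  mark_line=$(printf '%s\n' "$dump" | grep -n -- '-A PREROUTING .*-m connmark .*-j MARK ' | head -n 1 | cut -d: -f1)
  [ -n "$last_connmark" ] && [ -n "$mark_line" ] && [ "$mark_line" -gt "$last_connmark" ]
}

# Constructed dumps: GOOD_DUMP follows the procedure; BAD_DUMP has the MARK rule
# inserted before the CONNMARK rule, so the first packet of each connection is
# routed before its mark is copied and bypasses PSM.
GOOD_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 3389 -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING -s 10.0.0.0/24 -i eth1 -p tcp -m tcp --sport 3389 -j CONNMARK --set-xmark 0x1/0xffffffff
-A PREROUTING ! -i eth2 -m connmark --mark 0x1 -j MARK --set-xmark 0x1/0xffffffff
COMMIT'
BAD_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING ! -i eth2 -m connmark --mark 0x1 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -d 10.0.0.0/24 -i eth0 -p tcp -m tcp --dport 3389 -j CONNMARK --set-xmark 0x1/0xffffffff
COMMIT'

# Stand-alone run: print the command list for the constructed topology.
psm_routing_commands eth0 eth1 eth2 10.0.0.0/24 3389 192.0.2.10
```

To check a live router, feed it the real dump: `mark_rule_ordered "$(iptables-save -t mangle)"`.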