Ip routes and iptables for GGSN/PGW

From YateBTS
Jump to: navigation, search

In order to seal off subscribers from each other in your network, but also be able to ping/ssh subscribers when administrating the YateUCN locally, the usage of iptables will help.

Depending on the settings of the tunnel, if the PDN tunnel has an explicit gateway (interface defined as x.x.x.x/nn/y.y.y.y) then it's the gateway's job to block access between subscribers.

If no explicit gateway is defined (interface defined as x.x.x.x/nn) you can use something like:

iptables -A FORWARD -i tun-pdn -o tun-pdn -j DROP

You will still be able to ping/ssh/etc from YateUCN as by default the local address selected towards subscribers will be x.x.x.x (owned by the tun-pdn interface itself).

Note that user plane packets will be routed by kernel's "default" table, together with pretty much everything else.

When an explicit gateway is defined we install a policy routing rule separating user plane traffic:

tun_init_external=tun_config.sh "${tunnel}" "1400" ""

# ip rule show
0:      from all lookup local 
150:    from lookup tun-pdn 
32766:  from all lookup main 
32767:  from all lookup default 

# ip route show table tun-pdn
default via y.y.y.y dev enp0s31f6

# ip route show table local
broadcast dev tun-pdn  proto kernel  scope link  src 
local dev tun-pdn  proto kernel  scope host  src 
broadcast dev tun-pdn  proto kernel  scope link  src 

All user packets go to y.y.y.y, the only exception is which is routed by table "local" at highest priority.