Feb 2, 2010

Using Route Tables on Windows

I refer back to back to this article quite often so I thought it would be nice to post it here. It is written so that just about anyone can understand route tables.

Using Route Tables on Windows NT, 2000, and XP

Have you ever had a computer that didn't need to, or more over shouldn't talk to any other computer off campus? Well route rules are a way to accomplish this. Route rules are a common way of only allowing a computer to talk to certain known other hosts. Technically, route rules are a way of controlling your computers ability to talk to other computers outside of it's subnet (we'll get into that more later).

About Route Rules:

The internet is a big place. Most users of the internet (at least in work settings) do not access the. entire internet (say a site in Iceland or Botswana). This holds particularly true for servers, application workstation, and purpose built computers. These types of computers may access only campus, only your department, or only a few users. More importantly, there are no valid reasons that someone from outside the userbase should access them. These are the perfect systems for route rules. There are 4,294,967,296 IP addresses (and thus other possible computers) in the world, and if you only have 10 people that need to access your server you may as well keep the rest out.

For the purpose of this article we will address route rules as they pertain to Windows NT, Windows 2000, and Windows XP (Many other OS's support these in various forms). We will also assume that you have some understanding of how IP addresses, subnets and gateways work.

Route rules are often used for the following reasons 
  • They are fairly simple to use if you understand how IP addresses work
  • They are quickly configurable and take effect immediately
  • They can allow you finer control over what other computers can access yours
  • They are commonly used in a "defense in depth" model as a final way of saying "none shall pass other than..."
  • They are similar to those used on Unix and Linux boxes so are pretty well understood and familiar to some
This can be a bit complicated as one needs to understand the basics of how IP addresses work. The basic principle is that you define each computer, or group of computers that you want your computer to be able to communicate with. Always keep in mind when using route rules that your computer will not be able to talk to anything that you haven't made a route rule for. So be sure to remember to add a route rule for things like the Microsoft Update Server or you won't be able to get patches.

In order to make "Static" route rules on your computer (i.e. ones that you set), you must first remove the "default gateway" from your network configuration tab. Remember what your gateway is for you will need it later when you add routes. The default gateway on a computer is used to allow it to talk to other computers off it's subnet. By default a windows computer has a route to every host in the world, which is great if you want to browse the web, and terrible if you want to keep out hackers and worms. Simply open your TCP/IP settings windows and remove everything from the gateway box.

Once you have removed your gateway (also known as the "default route") you will not be able to access anything that isn't on your subnet. Your subnet is the computers with an IP in the same range as yours. For example, 129.237.100.1 and 129.237.100.24 share the same IP Octets all the way down to their last octect (everything after the last dot), thus they are very likely on the same subnetwork.

This is important to know in that even once you have removed the default route (in this case your gateway from the TCP/IP settings menu), your computer will still be able to talk to everyone on your subnet. This is becase of a network technology called ARP.. which is a bit more than we'll cover here. Just know that you do not need a gateway to talk to those computers "near you" on the network (for instance those in your building or on the same floor as you) and thus route rules can't add or deny them access to your computer, they are simple talk (with or without a route)

Now that you have removed your gateway you can begin to add back routes to other computers (or groups of computers as you'll soon see). You do this by using the "route add" command.

route add -p 129.237.37.60 MASK 255.255.255.255 129.237.100.254

Lets pick appart the command above. The first part "route add" tells the route command that you want to add a route. The "-p" option tells route that you want it to be persistant. Persistant routes are written to the registry and thus will remain in place after a reboot (or anything else that turns off your network card). This is important because non-persistant routes will be removed at reboot. The next part of the command "129.237.37.60" is the IP address you would like to be able your computer to be able to talk to. In this case it is the IP address of the Windows Update Server we have here on campus (got to have those patches). The next part is a bit tricky, it is the MASK. A MASK is used, along with the IP address you specified in the first part, to make the rule. This is because a route rule can be used to add MANY computers, or just one. Basically, by saying "MASK 255.255.255.255" we have specified that we only want our computer to be able to talk to this one host. The final part of the rule is the gateway. This should be the same number that we removed from the TCP/IP menu. The gateway is the IP address of a device on the network that your computer talks to in order to find it's way to other computers. Think of it as the old style Telephone Operator sitting at a switchboard, without it, you can't talk to anyone too far away.

So in summary, we have told our computer that we want to add a persistant route, to 129.237.37.60 only and we told it to use the gateway in order to get there. Another rule that many people use is to group computers together and add them all at once.

route add -p 129.237.35.0 MASK 255.255.255.0 129.237.100.254

This rule is much like the first, except you'll notice that the IP address and MASK end in zeros. We have told our computer that we would like to add ALL computers in 129.237.35.x to our route list (and thus allowing communication with our computer). This is very handy and why the MASK portion of the command is so important. It says..

129.237.35.0

255.255.255.0

Only.Only.Only.Any

In other words, only allow computers that are in 129, AND only allow computers that are also in .237 AND only allow computers that are in .35, and allow ANY computer that meets all those criteria

Arguments & Examples:

route PRINT

Used to display a list of current routes. This is handy if you would like to debug a rule or to print out rules for documentation (used with a common pipe)  

route ADD 129.237.0.0 MASK 255.255.0.0 129.237.100.254 destination^ ^mask ^gateway

Adds a route, this is where the real power comes in. For instance, this rule allows only hosts on campus to see or talk to your computer (you computer also can't see anything off the campus network)

route PRINT 129.237.*

Only prints out the rules that match argument (in this case all on campus routes)

route CHANGE 129.237.39.200 MASK 255.255.255.255 129.237.100.254

Used to change an existing route rule

route DELETE 129.237.39.200

Removes the route defined to this host