---
title: Lab Meeting Minutes 2022/10/18
tags: lab_meeting
---

> Outline
> [TOC]

---

# PERAL Lab Meeting

- Time: 2022-10-18 (ROC 111/10/18) 08:00
- Location: 科三 321
- Online meeting link: [Online](https://meet.google.com/bys-eczx-qcq)
- Attendees: 吳坤熹老師、謝萬霖、吳騰然、劉怡君、田蕙瑜、洪胤勛、丘世宇、莊才賢、紀見如、劉冠伶、林大智、繆亭霄
- Topic: [iptables(2)](https://docs.google.com/presentation/d/1DLZWfp30eLn-zUXdNcmmagMh5gMnEFcsJwpskqNOqTs/edit?fbclid=IwAR2fjVZMHOUMVQjcSi0EkmsJd-O7pA1ibcNgDfxSr-BsfjoASHumWwa-H4M#slide=id.p)
- Presenter: 莊才賢
- Minutes taken by: 田蕙瑜

## Meeting content

- Review
  - p.17 the structure of the iptables command

### iptables command structure

- `iptables -t nat -A OUTPUT ! -d 127.0.0.0/24 -m addrtype --dst-type LOCAL -j DOCKER`
- One iptables command defines one rule inside one table
- Structure
  - table: which table the rule goes into (`-t nat`)
  - chain: the point in the packet's path at which the rule is evaluated (here `OUTPUT`, for locally generated packets)
  - match: the conditions a packet must satisfy (`! -d 127.0.0.0/24`)
  - module: which iptables extension modules are loaded with `-m` (here `addrtype`, giving `--dst-type LOCAL`)
  - target: the action to take, or a jump to another chain (`-j DOCKER`)
    - ACCEPT, DROP, REJECT, RETURN, LOG, ...

### IP packet flow (to the local host)

![](https://i.imgur.com/t5fcBZL.png)

### SNAT, DNAT, MASQUERADE

- SNAT (source NAT)
  - Behaves like an ordinary home router: rewrites the source IP in the IP header
  - Handled in the POSTROUTING chain of the nat table
- DNAT (destination NAT)
  - Behaves like a load balancer: rewrites the destination IP in the IP header
  - Handled in the PREROUTING chain of the nat table
- MASQUERADE
  - Like SNAT, but no source address (pool) is given; the current address of the outgoing interface is used automatically, which makes it the choice for interfaces with a dynamic address
  - Handled in the POSTROUTING chain of the nat table

### SNAT, MASQUERADE implementation

- SNAT
![](https://i.imgur.com/2JPR67T.png)

### DNAT implementation

![](https://i.imgur.com/E2qPVlG.png)

### iptables packet flow (forwarded packet)

![](https://i.imgur.com/afH7UPq.png)

### iptables packet flow (a user reaching external resources through the default gateway)

![](https://i.imgur.com/jnXb9bm.png)

### SNAT, MASQUERADE

- Enable packet forwarding in the kernel (one of the following)
  - `echo "1" > /proc/sys/net/ipv4/ip_forward`
  - `echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf && sudo sysctl -p`
  - `sudo sysctl -w net.ipv4.ip_forward=1`
- Commands
  1. `iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE`
     - `-s 10.0.0.0/16`: internal network
     - `-o eth0`: external interface
  2. `iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 163.22.22.7`
     - SNAT to a fixed address (here 163.22.22.7); only suitable when the external address is static

### SNAT, MASQUERADE implementation && Demo

> Demo Env:
> - ip: 10.22.23.37
> - username: your english name
> - pwd: lab default pwd

- lxd commands
  - `lxc project switch <your-english-name>`
    - change the current project
  - `lxc list`
    - you should see your containers and their IPs, including:
      - gateway
      - server (webserver)
      - client
    - ![](https://i.imgur.com/7Svfq4q.png)
  - `lxc shell [container-name]`
    - attach a tty to the container

### Demo 4 - Use SNAT to forward packets (p.43)

- Gateway
  - `iptables -F -t nat` to flush (clean up) the rules in the nat table
  - `iptables -nL -t nat` to list all current rules
    - If you don't specify `-t nat`, only the filter table is shown by default
  - `iptables-save` dumps the rules of every table in a form that can be saved straight to a config file
- Server
  - set the gateway on the server
  - get the netplan file
  - netplan

```yaml
# SERVER_IP and GATEWAY_IP are placeholders; take the real values from `lxc list`
network:
  ethernets:
    eth0:
      addresses: [SERVER_IP/24]
      gateway4: GATEWAY_IP
      nameservers:
        addresses:
          - 192.168.2.1
        search:
          - lxd
  version: 2
```

  - change `addresses` to the container's current IP (`lxc list`)
  - change `gateway4` to the gateway's IP (`lxc list`)
  - apply the netplan config file
    - `netplan try`: rolls back after 120 seconds unless the change is confirmed
    - `netplan apply`: applies the netplan files at /etc/netplan/*.yaml
  - mv /etc/netplan/

### DNAT Commands

- `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.10:80`
  - Sends all traffic arriving on eth0 for TCP port 80 to 192.168.100.10:80
- `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 5000`
  - Redirects to a resource on the host itself, e.g. Flask: the web server listens on port 5000, but we want it reachable on port 80 of this host
  - Lets a regular (non-root) user serve on a privileged port (below 1024) without running the server as root
  - Only valid in the nat table, in the PREROUTING and OUTPUT chains (and user-defined chains called from them); PREROUTING never sees packets generated on the host itself, so a client on the same host needs a matching rule in OUTPUT
![](https://i.imgur.com/qnTGDAF.png)

---

### Suggestions & questions

1. p.32 The difference between chain and table?
2.
3. p.40 The command can be clearer:
   ```bash
   echo "1" > /proc/sys/net/ipv4/ip_forward
   echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf && sysctl -p
   ```
   - tee?
     - writes its input to the screen and to the file at the same time
     - `-a`: append
   - Why not use `>>` to append instead of 2 complicated lines? [name=Solomon]
     - In user mode the privilege is not inherited [name=Jerry]
   - Why not `echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf && sysctl -p`? [name=Solomon]
     - Yes, this would be clearer [name=Jerry]
     - To solve the I/O redirection issue: `sudo bash -c 'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf'`
     - An even simpler way is `sudo sysctl net.ipv4.ip_forward=1` (takes effect immediately, but is not persistent across reboots)
4. p.40 Presentation style: the indentation means the same layer of information [name=Solomon]
   - But here there should only be two methods
5. Ans:

## Follow-up items

1. [name=]

## Other business

---

Meeting adjourned: 10:16
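Added after the minutes as a worked example for the SNAT/MASQUERADE setup steps and the DNAT commands discussed above. It is not code from the slides or from the lab: it assumes the slide's topology (external interface `eth0`, internal network `10.0.0.0/16`) and a hypothetical internal web server at `10.0.0.10` (the slide's `192.168.100.10` is not inside `10.0.0.0/16`, so the address is a parameter). Instead of typing rules one by one it generates the gateway's whole ruleset in `iptables-restore` format, and it adds the filter-table rules the slides leave out: with the default `FORWARD` policy of `ACCEPT` the gateway forwards anything that reaches it, and the DNAT rule exposes the web server with no further check.

```shell
#!/bin/sh
# Added example, not from the slides: build the lab gateway's NAT + filter rules
# as an iptables-restore ruleset so they can be reviewed, diffed and parse-checked
# before they are applied. Prints the ruleset by default; APPLY=1 (as root) loads it.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # external interface (from the slides)
LAN_NET="${LAN_NET:-10.0.0.0/16}"     # internal network (from the slides)
WEB_SERVER="${WEB_SERVER:-10.0.0.10}" # ASSUMED address of the internal web server
PUBLIC_IP="${PUBLIC_IP:-}"            # set a fixed address to use SNAT instead of MASQUERADE

# nat table: source NAT for the LAN in POSTROUTING, port-80 DNAT in PREROUTING.
nat_rules() {
  printf '%s\n' '*nat' \
    ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  if [ -n "$PUBLIC_IP" ]; then
    # static public address: SNAT (the slide's command 2)
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"
  else
    # dynamic address: MASQUERADE uses the interface's current address (command 1)
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
  fi
  # forward inbound port 80 to the internal web server (the slide's DNAT command)
  echo "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80"
  echo "COMMIT"
}

# filter table: FORWARD defaults to DROP; allow only replies, LAN->WAN, and new
# connections to the DNAT target. Dropped forwards are logged (rate limited).
filter_rules() {
  printf '%s\n' '*filter' \
    ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A FORWARD -s $LAN_NET -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
  # FORWARD runs after the PREROUTING DNAT, so the destination is already WEB_SERVER
  echo "-A FORWARD -i $WAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
  echo "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"fwd-drop: \""
  echo "COMMIT"
}

ruleset() { nat_rules; filter_rules; }

# number of rules (-A lines) in the generated ruleset, for sanity checks
rule_count() { ruleset | grep -c '^-A '; }

# Enable forwarding without the redirect-under-sudo trap from the minutes:
# sysctl -w itself runs as root, and the change is effective immediately.
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Parse-check first, then load. Without -n/--noflush, iptables-restore replaces
# the nat and filter tables wholesale, so earlier demo rules do not linger.
apply_ruleset() {
  enable_forwarding
  ruleset | iptables-restore --test
  ruleset | iptables-restore
  iptables -t nat -nvL POSTROUTING
}

if [ "${APPLY:-0}" = "1" ]; then
  apply_ruleset
else
  ruleset
fi
```

Run `sh gateway-nat.sh` (hypothetical file name) to print and review the ruleset, `PUBLIC_IP=163.22.22.7 sh gateway-nat.sh` to get the SNAT variant, and `sudo env APPLY=1 sh gateway-nat.sh` on the gateway container to load it. `iptables-save` afterwards should show exactly the generated rules, which is the easiest way to confirm nothing from an earlier demo survived the reload.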