
IP Forwarding Linux

Task 2 Description

In the previous task you set up your machine and learned about basic networking in Linux Enterprise. Now you should learn about IP forwarding and network namespaces in Linux.

Example:

VM 1 has 1 bridged interface with a static IP
VM 2 has 2 bridged interfaces (1 static IP and 1 DHCP)
  1. The first VM must get its internet connection through the second VM.
  2. The second VM gets internet from the host and forwards it to the first VM.

IP Forwarding

IP forwarding, also known as IP routing, is a networking function that allows a computer to receive incoming network packets, analyze them, and then forward them to their intended destination. This is especially useful in network configurations where the Ubuntu system acts as a router or a gateway between two or more networks.

System Design (Not Yet)


IP Forwarding : Client-Side

Configure Client 🎉

  1. Configure a Namespace Network

    • Create a Linux namespace named ns1

        ip netns add ns1
      

      This creates the network namespace.

    • Check the network namespace

        ip -n ns1 link
      

      Inside the namespace only the loopback interface lo is visible; the host's interfaces are hidden by the namespace isolation.

    • Configure the veth pair

        ip link add tipTest2 type veth peer name br-tipTest2
        ip link set tipTest2 netns ns1
      

      The end of the veth pair that goes into ns1 is named tipTest2; its peer, which is attached to the Linux bridge later, is named br-tipTest2.

    • Confirm that the veth end tipTest2 is attached to ns1

      After the veth end is moved into the namespace it no longer appears in the host's interface list, which shows that the network isolation is working.

    • Configure the veth IP address and bring it up

        ip -n ns1 addr add 192.168.158.9/24 dev tipTest2
        ip -n ns1 link set tipTest2 up
      

      Note that the -n option runs the command inside the namespace. Use a static IP from your internal range and bring the interface up, otherwise the veth stays down and passes nothing.

  2. Configure the Linux Bridge

    • Create a Linux bridge named brTest2

        ip link add brTest2 type bridge
        ip link set dev brTest2 up
      

      These two commands create the bridge and bring it up; it appears as the new, fifth interface in the interface list.

    • Configure the brTest2 IP address

        ip addr add 192.168.158.10/24 dev brTest2
      

      This gives the bridge its address on the internal network. Make sure every interface involved is up and running.

    • Attach the peer veth br-tipTest2 to the bridge brTest2

        ip link set br-tipTest2 master brTest2
        ip link set br-tipTest2 up
      

      After br-tipTest2 is attached, ip link shows it with master brTest2. The peer also has to be brought up: a bridge port that is down passes no frames, so the namespace would not be able to reach the bridge.

    • Validate that the namespace can ping the bridge

      A successful ping from ns1 to the bridge address 192.168.158.10 confirms that the namespace is connected to the bridge.

  3. Bind Linux Bridge to Physical Interface

    • Install the Debian package that provides brctl (bridge-utils)

      After that the brctl command is available; brctl show lists the bridges and the ports attached to them.

    • Bind the Linux bridge brTest2 to the physical interface so it acts as a switch

        ip link set enp0s3 master brTest2
      

      Use the NIC of the client VM that faces the server VM (enp0s3 here; on your VM it may be enp0s8). Once the NIC is a bridge port, any IP address configured on the NIC itself stops being reachable: the host's address on this segment is now the bridge's 192.168.158.10. The binding is validated by the master brTest2 entry on the physical interface in the ip link output.

    • Validate that the namespace can ping the server side

      With the physical interface on the bridge, ns1 is on the same layer-2 segment as the server's address on this segment, so a ping from ns1 to 192.168.158.6 should succeed.

  4. Configure the Routing Process

    • Open a shell inside the namespace for the configuration that follows

        ip netns exec ns1 bash
      
    • Add a route to the network on the server's second interface

        ip route add 192.168.100.0/23 via 192.168.158.6
      

      This sends traffic for the server's second (DHCP) network to the server's first interface, 192.168.158.6, as the gateway.

    • Add the server's first interface as the default gateway

        ip route add default via 192.168.158.6
      
    • Create an iptables NAT rule

        iptables -t nat -A POSTROUTING -s 192.168.158.0/24 -j MASQUERADE
      

      This configuration makes the connection … to …

      The -s argument needs the prefix length: -s 192.168.158.0 on its own matches only the single address 192.168.158.0, so the rule would never be hit. On the client side this rule is not what provides internet access anyway: the namespace's packets leave through the bridge at layer 2 with source 192.168.158.9 and are translated on the server.

      Note:
      At this point the client still cannot reach the internet, because the server does not yet forward packets and nothing on the server side implements the intended task yet.
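The client-side procedure above collected into one script. This is an added example written for this page, not code from the original note. It assumes enp0s3 is the client VM's NIC on the segment shared with the server VM (the note mentions both enp0s3 and enp0s8), and it adds two steps the note leaves out: bringing the host end of the veth pair up, and flushing the NIC's own address before enslaving it. Saved as client-setup.sh it applies the setup when run as root; with DRY_RUN=1 it only prints the commands so the plan can be reviewed first.

```bash
#!/bin/sh
# Added example, not from the original note: the client-side steps as one
# re-runnable script. Names and addresses (ns1, tipTest2, br-tipTest2, brTest2,
# 192.168.158.9/24, 192.168.158.10/24, gateway 192.168.158.6) are the note's.
# Assumption: enp0s3 is the client VM's NIC on the segment shared with the server.
# With DRY_RUN=1 every command is printed instead of executed.
set -eu

NS=ns1
VETH=tipTest2            # veth end that moves into the namespace
PEER=br-tipTest2         # veth end that stays on the host and joins the bridge
BRIDGE=brTest2
PHYS=${PHYS:-enp0s3}     # assumed physical NIC towards the server VM
NS_IP=192.168.158.9/24
BR_IP=192.168.158.10/24
GW=192.168.158.6         # server VM's static address on this segment
SERVER_WAN_NET=192.168.100.0/23   # the note's route target on the server's DHCP side

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

client_setup() {
    # 1. namespace and veth pair; one end is moved into ns1
    run ip netns add "$NS"
    run ip link add "$VETH" type veth peer name "$PEER"
    run ip link set "$VETH" netns "$NS"
    run ip -n "$NS" addr add "$NS_IP" dev "$VETH"
    run ip -n "$NS" link set "$VETH" up
    run ip -n "$NS" link set lo up      # not in the note; a down lo breaks local sockets

    # 2. bridge; the host end of the veth becomes a bridge port
    run ip link add "$BRIDGE" type bridge
    run ip addr add "$BR_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run ip link set "$PEER" master "$BRIDGE"
    run ip link set "$PEER" up          # omitted in the note; a down port passes no frames

    # 3. enslave the NIC. Its own address stops being reachable once it is a
    #    bridge port, so it is flushed; the host's address is now the bridge's.
    run ip addr flush dev "$PHYS"
    run ip link set "$PHYS" master "$BRIDGE"
    run ip link set "$PHYS" up

    # 4. routing inside the namespace: the server VM is the next hop for everything.
    #    No NAT is needed on the client: ns1's frames leave at layer 2 through the
    #    bridge and reach the server with source 192.168.158.9, which the server
    #    masquerades towards the internet. The /23 route is redundant once the
    #    default route exists and is kept only to match the note.
    run ip -n "$NS" route add "$SERVER_WAN_NET" via "$GW"
    run ip -n "$NS" route add default via "$GW"
}

# Apply only when invoked as client-setup.sh; sourcing the file just defines functions.
case "${0##*/}" in client-setup.sh) client_setup ;; esac
```

Run it from the VM console rather than over an SSH session that goes through the NIC being enslaved: flushing that NIC's address drops the session. The client-side MASQUERADE rule from the note is deliberately left out, since the translation that matters happens on the server.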

IP Forwarding : Server-Side

  1. Configure IP Forwarding on Server Side

    • Enable IP forwarding on the server VM (the one with two interfaces)

      The kernel switch is net.ipv4.ip_forward. It is 0 by default, so until it is set to 1 the server silently drops packets that are not addressed to itself, including everything the client sends to it as its gateway.

    • Validate IP forwarding on the server VM

      Read the switch back and confirm it now reports 1. A value set with sysctl -w is lost on reboot unless it is also written to a sysctl configuration file.

    • Disable the firewall

      The firewall's FORWARD policy otherwise drops the client's packets on the server. Turning the firewall off is the quick fix used here; the tighter option is to keep it on and only accept forwarding from 192.168.158.0/24 and the related replies.

  2. Configure iptables

    • Configure the NAT iptables rule

        iptables -t nat -A POSTROUTING -s 192.168.158.0/24 -d 0/0 -j MASQUERADE
      

      This rewrites the source address of forwarded packets from the client subnet to the server's own address on the interface they leave through, so replies from the internet come back to the server and are passed on to the client. Adding -o with the upstream interface name limits the rewrite to traffic going out that way.
      
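The server-side procedure as an added script, not taken from the original note. It assumes enp0s3 is the server's DHCP NIC towards the host and enp0s8 the static one on 192.168.158.0/24 (the note names both interfaces but not their roles). It replaces the "disable the firewall" step with FORWARD rules that only let the client subnet out and its replies back in, and makes the forwarding switch survive a reboot. DRY_RUN=1 prints the commands instead of running them.

```bash
#!/bin/sh
# Added example, not from the original note: the server-side steps as one script.
# Assumptions: enp0s3 is the upstream (DHCP) NIC, enp0s8 the static NIC towards the
# client VM. The FORWARD chain is kept closed except for the client subnet.
set -eu

WAN=${WAN:-enp0s3}                 # assumed upstream NIC (DHCP from the host)
LAN=${LAN:-enp0s8}                 # assumed NIC on the 192.168.158.0/24 segment
LAN_NET=192.168.158.0/24
SYSCTL_DROPIN=${SYSCTL_DROPIN:-/etc/sysctl.d/99-ipforward.conf}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

enable_forwarding() {
    # runtime switch; this is the note's "enable IP forwarding" step
    run sysctl -w net.ipv4.ip_forward=1
}

persist_forwarding() {
    # sysctl -w is lost on reboot; a drop-in under /etc/sysctl.d survives it
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'write net.ipv4.ip_forward = 1 to %s\n' "$SYSCTL_DROPIN"
    else
        printf 'net.ipv4.ip_forward = 1\n' > "$SYSCTL_DROPIN"
    fi
}

nat_rules() {
    # A rule without a prefix length ("-s 192.168.158.0") matches only the single
    # address 192.168.158.0/32, i.e. nothing useful. Pinning the rule to the
    # upstream interface keeps traffic between LAN hosts from being rewritten.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

forward_rules() {
    # Replacement for "disable the firewall": forward only what this setup needs.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$LAN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

server_setup() {
    enable_forwarding
    persist_forwarding
    nat_rules
    forward_rules
}

# Apply only when invoked as server-setup.sh; sourcing the file just defines functions.
case "${0##*/}" in server-setup.sh) server_setup ;; esac
```

The -A rules are appended, so running the script twice duplicates them; flush the nat and filter tables first, or check with iptables -t nat -S and iptables -S before re-applying.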

IP Forwarding : Validation

  1. Validate the connection from the namespace through the tipTest2 interface

    The connection from the namespace through the tipTest2 interface is established (the ping from ns1 succeeds).

  2. Validate the connection from the server through the enp0s8 interface

    The connection from the server through the enp0s8 interface is established.

  3. Validate the chain packet counters

    The packet counter of the MASQUERADE rule (iptables -t nat -L POSTROUTING -v) is greater than 0, which means packets are matching the configured iptables rule.
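A check for the validation steps above, added here rather than taken from the note. It reads the kernel's forwarding switch and the packet counters of the nat POSTROUTING chain; the text it parses has the layout of iptables -t nat -L POSTROUTING -v -n -x output, and the SAMPLE inside the block is constructed in that layout (it includes a mask-less rule like the one in the client-side step, which never matches anything), not captured from the note's VMs.

```bash
#!/bin/sh
# Added example, not from the original note: validation of forwarding and NAT on
# the server VM. SAMPLE is a constructed listing in the format of
# `iptables -t nat -L POSTROUTING -v -n -x`, so the parsing runs without root.
set -eu

SAMPLE='Chain POSTROUTING (policy ACCEPT 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     2812 MASQUERADE  all  --  *      enp0s3  192.168.158.0/24     0.0.0.0/0
       0        0 MASQUERADE  all  --  *      enp0s3  192.168.158.0        0.0.0.0/0'

# forwarding_enabled [file]: true when the kernel switch reads 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# masq_pkts SOURCE [listing]: packet counter of the first MASQUERADE rule whose
# source column equals SOURCE; reads the live table when no listing is given.
# Columns with -v -n -x: pkts bytes target prot opt in out source destination.
masq_pkts() {
    listing=${2:-$(iptables -t nat -L POSTROUTING -v -n -x)}
    printf '%s\n' "$listing" |
        awk -v src="$1" '$3 == "MASQUERADE" && $8 == src { print $1; exit }'
}

# validate [listing] [ip_forward file]: exit status 0 when the setup is usable.
validate() {
    if ! forwarding_enabled "${2:-}"; then
        echo "ip_forward is 0: the server will not route the client's packets"
        return 1
    fi
    n=$(masq_pkts 192.168.158.0/24 "${1:-}")
    if [ -z "$n" ]; then
        echo "no MASQUERADE rule for 192.168.158.0/24 (check the prefix length on -s)"
        return 1
    fi
    if [ "$n" -eq 0 ]; then
        echo "MASQUERADE rule present but has seen 0 packets: send traffic from ns1 and re-check"
        return 1
    fi
    echo "ok: $n packets masqueraded"
}

# Apply only when invoked as validate-nat.sh; sourcing the file just defines functions.
case "${0##*/}" in validate-nat.sh) validate ;; esac
```

Counters are cumulative since the rule was added, so a non-zero value only says the rule has matched at some point; to confirm live traffic, note the value, ping from ns1, and read it again.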