OK, this is a bit involved, but any Linux networking gurus out there who could cast an experienced eye over my amateurish attempts to set up a virtual Linux router would be greatly appreciated.
OK, some topology to set the scene:
I have a NAT router, provided by SKY. Its IP is 192.168.0.1 and is the default gateway for most interfaces on my LAN.
I have a Linux box, running CentOS 7, which has 2 NICs. We'll call them eth0 and eth1 for the sake of argument.
eth0 has an IP address 192.168.0.50 netmask 255.255.255.0
eth1 has an IP address 192.168.100.50 netmask 255.255.255.0
I have then added two bridges, for my KVM virtual machine to use.
virbr1 (eth0) ipaddress 192.168.0.51 netmask 255.255.255.0
virbr2 (eth1) ipaddress 192.168.100.51 netmask 255.255.255.0
Both bridges have spanning tree protocol enabled.
In my virtual machine I also have 2 NICs, we'll call them veth0 and veth1 for the sake of argument.
veth0 has ipaddress 192.168.0.103 netmask 255.255.255.000
veth1 has ipaddress 192.168.100.102 netmask 255.255.255.000
I have enabled packet forwarding.
I have added some rules to iptables to enable this box as a virtual router.
Code:
# NAT everything leaving via eth0 (the 192.168.0.0/24 side)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# allow new connections from the eth1 (client) side out through eth0
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# allow only replies to those connections back in
# (this line was cut off at "ACC" in the original; ACCEPT is the only iptables target that matches)
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# default route for the virtual router itself
route add default gw 192.168.0.1
The results are as follows:
I can ping the gateway (192.168.0.1) from the virtual machine, and ping both network cards. I can ping beyond the gateway and can resolve dns names and surf the web.
I now have another machine on my LAN that I want to use my virtual router as its default gateway and DNS server. Then, using Snort, I will monitor traffic on my network, as a kind of IDS. This is the plan.
The other machine on the network, we can call the client and say that it has only 1 nic and ipaddress 192.168.100.105 netmask 255.255.255.000 with a default gateway of 192.168.100.102 and a primary dns server of 192.168.100.102.
This machine can ping the gateway (192.168.100.102) and can ping the NAT router (192.168.0.1), so the virtual router is correctly forwarding and natting the packets.
However I have 2 problems I cannot solve, and would like some help with.
The first problem is that DNS from the client doesn't work.
Wireshark shows that the virtual router is blocking DNS. That is to say, I can see the DNS request come in from 105 > 102 and then 102 sends 105 a destination port unreachable. This is strange as on the virtual router I have allowed port 53 (both TCP and UDP in) using ufw (the virtual router machine is running Ubuntu btw). I have also allowed port 53 (any) out.
The results of iptables -L INPUT give:
Code:
Chain INPUT (policy ACCEPT)
target                    prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input          all  --  anywhere             anywhere
ufw-after-input           all  --  anywhere             anywhere
ufw-after-logging-input   all  --  anywhere             anywhere
ufw-reject-input          all  --  anywhere             anywhere
ufw-track-input           all  --  anywhere             anywhere
The second problem is that my Linux host (the one hosting the virtual router Ubuntu box) can no longer resolve DNS queries. A Wireshark trace shows the DNS query come in on 192.168.0.50, but it then forwards it to 192.168.0.51 (the bridge), which in turn sends it up to the gateway (192.168.0.1), but the response never reaches 192.168.0.50. How can I get 192.168.0.50 to use the default gateway and not the bridge (192.168.0.51)?
Thanks for any help you can give, as I've spent around 2 weeks of evening and weekend time on this and have now really run out of ideas.
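Added diagnostic helpers for the two symptoms above (example code, not from the original post). An ICMP destination port unreachable for UDP/53 is sent by the kernel itself when no socket is bound to that port, and also by an explicit REJECT rule, so the first check separates "no resolver listening on the virtual router" from "firewall rejects it"; the second check flags the host-side mistake of leaving an IPv4 address on eth0 after enslaving it to virbr1, since a bridge port should carry no address of its own. The functions read saved `ss -lun`, `iptables -S` and `ip -o -4 addr` output from files, and the sample captures at the end are constructed.

```shell
# Diagnostic helpers for the two symptoms described in the post. Each function
# reads saved command output from a file, so it can be run against captures
# taken on the virtual router (ss, iptables) or on the CentOS host (ip addr).

# udp_listener PORT SS_FILE  -- SS_FILE holds `ss -lun` output.
# Succeeds if any socket is bound to UDP PORT; if none is, the kernel itself
# answers UDP datagrams to that port with ICMP destination port unreachable.
udp_listener() {
    awk -v p="$1" '$1 == "UNCONN" && $4 ~ (":" p "$") { f = 1 } END { exit !f }' "$2"
}

# rule_for PROTO PORT TARGET IPT_FILE  -- IPT_FILE holds `iptables -S` output.
# Succeeds if some rule matches PROTO/--dport PORT and jumps to TARGET.
rule_for() {
    grep -Eq -- "-p $1 .*--dport $2 .*-j $3( |$)" "$4"
}

# diagnose_udp_port PORT SS_FILE IPT_FILE
# Prints the most likely reason a client sees port unreachable for UDP PORT.
diagnose_udp_port() {
    if ! udp_listener "$1" "$2"; then
        echo "no-listener"
    elif rule_for udp "$1" REJECT "$3" || rule_for udp "$1" DROP "$3"; then
        echo "firewall-blocks"
    elif rule_for udp "$1" ACCEPT "$3"; then
        echo "listener-and-accept-rule"
    else
        echo "listener-no-explicit-rule"
    fi
}

# bridge_port_has_addr IFACE ADDR_FILE  -- ADDR_FILE holds `ip -o -4 addr` output.
# Succeeds if IFACE still carries an IPv4 address. A NIC enslaved to a bridge
# should not: the address belongs on the bridge device (virbr1), otherwise the
# host has two interfaces on the same subnet and replies can take the wrong one.
bridge_port_has_addr() {
    awk -v i="$1" '$2 == i && $3 == "inet" { f = 1 } END { exit !f }' "$2"
}

# Constructed sample captures (not real output from the poster's machines).
tmp=$(mktemp -d)
printf '%s\n' 'State Recv-Q Send-Q Local Address:Port Peer Address:Port' \
    'UNCONN 0 0 0.0.0.0:68 0.0.0.0:*' > "$tmp/ss.txt"           # no :53 socket
printf '%s\n' '-P INPUT ACCEPT' \
    '-A ufw-user-input -p udp -m udp --dport 53 -j ACCEPT' > "$tmp/ipt.txt"
printf '%s\n' '2: eth0 inet 192.168.0.50/24 brd 192.168.0.255 scope global eth0' \
    '3: virbr1 inet 192.168.0.51/24 brd 192.168.0.255 scope global virbr1' > "$tmp/addr.txt"
echo "udp/53 on router: $(diagnose_udp_port 53 "$tmp/ss.txt" "$tmp/ipt.txt")"   # no-listener
bridge_port_has_addr eth0 "$tmp/addr.txt" && echo "eth0 still has an address: move it to virbr1"
```

Replace the constructed files with real captures from the router and host to get the actual classification.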