
Help with Linux Networking


    OK, this is a bit involved, but any Linux networking gurus out there who could cast an experienced eye over my amateurish attempts to set up a virtual Linux router would be greatly appreciated.

    OK, some topology to set the scene:

    I have a NAT router, provided by Sky. Its IP is 192.168.0.1 and it is the default gateway for most interfaces on my LAN.

    I have a Linux box, running CentOS 7, which has 2 NICs. We'll call them eth0 and eth1 for the sake of argument.

    eth0 has an IP address 192.168.0.50 netmask 255.255.255.0
    eth1 has an IP address 192.168.100.50 netmask 255.255.255.0

    I have then added two bridges, for my KVM virtual machine to use.

    virbr1 (eth0) IP address 192.168.0.51 netmask 255.255.255.0
    virbr2 (eth1) IP address 192.168.100.51 netmask 255.255.255.0

    Both bridges have spanning tree protocol enabled.

    In my virtual machine I also have 2 NICs, we'll call them veth0 and veth1 for the sake of argument.

    veth0 has IP address 192.168.0.103 netmask 255.255.255.0
    veth1 has IP address 192.168.100.102 netmask 255.255.255.0

    I have enabled packet forwarding.

    I have added some rules to iptables to enable this box as a virtual router.

    Code:
    # NAT everything leaving on the outside NIC (eth0) behind that NIC's address
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # allow new connections from the inside NIC (eth1) out through eth0
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    # only let replies to existing connections back in from eth0 to eth1
    iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # default route via the Sky router
    route add default gw 192.168.0.1
    I have also added the router IP as the nameserver on eth0, and this appears in /etc/resolv.conf.

    The results are as follows:

    I can ping the gateway (192.168.0.1) from the virtual machine, and ping both network cards. I can ping beyond the gateway, and can resolve DNS names and surf the web.

    I now have another machine on my LAN that I want to use my virtual router as its default gateway and DNS server. Then, using Snort, I will monitor traffic on my network as a kind of IDS. This is the plan.

    The other machine on the network we can call the client, and say that it has only 1 NIC with IP address 192.168.100.105 netmask 255.255.255.0, a default gateway of 192.168.100.102 and a primary DNS server of 192.168.100.102.

    This machine can ping the gateway (192.168.100.102) and can ping the NAT router (192.168.0.1), so the virtual router is correctly forwarding and NATting the packets.

    However, I have 2 problems I cannot solve and would like some help with.

    The first problem is that DNS from the client doesn't work.

    Wireshark shows that the virtual router is blocking DNS. That is to say, I can see the DNS request come in from 105 > 102, and then 102 sends 105 a destination port unreachable. This is strange, as on the virtual router I have allowed port 53 (both TCP and UDP in) using ufw (the virtual router machine is running Ubuntu, btw). I have also allowed port 53 (any) out.

    The results of iptables -L INPUT give:

    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ufw-before-logging-input  all  --  anywhere             anywhere            
    ufw-before-input  all  --  anywhere             anywhere            
    ufw-after-input  all  --  anywhere             anywhere            
    ufw-after-logging-input  all  --  anywhere             anywhere            
    ufw-reject-input  all  --  anywhere             anywhere            
    ufw-track-input  all  --  anywhere             anywhere
    So you can see the default policy is to accept.

    The second problem is that my Linux host (the one hosting the virtual router Ubuntu box) can no longer resolve DNS queries. A Wireshark trace shows the DNS query come in on 192.168.0.50, but it then forwards it to 192.168.0.51 (the bridge), which in turn sends it up to the gateway (192.168.0.1), but the response never reaches 192.168.0.50. How can I get 192.168.0.50 to use the default gateway and not the bridge (192.168.0.51)?

    Thanks for any help you can give, as I've spent around 2 weeks of evening and weekend time on this and have now really run out of ideas.
    Last edited by suityou01; 2 January 2016, 11:29.
    Knock first as I might be balancing my chakras.

    #2
    Have you tried switching it off and on again?

    Comment


      #3
      What version of Ubuntu are you using ? My experience of U12.04 was that dns is tuliped on this system.

      Boo

      Comment


        #4
        Originally posted by Boo View Post
        What version of Ubuntu are you using ? My experience of U12.04 was that dns is tuliped on this system.

        Boo
        XUbuntu 12.04

        DNS is working fine on the box itself.
        Knock first as I might be balancing my chakras.

        Comment


          #5
          Adding the default gw to the bridge as well as the bridged interface solves the DNS problem from the host. I think, to be fair, once you bridge an interface it then sends its packets over the bridge, so essentially its own default gateway becomes defunct. Kind of makes sense in my brain this way.

          The DNS problem on the client remains, but I have a workaround for now, which is to use the NAT router address. Dirty hack, but the IDS is promiscuous and picks up the DNS packets just the same, so the end result is workable.

          If anyone has anything to add (that's vaguely more helpful than the IT Crowd's iconic suggestion) then please pour forth your wisdom.
          Knock first as I might be balancing my chakras.

          Comment
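The two things the first post and post #5 are wrestling with come down to one distinction in the Linux forwarding path: a packet addressed to one of the router's own IPs (the client's DNS query to 192.168.100.102) is delivered to the INPUT chain and then to a local socket, so an ACCEPT policy there only means iptables does not drop it; if nothing is bound to the port, the kernel answers with ICMP port unreachable regardless of any ufw rule. A packet addressed past the router (the workaround of querying 192.168.0.1 directly) takes the FORWARD chain, gets masqueraded, and its reply is matched by conntrack. The following Python model is added here as an illustration of that path; it is not the poster's configuration and not the kernel's implementation. The interface names veth0/veth1, the addresses and the client's source port are taken or assumed from the thread; the FORWARD policy of DROP is an assumption (it is what ufw sets by default).

```python
"""Toy model of the two-NIC virtual router from this thread (added example; not
the poster's code and not the kernel's real implementation).  It models only
what is needed to see why a packet addressed to the router's own IP goes to
the INPUT chain (and needs a listening socket), while a packet addressed past
the router goes through FORWARD, MASQUERADE and conntrack."""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    in_iface: str    # interface the packet arrived on


@dataclass
class Router:
    addrs: dict                       # iface -> "addr/prefix" (names assumed from the thread)
    default_gw: str
    masq_iface: str                   # -o <iface> -j MASQUERADE
    forward_policy: str = "DROP"      # assumption: ufw's default FORWARD policy
    # (in_iface, out_iface, only_established, verdict), evaluated in order
    forward_rules: list = field(default_factory=list)
    listeners: set = field(default_factory=set)     # {(proto, port)} bound sockets
    conntrack: dict = field(default_factory=dict)   # NAT'd 5-tuple -> original src

    def _connected(self, dst):
        """Longest-prefix match against the directly connected networks."""
        d = ipaddress.ip_address(dst)
        best = None
        for iface, cidr in self.addrs.items():
            net = ipaddress.ip_interface(cidr).network
            if d in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
        return best[0] if best else None

    def out_iface(self, dst):
        """Route lookup: connected route first, otherwise via the default gateway."""
        return self._connected(dst) or self._connected(self.default_gw)

    def is_local(self, dst):
        return any(ipaddress.ip_interface(c).ip == ipaddress.ip_address(dst)
                   for c in self.addrs.values())

    def handle(self, pkt):
        """Return a tuple describing where the packet ends up."""
        established = False
        # PREROUTING: a reply to a masqueraded flow has dst == our own outside
        # address, so conntrack must map it back *before* the routing decision,
        # or it would be treated as traffic for the router itself.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            pkt = replace(pkt, dst=self.conntrack[key])
            established = True
        if self.is_local(pkt.dst):
            # INPUT chain.  Policy ACCEPT only means iptables does not drop it;
            # the kernel still answers ICMP port unreachable if nothing is bound.
            if (pkt.proto, pkt.dport) in self.listeners:
                return ("INPUT", "delivered")
            return ("INPUT", "port-unreachable")
        out = self.out_iface(pkt.dst)
        verdict = self.forward_policy
        for r_in, r_out, only_est, r_verdict in self.forward_rules:
            if r_in == pkt.in_iface and r_out == out and (established or not only_est):
                verdict = r_verdict
                break
        if verdict != "ACCEPT":
            return ("FORWARD", "drop")
        if out == self.masq_iface and not established:
            # POSTROUTING MASQUERADE: rewrite src to the outgoing interface's
            # address and remember the flow so the reply can be mapped back.
            nat_src = str(ipaddress.ip_interface(self.addrs[out]).ip)
            self.conntrack[(pkt.proto, nat_src, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
            return ("FORWARD", "masquerade", nat_src)
        return ("FORWARD", "accept", pkt.dst)


def build_router(dns_listener=False):
    """The virtual router as described in the thread (veth0 towards the Sky
    router, veth1 towards the client) with the two FORWARD rules from the post."""
    r = Router(addrs={"veth0": "192.168.0.103/24", "veth1": "192.168.100.102/24"},
               default_gw="192.168.0.1", masq_iface="veth0",
               forward_rules=[("veth1", "veth0", False, "ACCEPT"),
                              ("veth0", "veth1", True, "ACCEPT")])
    if dns_listener:
        r.listeners.add(("udp", 53))   # a resolver actually bound on the router
    return r


if __name__ == "__main__":
    client = "192.168.100.105"
    r = build_router()
    # DNS query to the router's own address: INPUT, no socket -> port unreachable
    print(r.handle(Packet(client, "192.168.100.102", "udp", 40000, 53, "veth1")))
    # DNS query to the Sky router: FORWARD + MASQUERADE
    print(r.handle(Packet(client, "192.168.0.1", "udp", 40000, 53, "veth1")))
    # the reply, de-NATted by conntrack and forwarded back to the client
    print(r.handle(Packet("192.168.0.1", "192.168.0.103", "udp", 53, 40000, "veth0")))
```

Run as-is, the first query returns `("INPUT", "port-unreachable")`, which is the exchange the first post saw in Wireshark: the MASQUERADE and FORWARD rules never see a packet addressed to the router itself, and the INPUT chain's ACCEPT policy does not create a listener. Building the router with `dns_listener=True` (a resolver such as dnsmasq or unbound bound on the router) turns the same packet into `("INPUT", "delivered")`. The query to 192.168.0.1 is forwarded and masqueraded as 192.168.0.103, and its reply is mapped back to 192.168.100.105 by the conntrack entry, which is why the workaround in post #5 works while the IDS still sees the packets on the wire. An unsolicited packet arriving from the outside interface is dropped by the policy because the only outside-to-inside rule requires an established flow.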


            #6
            Does the Sky Router know about the network behind the virtual router? You may need to put a static route into the Sky Router, or enable some sort of routing protocol, OSPF, RIP or something.
            Politicians are wonderful people, as long as they stay away from things they don't understand, like working for a living!

            Comment
