trying to setup a Proxmox machine that is running 3 vms. it has 3 public ips but these ips are on a single interface (eth0).
the 3 vms are on a bridge (vmbr0) with an address of 172.16.0.1/24
I have enable ip masquerading and forwarding. but I cannot figure out how to make each of the 3 vms (172.16.0.2, 172.16.0.3, 172.16.0.4) route out through a specific one of the public ips.
I have tried the standard iproute with 3 tables setting the gateways and rules but no matter what rule i set the vms still route out through the primary ip.
trouble is the 3 public ips are on complete seperate networks so they each have a different gateway. I know how to use iproute to do this if each public ip was on a seperate physical interface but this machine has all 3 on a single interface and iproute doesn't seem to like that because if I do ip route add default via 23.92.26.1 dev eth0:2 table node2 and then later list everything it shows via eth0. so aparently iproute doesn't like psuedo interfaces. I don't know a lot about iptables and I'm sure theres a way to do this with pure iptables but haven't found anything. all my google searches come up with iproute tables wich like i said don't seem to work with a signle interface.
Thank you in advance
considering ProxMox is running Debian try adding something like the following to your /etc/network/interfaces for each of the extra links
post-up route add -net <network identifier> netmask <netmask> gw <links gateway>
pre-down route del -net <network identifier> netmask <netmask> gw <links gateway>
and then with iptables if you want 172.16.0.2 to go through the second ip do like the following: (this is called Source NAT or SNAT) the --to-source specifies what ip you want the outgoing connections remapped to.
iptables -t nat -A POSTROUTING -s 172.16.0.2/24 -j SNAT --to-source <ip address you want it to go out of>
if you want all incoming connections on the same ip to go to 172.16.0.2 then you would also add the following (this is called Destination NAT or DNAT)
iptables -t nat -A PREROUTING -d <ip/mask bit> -j DNAT --to-destination 172.16.0.2
Question:
(1)3VM - 172.16.0.2, 172.16.0.3, 172.16.0.4
(2)Gateway - 172.16.0.1/24
(3)3 publicIP: $IP_A(gateway $IP_A_G), $IP_B(gateway $IP_B_G), $IP_C(gateway $IP_C_G)
(4)Your aim is every VM use the different public IP to visit outsite , suck as:
VM1(172.16.0.2) ----> $IP_A
VM2(172.16.0.3) ----> $IP_B
VM3(172.16.0.4) ----> $IP_C
So , I think you can use ip route to do this:
(1)In Promox(172.16.0.1)
echo "200 IPA" >> /etc/iproute2/rt_tables
echo "201 IPB" >> /etc/iproute2/rt_tables
echo "202 IPC" >> /etc/iproute2/rt_tables
Reboot Promox once .
(2)Create router
ip route del default table IPA
ip route add default via $IP_A_G table IPA
ip route del default table IPB
ip route add default via $IP_B_G table IPB
ip route del default table IPC
ip route add default via $IP_C_G table IPC
(3)Add route for each VM
ip rule add from 172.16.0.2 lookup IPA pref 200
ip rule add from 172.16.0.3 lookup IPB pref 201
ip rule add from 172.16.0.4 lookup IPC pref 202
ip route flush cache
DONE
Related
I am running a system with the following configuration:
NODE A <-> PROXY <-> SWITCH <-> PROXY <-> NODE B
Where node A and its proxy share a common private network, node b and its proxy share a common private network, and the proxy's are connected to the switch.
I have configured each as such:
#nodeA
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip addr add 192.168.0.1/29 dev enp0s8
iptables -t nat --flush
sudo route add default gw 192.168.0.2 enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
#proxy a
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip link set enp0s9 up
ip addr add 192.167.0.1/26 dev enp0s9
ip addr add 192.168.0.2/29 dev enp0s8
sudo sysctl net.ipv4.ip_forward=1
iptables -t nat --flush
sudo route add default gw 192.167.0.2 enp0s9
sudo ip route add 192.168.0.0/29 via 192.168.0.2 dev enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
#proxy B
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip link set enp0s9 up
ip addr add 192.167.0.2/26 dev enp0s9
ip addr add 192.168.0.10/29 dev enp0s8
sudo sysctl net.ipv4.ip_forward=1
iptables -t nat --flush
sudo route add default gw 192.167.0.1 enp0s9
sudo ip route add 192.168.0.8/29 via 192.168.0.10 dev enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
#node B
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip addr add 192.168.0.9/29 dev enp0s8
iptables -t nat --flush
sudo route add default gw 192.168.0.10 enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy OUTPUT ACCEPT
I then have this simple server client code running on NODE A and NODE B just to have some traffic going through the network:
import socket
import sys
#NODE A - SERVER
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.0.1', 10000)
sock.bind(server_address)
while True:
data, address = sock.recvfrom(4096)
print(data.decode())
import socket
import sys
#NODE B - CLIENT
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.0.1', 10000)
while True:
sock.sendto(input("Message to send:").encode(), server_address)
My question is, how can I, at the proxy level intercept these messages to bring them up to the application level so that I can work with them as to add a layer of encryption for example then send them back out to their destination so that the proxy on the other side can decrypt the message.
Thank you
This is a perfectly good debugging loop:
while True:
data, address = sock.recvfrom(4096)
print(data.decode())
Once you see that the right datagrams are arriving,
that loop will be a natural place to forward datagrams
to your favorite destination.
Ensuring that your listening socket was properly bound can be a tricky thing,
given that you have several addresses and interfaces to worry about.
Consider using $ sudo tcpdump -i en0 udp port 10000 to examine
datagrams in flight, before you even run that debugging loop.
You can use the command on the sending host,
on an intermediate transit host,
and on the destination host.
By viewing $ ifconfig -a you may find that an interface besides en0,
perhaps a tunnel interface, is relevant for reading the packets you're interested in.
Once you know certain packets are flowing,
that tends to make it easier to correctly specify the bind() parameters.
I think you're approaching this from the wrong way around. Namely, if you want to "work with" packets on the proxy, then you don't want to be telling the kernel to do any IP level forwarding
the Linux tun/tap interface would let you do this, see here for an example of how this is used with a VPN. although there are Python packages that help if you really want Python code to be doing the work
as a minor side note, I've generally found it an anti-pattern to put sudo onto basically every line of a script as you have. I'd just run the entire script via sudo and just have the code in it assume this is the case.
I am trying to implement wireless access point on my embedded platform. I have implemented some parts like running wireless card as access point, dhcp server and some forwarding rules (via iptables).
I have tried several iptables commands. results of all are the same. The last one I decided to use is:
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
Access point runs successfully, clients can connect to it and get ip address. However there is DNS problem. Clients could not resolve the hostnames but they can connect via ip addresses.
DHCP configuration is as below:
interface wlan0
start 192.168.7.11
end 192.168.7.20
max_leases 10
option subnet 255.255.255.0
option router 192.168.7.1
#option dns 192.168.7.2 192.168.7.4
option domain local
option lease 864000
lease_file /conf/udhcpd.leases
#pidfile /tmp/udhcpd.pid
For this configuration, If I use 'option dns 8.8.8.8 8.8.4.4' I can resolve the problem but I need to use the dns of the network. Is there any way to forward the dns address 192.168.7.2 to the dns address of the wired network (eg. 192.168.0.2).
I could not find the DNS routing (eg. 192.168.7.2 to 192.168.0.2). But I have found a way to use the DNS address of the embedded platform on clients.
in DHCP server configuration, I used this option:
option dns 192.168.0.2 192.168.0.4 (conf file are generated when access point is started, so the dns addresses are obtained from the system )
after DHCP server is run, I have run these commands to forward dns addresses:
iptables -A FORWARD --in-interface eth1 -m tcp --sport 53 -j ACCEPT
iptables -A FORWARD --in-interface eth1 -m udp --sport 53 -j ACCEPT
I'm using Shorewall.
How do I enable ping to a specific IP address where the zone containing that IP has ping disabled?
in etc/rules....
Suppose you have a zone dmz and in that zone you have the
external ip address of 67.89.164.199 and the internal ip of 10.0.99.10.
That is the external ip DNAT's to 10.0.99.10
The dmz zone doesn't allow pings from the outside.
Here's what to do:
1) DNAT net dmz:10.0.99.10 icmp 8 - 67.89.164.199
or in other words, send all pings "icmp 8" that come to 67.89.164.199 to 10.0.99.10
2) Ping/ACCEPT net dmz:10.0.99.10
i.e. accept Ping
Allow single ip using
iptables -A INPUT -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
Reference http://www.trickylinux.net/ping-single-ip-linux/
I'm trying to test a gateway I wrote(see What's the easiest way to test a gateway? for context). Due to an issue I'd rather not get into, the gateway and "sender" have to be on the same machine. I have a receiver(let's say 9.9.9.9) which the gateway is able to reach.
So I'll run an application ./sendStuff 9.9.9.9 which will send some packets to that IP address.
The problem is: how do I get the packets destined for 9.9.9.9 to go to the gateway on localhost? I've tried:
sudo route add -host 9.9.9.9 gw 127.0.0.1 lo
sudo route add -host 9.9.9.9 gw <machine's external IP address> eth0
but neither of those pass packets through the gateway. I've verified that the correct IPs are present in sudo route. What can I do?
Per request, here is the route table, after running the second command(IP addresses changed to match the question. x.y.z.t is the IP of the machine I'm running this on):
Destination Gateway Genmask Flags Metric Ref Use Iface
9.9.9.9 x.y.z.t 255.255.255.255 UGH 0 0 0 eth0
x.y.z.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
0.0.0.0 <gateway addr> 0.0.0.0 UG 100 0 0 eth0
127.0.0.1 is probably picking up the packets, then forwarding them on their merry way if ipv4 packet forwarding is enabled. If it's not enabled, it will drop them.
If you are trying to forward packets destined to 9.9.9.9 to 127.0.0.1, look into iptables.
Edit: try this:
iptables -t nat -A OUTPUT -d 9.9.9.9 -j DNAT --to-destination 127.0.0.1
That should redirect all traffic to 9.9.9.9 to localhost instead.
I have 20 ips from my isp. I have them bound to a router box running centos. What commands, and in what order, do I set up so that the other boxes on my lan, based either on their mac addresses or 192 ips can I have them route out my box on specific ips. For example I want mac addy xxx:xxx:xxx0400 to go out 72.049.12.157 and xxx:xxx:xxx:0500 to go out 72.049.12.158.
Use iptables to setup NAT.
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 72.049.12.157
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 72.049.12.158
This should cause any ips on the 192.168.0.0 subnet to have an 'external' ip of 72.049.12.157 and those on the 192.168.1.0 subnet to have an 'external' ip of 72.049.12.158. For MAC address matching, use -m mac --mac-source MAC-ADDRESS in place of the -s 192.168.0.0/24 argument
Don't forget to activate ip forwarding:
cat /proc/sys/net/ipv4/ip_forward
If the above returns a 0 then it won't work, you'll have to enable it. Unfortunately this is distro-specific and I don't know CentOS.
For a quick hack, do this:
echo 1 > /proc/sys/net/ipv4/ip_forward
What's the router hardware and software version?
Are you trying to do this with a linux box? Stop now and go get a router. It will save you money long-term.
Answering this question with the little information you gave amounts to rewriting a routing Howto here. You could either
read about routing and IP in general (e.g. Linux System Administrator's Guide) or
give us more info on the exact IP addresses you got.
The above answer using NAT is definately not what you intend to use when you have public IP addresses. This solution is not going to scale well.