@Scott31393
Last active May 3, 2025 03:02

Created Wednesday 28 October 2020

$ sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere   

chain → INPUT, FORWARD, OUTPUT (the chains)

Each chain has a default policy, applied when no rule in the chain matches (INPUT → ACCEPT | OUTPUT → ACCEPT ...)

First INPUT rule: UDP packets from any source to any destination are accepted (udp dpt:domain, i.e. destined to port 53)

$ sudo iptables -L

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

$ iptables -P FORWARD ACCEPT

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere  

NAT table

$ sudo iptables -L -n -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DOCKER     all  --  0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
RETURN     all  --  192.168.122.0/24     224.0.0.0/24        
RETURN     all  --  192.168.122.0/24     255.255.255.255     
MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

ROUTING TABLES

$ route -N
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.165.255.254  0.0.0.0         UG    600    0        0 wlan0  ← default gateway
10.165.0.0      0.0.0.0         255.255.0.0     U     600    0        0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

An app needs to send something to 192.168.122.40 → the destination is matched against the table by a bitwise AND with each route's netmask.
destination 192.168.122.40 & netmask 255.255.255.0 → 192.168.122.0 (matches the virbr0 row)
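The lookup described above, worked through in a small bash script (an added example, not part of the original notes). It uses the rows of the `route -n` output above as a constructed table and applies the same rule the kernel does: AND the destination with each Genmask, compare with Destination, and among the matching rows take the longest prefix. The row layout (Destination Genmask Gateway Iface) and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): route selection done by hand, the way the
# kernel does it: AND the destination with each route's Genmask, compare with Destination,
# and among the matching routes take the one with the longest prefix (most specific).
set -eu

# dotted quad -> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# number of set bits in a netmask = prefix length, used to rank matching routes
mask_len() {
  local m n=0
  m=$(ip2int "$1")
  while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
  echo "$n"
}

# Constructed table: the rows of the `route -n` output above (Destination Genmask Gateway Iface)
ROUTES='0.0.0.0 0.0.0.0 10.165.255.254 wlan0
10.165.0.0 255.255.0.0 0.0.0.0 wlan0
169.254.0.0 255.255.0.0 0.0.0.0 docker0
172.17.0.0 255.255.0.0 0.0.0.0 docker0
192.168.122.0 255.255.255.0 0.0.0.0 virbr0'

# lookup <ip>: prints "<iface> <gateway>" of the most specific matching route
# (gateway 0.0.0.0 means the destination is on a directly connected network)
lookup() {
  local dst best_len=-1 best="" dest mask gw iface d m len
  dst=$(ip2int "$1")
  while read -r dest mask gw iface; do
    [ -z "$dest" ] && continue
    d=$(ip2int "$dest"); m=$(ip2int "$mask")
    if [ $(( dst & m )) -eq "$d" ]; then          # route matches
      len=$(mask_len "$mask")
      if [ "$len" -gt "$best_len" ]; then          # longer prefix wins
        best_len=$len; best="$iface $gw"
      fi
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best"
}

lookup 192.168.122.40   # -> virbr0 0.0.0.0 (192.168.122.40 & 255.255.255.0 = 192.168.122.0)
lookup 8.8.8.8          # -> wlan0 10.165.255.254 (only the default route matches)
```

The default route (Destination 0.0.0.0, Genmask 0.0.0.0) matches everything, which is why it only wins when no more specific row does; this is also why a stray route on docker0 or virbr0 with a wider mask can silently capture traffic you expected to leave via wlan0.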

--------------------

$ sudo iptables -I POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -t nat

(masquerades only the packets coming from the 10.0.0.0/24 source; a /32, e.g. 10.0.0.12/32, → netmask 255.255.255.255, i.e. a single host)
MASQUERADE = NAT rule (source NAT with the address of the outgoing interface)

With the following command the PC starts forwarding packets (it acts as a router that packets can pass through), according to its routing table.

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

SUMMARY

$ iptables -P FORWARD ACCEPT
$ sudo iptables -I POSTROUTING -s 10.0.0.0/24 -j MASQUERADE -t nat
$ sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

TIPS

$ sudo iptables-save > iptable.save
$ sudo iptables-restore < iptable.save

DHCP Server Setup

$ vim /etc/dhcp/dhcpd.conf

line:

# No service will be given on this subnet, but declaring it helps the 
# DHCP server to understand the network topology.

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.11 192.168.1.20; ← lease range
  option routers 192.168.1.2; ← the default gateway, first row of the routing table (it must be the host PC)
  option domain-name-servers 8.8.8.8;
#   option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#   filename="linux.img";
}

If you don't use a DHCP server and assign an IP to the interface by hand, you have to type:

$ route -n
$ ifconfig eth0 10.0.0.20
$ route add default gw 10.0.0.1
$ route -n
$ route del default gw 10.0.0.1

TIPS (WORK)

Setup NAT

One should set up NAT instead:

sudo iptables -P FORWARD ACCEPT
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
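The SUMMARY above and this "Setup NAT" step both open the box with `iptables -P FORWARD ACCEPT`, which forwards between every interface (docker0 and virbr0 included, which is what the DOCKER-ISOLATION chains are there to prevent). The script below is an added example, not part of the original notes: it keeps the FORWARD policy at DROP and allows only LAN → uplink traffic plus the replies, masquerading only that traffic on the uplink. `eth0`, `wlan0` and `10.0.0.0/24` are the values from the notes and are assumptions for your own setup; `run`, `ensure_rule` and `setup_nat` are my own helpers. It defaults to printing the commands (DRY_RUN=1) so you can review them before applying as root.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: the same gateway setup (ip_forward +
# MASQUERADE) but with the FORWARD policy kept at DROP and explicit rules for what may be
# forwarded. Interface names and the 10.0.0.0/24 LAN prefix are taken from the notes above
# and are assumptions for your own setup.
set -eu

# DRY_RUN=1 (the default) only prints the commands; run with DRY_RUN=0 as root to apply them
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ensure_rule <table> <chain> <rule...>: append the rule only if it is not already there.
# `iptables -C` exits 0 when an identical rule exists, so re-running the script
# does not stack duplicate rules.
ensure_rule() {
  local table=$1 chain=$2; shift 2
  if [ "$DRY_RUN" = 1 ]; then
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
      "$table" "$chain" "$*" "$table" "$chain" "$*"
  else
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
  fi
}

# setup_nat <lan_if> <wan_if> <lan_cidr>
setup_nat() {
  local lan_if=$1 wan_if=$2 lan_cidr=$3
  run sysctl -w net.ipv4.ip_forward=1
  # keep the default at DROP: only the two rules below are forwarded, nothing else
  run iptables -P FORWARD DROP
  # LAN -> uplink, only from the LAN prefix
  ensure_rule filter FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_cidr" -j ACCEPT
  # uplink -> LAN only for replies to connections the LAN opened
  ensure_rule filter FORWARD -i "$wan_if" -o "$lan_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # masquerade only LAN traffic that leaves through the uplink
  ensure_rule nat POSTROUTING -s "$lan_cidr" -o "$wan_if" -j MASQUERADE
}

setup_nat eth0 wlan0 10.0.0.0/24
```

Two checks worth doing afterwards: verify the result with `iptables -S` or `iptables -L -v`, because plain `iptables -L` (as in the listings above) hides the `-i`/`-o` interface matches, so rules that look identical there may differ in exactly the field that matters; and persist the rules with the `iptables-save` tip above, since they are lost at reboot (the same goes for `ip_forward`, which needs a sysctl.d entry to survive).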

Assigning an IP

Then you have to assign IP addresses to yourself:

ifconfig eth0 10.0.0.1 netmask 255.255.255.0 up

Install dhcp daemon

Install a dhcp server and add the following text to its config file (in /etc/dhcpd.conf or something similar)

# specify network address and subnetmask
subnet 10.0.0.0 netmask 255.255.255.0 {
    # specify gateway
    option routers 10.0.0.1;
    # specify subnet mask
    option subnet-mask 255.255.255.0;
    # specify the range of lease IP address
    range dynamic-bootp 10.0.0.200 10.0.0.254;
}

Start dhcpd

Then start it with /etc/init.d/dhcpd start, or on systemd-based distributions:

sudo systemctl restart isc-dhcp-server

On the board side:

route add default gw 10.0.0.1
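Both dhcpd.conf snippets above (the 192.168.1.0 one under "DHCP Server Setup" and the 10.0.0.0 one here) depend on the same invariants: the lease range must lie inside the declared subnet, and `option routers` must be the gateway host itself, i.e. inside the subnet but outside the dynamic pool, otherwise clients get a default gateway they cannot reach or one that a random client can be leased. The script below is an added example, not part of the original notes: it checks those invariants and then prints the subnet stanza. The addresses are the ones from the notes; `check_subnet` and `subnet_stanza` are my own helpers.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: emit the dhcpd.conf subnet stanza only
# after checking that the lease range and the router address are consistent with the
# declared subnet. Addresses are the ones used in the notes above.
set -eu

# dotted quad -> 32-bit integer
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# in_subnet <ip> <network> <netmask>: succeeds if ip & netmask == network
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# check_subnet <network> <netmask> <range_start> <range_end> <router>
# prints "ok", or the reason it is wrong (and returns 1)
check_subnet() {
  local net=$1 mask=$2 first=$3 last=$4 router=$5
  in_subnet "$first" "$net" "$mask"  || { echo "range start $first outside $net/$mask"; return 1; }
  in_subnet "$last" "$net" "$mask"   || { echo "range end $last outside $net/$mask"; return 1; }
  [ "$(ip2int "$first")" -le "$(ip2int "$last")" ] || { echo "range start after range end"; return 1; }
  in_subnet "$router" "$net" "$mask" || { echo "router $router outside $net/$mask"; return 1; }
  # the router is the gateway host itself, so it must not be part of the dynamic pool
  if [ "$(ip2int "$router")" -ge "$(ip2int "$first")" ] && [ "$(ip2int "$router")" -le "$(ip2int "$last")" ]; then
    echo "router $router lies inside the lease range"; return 1
  fi
  echo ok
}

# subnet_stanza <network> <netmask> <range_start> <range_end> <router> <dns>
subnet_stanza() {
  check_subnet "$1" "$2" "$3" "$4" "$5" >/dev/null   # aborts (set -e) if the check fails
  cat <<EOF
subnet $1 netmask $2 {
  range $3 $4;
  option routers $5;
  option subnet-mask $2;
  option domain-name-servers $6;
}
EOF
}

# usage: subnet_stanza ... | sudo tee -a /etc/dhcp/dhcpd.conf
#        then validate the whole file with: sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf
subnet_stanza 10.0.0.0 255.255.255.0 10.0.0.200 10.0.0.254 10.0.0.1 8.8.8.8
```

`dhcpd -t -cf <file>` parses the configuration without serving and is the cheap check to run before every restart; dhcpd itself also refuses a range that is not on the declared subnet, but it will happily hand out a router address that is unreachable or that sits inside the pool, which is what the script guards against.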

End
