                 ---------------------
  internet -- [enp5s0f0]             |
                 |    workstation    |
                 |            [enp5s0f1] -- ----------
                 ---------------------     | switch |
                                           |        |
                             [lab-nuc-1] --|        |
                             [lab-nuc-2] --|        |
                                           ----------
We'll set up a lab network on subnet 10.0.0.0/24, with the workstation acting as its gateway on enp5s0f1 (enp5s0f0 stays the uplink to the internet).
Add a static configuration for enp5s0f1:
$ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback
auto enp5s0f1
iface enp5s0f1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    # No 'gateway' stanza here: 10.0.0.1 is this host's own address, and its
    # default route already goes out via enp5s0f0.
Ugh, I should probably use systemd. Next time, check out this writeup.
isc-dhcp-server seemed to fit the bill for my needs.
sudo apt-get install isc-dhcp-server
Configure isc-dhcp-server to listen on enp5s0f1:
$ cat /etc/default/isc-dhcp-server | grep INTERFACES
INTERFACESv4="enp5s0f1"
INTERFACESv6="enp5s0f1"
Update the DHCP daemon configuration, /etc/dhcp/dhcpd.conf. Highlights include:
subnet 10.0.0.0 netmask 255.255.255.0 {
    option routers 10.0.0.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    # The pool starts at .2 so the gateway's own address (10.0.0.1) is never handed out.
    range 10.0.0.2 10.0.0.10;
}
authoritative;
The above is enough if you aren't behind a corporate proxy. If you aren't so lucky, you'll also want to set the DNS details explicitly. On the workstation (Bionic), DNS resolution is handled locally by the systemd-resolved stub listener on 127.0.0.53:53. One way to tell that names are being resolved locally is the server shown by nslookup:
$ nslookup google.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: google.com
Address: 172.217.6.78
Name: google.com
Address: 2607:f8b0:4005:80a::200e
Using netstat, I could see "who" is listening on port 53, and thus who is managing DNS:
$ sudo netstat -plunt | grep 127.0.0.53
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 909/systemd-resolve
udp 0 0 127.0.0.53:53 0.0.0.0:* 909/systemd-resolve
For systemd-resolved, the upstream servers it forwards to (the ones the NUCs will need, since they can't reach the stub on 127.0.0.53) are shown per link by the status command:
$ systemd-resolve --status
Global
...
Link 2 (enp5s0f0)
Current Scopes: DNS
LLMNR setting: yes
MulticastDNS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 10.248.2.1
10.22.224.196
10.3.86.116
DNS Domain: jf.intel.com
Use these servers and this domain in our DHCP configuration (/etc/dhcp/dhcpd.conf), copying the addresses exactly as the status output lists them:
option domain-name "jf.intel.com";
option domain-name-servers 10.248.2.1, 10.22.224.196, 10.3.86.116;
Once that is set up, restart dhcpd:
sudo systemctl daemon-reload
sudo systemctl restart isc-dhcp-server
Once you have devices attached, you should see their lease information in /var/lib/dhcp/dhcpd.leases.
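As an added example (not code from the original post), here is a small parser for the dhcpd.leases file just mentioned. It lists which MAC addresses currently hold which leases, keeping only the last record per IP because dhcpd appends rather than rewrites, and flags a lease on the router's own address, which a pool range that starts at 10.0.0.1 would permit. The lease file contents below are constructed, not a real capture.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample of /var/lib/dhcp/dhcpd.leases (not a real capture). dhcpd appends
# records, so the later 10.0.0.2 entry (a renewal) supersedes the earlier one.
SAMPLE_LEASES = """\
lease 10.0.0.2 {
  ends 4 2019/05/16 18:10:00;
  binding state active;
  hardware ethernet 00:1e:06:33:a1:b2;
  client-hostname "lab-nuc-1";
}
lease 10.0.0.2 {
  ends 4 2019/05/16 18:20:00;
  binding state active;
  hardware ethernet 00:1e:06:33:a1:b2;
  client-hostname "lab-nuc-1";
}
lease 10.0.0.1 {
  ends 4 2019/05/16 18:19:00;
  binding state active;
  hardware ethernet 00:1e:06:33:e6:f7;
}
"""

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
FMT = "%Y/%m/%d %H:%M:%S"  # leases-file timestamps are UTC; kept naive and compared as such
FIELD_RE = {
    "ends": re.compile(r"^\s*ends \d (\S+ \S+);", re.M),
    "state": re.compile(r"^\s*binding state (\w+);", re.M),  # skips "next binding state"
    "mac": re.compile(r"hardware ethernet ([0-9a-f:]+);"),
    "host": re.compile(r'client-hostname "([^"]*)";'),
}

def parse_leases(text):
    """Map each IP to its last record in the file (dhcpd appends, so later wins)."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        found = {k: rx.search(body) for k, rx in FIELD_RE.items()}
        rec = {k: m.group(1) if m else None for k, m in found.items()}
        rec["ends"] = datetime.strptime(rec["ends"], FMT) if rec["ends"] else None  # 'ends never;' -> None
        leases[ip] = rec
    return leases

def active_leases(text, now, router="10.0.0.1"):
    """Active, unexpired leases at `now` (UTC, FMT string) as (ip, mac, host, holds_router_ip)."""
    rows = []
    for ip, rec in parse_leases(text).items():
        if rec["state"] == "active" and rec["ends"] and rec["ends"] > datetime.strptime(now, FMT):
            rows.append((ip, rec["mac"], rec["host"], ip == router))
    return sorted(rows, key=lambda r: ip_address(r[0]))
```

A lease whose last record is `binding state free` (released or expired) drops out of the active list, so the report reflects what the server currently believes is on the wire.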
First, enable IPv4 forwarding by uncommenting the appropriate line in /etc/sysctl.conf (it takes effect after `sudo sysctl -p` or a reboot):
$ sudo cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward=1
Next, set up the following iptables rules:
*nat
-A POSTROUTING -o enp5s0f0 -j MASQUERADE
While walking through the POSTROUTING chain of the nat table, packets going out on enp5s0f0 jump to the MASQUERADE target. Masquerade rewrites the sender's address to the router's own IP on that interface (a form of SNAT). Basically, no one "outside" the subnet we created sees the sender's original address, only the gateway's.
*filter
-A FORWARD -i enp5s0f1 -o enp5s0f0 -j ACCEPT
For packets being forwarded from the NUC side (enp5s0f1) toward the internet side (enp5s0f0), take the action "accept".
*filter
-A FORWARD -i enp5s0f0 -o enp5s0f1 -m state --state RELATED,ESTABLISHED -j ACCEPT
For packets being forwarded from the internet side to the NUC side, only accept them if they belong to (or are related to) a connection the NUC already established; unsolicited inbound traffic to the lab subnet is not forwarded.
On my workstation, I run chameleonsocks, which sets up redsocks and a nat table chain, CHAMELEONSOCKS, that redirects non-proxy traffic to the port redsocks listens on. For more details, see the gist on chameleonsocks. We want all of our NUC traffic to go through this chain as well, so our transparent proxy is, well, even more transparent! This can be done by adding a jump in the PREROUTING chain of the nat table to the CHAMELEONSOCKS chain for TCP traffic arriving on the NUC-facing NIC (enp5s0f1). This is carried out by the following rule:
*nat
-A PREROUTING -i enp5s0f1 -p tcp -j CHAMELEONSOCKS
Plug in the ethernet cable.
Boot it.