How to configure a simple router with iptables in Ubuntu

If you have a server with two network cards, you can set a simple router that NATs a private range to a public one, by simply installing iptables and configuring it. This time…

I learned how to configure a simple router with iptables in Ubuntu

Scenario

  1. I have one server with two NICs: eth0 and eth1, and several servers that have at least one NIC (e.g. eth1).
  2. The eth0 NIC is connected to a public network, with IP 111.22.33.44
  3. I want that the other servers have access to the public network through the main server.

How to do it

I will make it using IPTables, so I need to install IPTables

$ apt-get install iptables

My main server has the IP address 10.0.0.1 in eth1. The other servers also have their IPs in the range of 10.0.0.x (either using static IPs or DHCP).

Now I will create some iptables rules in the server, by adding these lines to /etc/rc.local file just before the exit 0 line.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
iptables -A FORWARD -d 10.0.0.0/24 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 -i eth1 -j ACCEPT

These rules mean that:

  1. I want to forward traffic
  2. The traffic that comes from the network 10.0.0.x and is not directed to the network gains access to the internet through NAT.
  3. We forward the traffic from the connections made from the internal network to the origin IP.
  4. We accept the traffic that cames from the internal network and goes to the internal network.

Easier to modify

Here it is a script that you can use to customize the NAT for your site:

ovsnode01:~# cat > enable_nat <<\EOF
#!/bin/bash
IFACE_WAN=eth0
IFACE_LAN=eth1
NETWORK_LAN=10.0.0.0/24

case "$1" in
start)
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $IFACE_WAN -s $NETWORK_LAN ! -d $NETWORK_LAN -j MASQUERADE
iptables -A FORWARD -d $NETWORK_LAN -i $IFACE_WAN -o $IFACE_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $NETWORK_LAN -i $IFACE_LAN -j ACCEPT
exit 0;;
stop)
iptables -t nat -D POSTROUTING -o $IFACE_WAN -s $NETWORK_LAN ! -d $NETWORK_LAN -j MASQUERADE
iptables -D FORWARD -d $NETWORK_LAN -i $IFACE_WAN -o $IFACE_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -D FORWARD -s $NETWORK_LAN -i $IFACE_LAN -j ACCEPT
exit 0;;
esac
exit 1
EOF
ovsnode01:~# chmod +x enable_nat
ovsnode01:~# ./enable_nat start

Now you can use this script in the ubuntu startup. Just move it to /etc/init.d and issue the next command:

update-rc.d enable_nat defaults 99 00
Advertisements

How to disable IPv6 in Ubuntu 14.04

I am tired of trying to update Ubuntu and see that it is trying to use the IPv6 that hangs the installation (ocasionally forever). My solution still is to disable IPv6 until it is properly used, so this time…

I learned how to disable IPv6 in Ubuntu 14.04

There are a lot of resources on how to disable IPv6 in Ubuntu 14.04, and this is yet another one (but this is mine).

It is as easy as

$ sudo su -
$ cat >> /etc/sysctl.conf << EOT
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOT
$ sysctl -p

To check if it has worked, you can issue a command like

$ cat /proc/sys/net/ipv6/conf/all/disable_ipv6

If it returns 1, it has been properly disabled. Otherwise try to reboot and check it again.

How to create unprivileged LXC containers in Ubuntu 14.04

I am used to use LXC containers in Ubuntu. But I usually run them under the root user. I think that this is a bad practise, and I want to run them using my user. The answer is: unprivileged containers and this time…

I learned how to create unprivileged LXC containers in Ubuntu 14.04

My prayers were answered very soon and I found a very useful resource from Stéphane Graber (which is the LXC and LXD project leader at Canonical). I am summarizing the steps here, as they have been made by me, but his post is plenty of useful information, and I really recommend reading it to know what is going on.

Starting point…

I had a working Ubuntu 14.04.4 LTS installation, and a working LXC 2.0.0 installation. I was already able to run privileged containers by issuing commands like

$ sudo lxc-start -n mycontainer

 

If you need info about installing LXC 2, please go to this link, but it is possible that you do not need my post, yet.

First we set up the uid and gid mappings

calfonso@mmlin:~$ sudo usermod --add-subuids 100000-165536 calfonso
calfonso@mmlin:~$ sudo usermod --add-subgids 100000-165536 calfonso

Now we authorize our user to bridge devices to lxcbr0 (with a maximum quota of 10 bridges; you can set the number that best fits to you)

calfonso@mmlin:~$ sudo bash -c 'echo "calfonso veth lxcbr0 10" >> /etc/lxc/lxc-usernet'

Now let lxc access our home folder, because it needs to read the configuration file

calfonso@mmlin:~$ sudo chmod +x $HOME

And create the configuration file (you can set your values for the bridges to which you have allowed the access in the configuration file, mac addresses, etc.)

calfonso@mmlin:~$ mkdir -p $HOME/.config/lxc
calfonso@mmlin:~$ cat >> ~/.config/lxc/default.conf << EOT
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
EOT

And finally we are ready to create the unprivileged container

calfonso@mmlin:~$ lxc-create -t download -n myunprivilegedcont -- -d ubuntu -r xenial -a amd64

And that’s all 🙂

(*) Remember that you can still use privileged containers by issuing lxc-* commands using “sudo”

Recommended information

If you want to know more about the uidmap, gidmap, how the bridging permissions work, etc., I recommend you to read this post.