2. Network Configuration

2.1. Ethernet port general parameter configuration

2.1.1. View Ethernet general parameters

Common Ethernet parameters include auto-negotiation, duplex mode and interface speed. View them with:

ethtool eth0

2.1.2. Configure Ethernet general parameters

2.1.2.1. Enable or disable auto-negotiation

ethtool -s port_name autoneg { on | off }

2.1.2.2. Modify duplex mode

ethtool -s port_name duplex { half | full }

Notice:

  • When the Ethernet interface works in auto-negotiation mode, the duplex mode is negotiated with the peer interface by default.

  • When the Ethernet interface works in non-auto-negotiation mode, the duplex mode is full-duplex by default.

2.1.2.3. Modify rate

ethtool -s port_name speed { 10 | 100 | 1000 }

Notice:

  • When an Ethernet interface works in auto-negotiation mode, the interface rate is negotiated with the peer interface by default.

  • When an Ethernet interface works in non-auto-negotiation mode, the default interface rate is the maximum interface rate supported by the interface.

2.1.3. Configuration example

Manually set the interface rate of eth0 to 100 and full-duplex mode:

ethtool -s eth0 autoneg off
ethtool -s eth0 speed 100
ethtool -s eth0 duplex full

2.2. Manage the network with Netplan

Netplan is a utility for easily configuring networking on Linux systems. You create a YAML description of the desired network interfaces and the functions to be configured on each; from this description Netplan generates all the configuration needed by the renderer (backend) tool of your choice. It is supported in Ubuntu 18.04 and above.

2.2.1. Configuration

To configure Netplan, save a configuration file with a .yaml extension in /etc/netplan/ (e.g. /etc/netplan/config.yaml), then run sudo netplan apply. This command parses the configuration and applies it to the system.

Notice:

  • If netplan apply reports an error, the YAML configuration file is not accepted by the system; check it carefully.

  • For an Ethernet port, make sure a network cable is connected and the link light on the network card is flashing; otherwise the Netplan configuration will not take effect.

The following configurations cover the most common scenarios. For more configuration examples, see the official Netplan examples.

2.2.2. Basic configuration

Netplan supports two network backends (renderers), networkd and NetworkManager; networkd is generally used:

network:
  version: 2
  renderer: networkd

If networkd is not available, NetworkManager can be used in exactly the same way:

network:
  version: 2
  renderer: NetworkManager

2.2.3. Ethernet Connection: Dynamic IP

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes
    eth1:
      dhcp4: yes

2.2.4. Ethernet Connection: Static IP

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - 10.10.10.3/24
      nameservers:
        addresses: [202.96.128.86]
      routes:
        - to: 0.0.0.0/0
          via: 10.10.10.1
    
    eth1:
      addresses:
        - 10.10.10.2/24
      nameservers:
        addresses: [202.96.128.86]
      routes:
        - to: 0.0.0.0/0
          via: 10.10.10.1

2.2.5. WIFI connection: static IP

network:
  version: 2
  renderer: networkd
  wifis:
    wlan0:
      dhcp4: no
      dhcp6: no
      addresses: [192.168.1.200/24]
      nameservers:
        addresses: [202.96.128.86]
      access-points:
        "NETGEAR25":
            password: "ceshizhuanyong"
      routes:
        - to: 0.0.0.0/0
          via: 192.168.1.1

2.2.6. WIFI connection: dynamic IP

network:
  version: 2
  renderer: networkd
  wifis:
    wlan0:
      dhcp4: yes
      access-points:
        "NETGEAR25":
            password: "ceshizhuanyong"

2.3. Manage network with nmcli

nmcli is a command line tool for managing NetworkManager network connections.

2.3.1. Common commands

  • Show all connections

    nmcli connection show
    
  • Display information about a connection

    nmcli connection show connection_name
    
  • Display the list of network devices, their status, and the connection using each device

    nmcli device
    
  • Activate a connection

    nmcli connection up connection_name
    
  • Deactivate a connection

    nmcli connection down connection_name
    
  • Delete a connection

    nmcli connection del connection_name
    

2.3.2. Ethernet Connection: Static IP

Assume that the Ethernet network card is eth0, the IP address is 192.168.1.10/24, the default gateway is 192.168.1.1 and the DNS server is 202.96.128.86.

  1. Add a new connection for the Ethernet connection

    nmcli connection add con-name Example-Connection ifname eth0 type ethernet
    
  2. Set IPv4 address

    nmcli connection modify Example-Connection ipv4.addresses 192.168.1.10/24
    
  3. Set the IPv4 connection method to manual

    nmcli connection modify Example-Connection ipv4.method manual
    
  4. Set IPv4 default gateway

    nmcli connection modify Example-Connection ipv4.gateway 192.168.1.1
    
  5. Set IPv4 DNS server address

    nmcli connection modify Example-Connection ipv4.dns "202.96.128.86"
    
  6. Activate the connection

    nmcli connection up Example-Connection
    

2.3.3. Ethernet Connection: Dynamic IP

  1. Add a new connection for the Ethernet connection

    nmcli connection add con-name Example-Connection ifname eth0 type ethernet
    
  2. Activate the connection

    nmcli connection up Example-Connection
    

2.3.4. WIFI connection: dynamic IP

  1. Make sure Wi-Fi is enabled (it is by default):

    nmcli radio wifi on
    
  2. Refresh the list of available Wi-Fi connections:

    nmcli device wifi rescan
    
  3. View available Wi-Fi access points:

    nmcli dev wifi list
    
    IN-USE SSID MODE CHAN RATE SIGNAL BARS SECURITY
    ...
            MyCafe Infra 3 405 Mbit/s 85 ▂▄▆█ WPA1 WPA2
    
  4. Connect to the Wi-Fi connection using nmcli:

    nmcli dev wifi connect SSID-Name password wireless-password
    

    For example:

    nmcli dev wifi connect MyCafe password wireless-password
    

    Note: to turn Wi-Fi off:

    nmcli radio wifi off
    

2.4. Quickly create a wireless AP hotspot

2.4.1. No requirement on the IP segment of the wireless hotspot LAN

In this case, just create the wireless AP hotspot with the nmcli command:

nmcli device wifi hotspot ifname wlan0 con-name MyHostspot ssid MyHostspotSSID password 12345678

Description:

  • con-name: connection name, here set to MyHostspot (customizable)

  • ssid: name of the AP hotspot created, here set to MyHostspotSSID (customizable)

  • password: password of the AP hotspot created, here set to 12345678 (customizable)

2.4.2. Requirements on the IP segment of the wireless hotspot LAN

Please read the chapter “Create bridged wireless AP hotspot”.

2.5. Create bridged wireless AP hotspot

2.5.1. Functional Requirements

Suppose there is a local area network with network segment 10.10.0.0 and mask 255.255.255.0. Firefly’s development board (hereinafter Firefly Board) obtains a dynamic IP address on this LAN, 10.10.0.2, from the router (Router) through its network port.

Requirement: configure the system as a soft router, specifically:

(1) Firefly Board opens a wireless AP hotspot; peripherals such as tablets and mobile phones connect to it and reach the Internet through it.

(2) The LAN address of the wireless hotspot opened by Firefly Board is 192.168.4.1.

(3) If Firefly Board has multiple network ports, eth0 acts as the WAN port and obtains its IP address automatically from the router, and eth1 acts as the LAN port and can assign IP addresses in the 192.168.4.0/24 segment.

The network topology is as follows:

[Figure: _images/wifi-bridge-topology.png]

2.5.2. Install the necessary software packages for managing AP hotspots

Install hostapd, which implements the soft AP and is therefore required for this function:

apt install hostapd

Enable hostapd to start on boot so that the wireless AP hotspot comes up automatically after a restart:

systemctl unmask hostapd
systemctl enable hostapd

Install isc-dhcp-server, which automatically assigns IP addresses and DNS server addresses to devices connected to the wireless AP:

apt install isc-dhcp-server

Enable isc-dhcp-server to start on boot:

systemctl enable isc-dhcp-server

Install netfilter-persistent and iptables-persistent, used to save the firewall rules:

apt install netfilter-persistent iptables-persistent

Install bridge-utils, used to create virtual bridges:

apt install bridge-utils

2.5.3. Configure Netplan

The goal is to create a bridge br0 with bridge IP 192.168.4.1, let eth0 obtain an IP address from DHCP, stop the system from assigning an IP address to eth1, and bind eth1 to the bridge br0.

Suppose the Netplan configuration file is /etc/netplan/netplan.yaml with the following content:

network:
        version: 2
        renderer: networkd
        ethernets:
                eth0:
                        dhcp4: yes
                eth1:
                        dhcp4: no

        bridges:
                br0:
                        dhcp4: no
                        addresses:
                                - 192.168.4.1/24
                        interfaces:
                                - eth1

Then run the following command to enable network configuration:

netplan apply

2.5.4. Configure hostapd

Create the hostapd.conf configuration file, which sets the name, password, channel and other properties of the wireless hotspot:

vim /etc/hostapd.conf

Write the following in it:

country_code=CN
interface=wlan0
bridge=br0
ssid=Example-Wifi-Name
hw_mode=g
channel=11
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=12345678
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Important parameter description:

  • country_code: country code; China uses CN

  • interface: the wireless network card on which the wireless AP hotspot is opened

  • bridge: bind to the br0 bridge, so that the wireless AP hotspot and the Ethernet port are in the same LAN

  • hw_mode: wireless mode

  • channel: channel

  • ssid: wireless AP name, here set to Example-Wifi-Name

  • wpa_passphrase: wireless AP password, here set to 12345678

  • wpa=2, wpa_key_mgmt=WPA-PSK: WPA2 with a pre-shared key

  • wpa_pairwise / rsn_pairwise: pairwise ciphers for WPA (TKIP) and WPA2 (CCMP) respectively; since wpa=2 enables WPA2 only, rsn_pairwise=CCMP is the cipher actually used and the wpa_pairwise=TKIP line has no effect

A full hostapd.conf can be considerably more complicated: hw_mode supports modes such as a and g, and the valid channels depend on hw_mode, country_code and so on. If more automated and fine-grained configuration of these wireless parameters is required, the OpenWRT soft-router system can be used instead of Ubuntu.

Next, configure the global configuration file of hostapd:

vim /etc/default/hostapd

Uncomment DAEMON_CONF and set it to the /etc/hostapd.conf created above:

# Defaults for hostapd initscript
#
# See /usr/share/doc/hostapd/README.Debian for information about alternative
# methods of managing hostapd.
#
# Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration
# file and hostapd will be started during system boot. An example configuration
# file can be found at /usr/share/doc/hostapd/examples/hostapd.conf.gz
#
DAEMON_CONF="/etc/hostapd.conf"

# Additional daemon options to be appended to hostapd command:-
# -d show more debug messages (-dd for even more)
# -K include key data in debug messages
# -t include timestamps in some debug messages
#
# Note that -B (daemon mode) and -P (pidfile) options are automatically
# configured by the init.d script and must not be added to DAEMON_OPTS.
#
#DAEMON_OPTS=""

Restart the hostapd service:

systemctl restart hostapd

At this point, a phone or other device can already see an open wireless AP hotspot named “Example-Wifi-Name”, but a device that connects cannot be assigned an IP address yet and is disconnected immediately.

2.5.5. Configure isc-dhcp-server

isc-dhcp-server acts as the DHCP server and automatically assigns IP addresses and DNS server addresses to devices connected to the wireless AP, such as Laptop1 and Laptop2 in the topology diagram.

Edit /etc/dhcp/dhcpd.conf:

vim /etc/dhcp/dhcpd.conf

Replace its contents with the following:

# Specify the DNS address for the device, use "," to separate multiple DNS
option domain-name-servers 202.96.128.86,202.96.128.166,8.8.8.8,114.114.114.114;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none; ddns-updates off;

subnet 192.168.4.0 netmask 255.255.255.0 {
    range 192.168.4.2 192.168.4.200;
    option routers 192.168.4.1;
    option broadcast-address 192.168.4.255;
    option subnet-mask 255.255.255.0;
}

Important parameter description:

  • domain-name-servers: DNS server address list, assign DNS for devices connected to the 192.168.4.0/24 network segment

  • subnet 192.168.4.0 netmask 255.255.255.0: defines the subnet segment 192.168.4.0/24

  • range 192.168.4.2 192.168.4.200: assigned IP address range

  • option routers 192.168.4.1: default route

  • option broadcast-address 192.168.4.255: broadcast address

  • option subnet-mask 255.255.255.0: subnet mask

Restart isc-dhcp-server for the configuration to take effect:

systemctl restart isc-dhcp-server
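As an added check (not part of the Firefly documentation, hostapd or isc-dhcp-server), the following shell functions generate the hostapd.conf of 2.5.4 from its variable parts and validate, together with the dhcpd.conf pool of 2.5.5, the values the daemons would reject or that would weaken the hotspot; the interface and bridge names wlan0 and br0 are those of this page, and the function names are ours.

```shell
#!/bin/sh
# Added example (not part of the Firefly documentation or of hostapd/isc-dhcp-server):
# build the hostapd.conf of 2.5.4 from a few parameters and sanity-check them, plus the
# dhcpd.conf pool of 2.5.5, before the services are restarted.

# valid_ssid NAME: an SSID is 1..32 bytes
valid_ssid() {
    n=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$n" -ge 1 ] && [ "$n" -le 32 ]
}

# valid_passphrase PASS: a WPA-PSK passphrase is 8..63 printable ASCII characters
# (hostapd refuses to start otherwise; a long passphrase resists offline guessing better)
valid_passphrase() {
    n=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] &&
        printf '%s' "$1" | LC_ALL=C grep -q '^[[:print:]]*$'
}

# valid_channel_g CHANNEL: hw_mode=g under country_code=CN allows channels 1..13
valid_channel_g() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 13 ]
}

# gen_hostapd_conf SSID PASSPHRASE CHANNEL: print a WPA2-only hostapd.conf on stdout.
# wpa=2 disables WPA1, so the wpa_pairwise=TKIP line of the page's file is never used
# and is left out here; rsn_pairwise=CCMP is the cipher that actually applies.
gen_hostapd_conf() {
    valid_ssid "$1"       || { echo "ssid must be 1-32 bytes" >&2; return 1; }
    valid_passphrase "$2" || { echo "passphrase must be 8-63 printable ASCII chars" >&2; return 1; }
    valid_channel_g "$3"  || { echo "channel must be 1-13 for hw_mode=g" >&2; return 1; }
    cat <<EOF
country_code=CN
interface=wlan0
bridge=br0
ssid=$1
hw_mode=g
channel=$3
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=$2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
}

# ip2int A.B.C.D: dotted quad to an integer (printf %.0f keeps awk from printing 3.2e+09)
ip2int() {
    printf '%s' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# in_subnet IP NETWORK NETMASK: true when IP & NETMASK == NETWORK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# check_dhcp_range NETWORK NETMASK FIRST LAST ROUTER: the pool handed out by dhcpd.conf and
# the router it advertises must all lie inside the declared subnet, and FIRST <= LAST.
check_dhcp_range() {
    in_subnet "$3" "$1" "$2" && in_subnet "$4" "$1" "$2" && in_subnet "$5" "$1" "$2" &&
        [ "$(ip2int "$3")" -le "$(ip2int "$4")" ]
}

# Stand-alone run with the values of the page's hostapd.conf and dhcpd.conf
gen_hostapd_conf Example-Wifi-Name 12345678 11
check_dhcp_range 192.168.4.0 255.255.255.0 192.168.4.2 192.168.4.200 192.168.4.1 &&
    echo "dhcp pool 192.168.4.2-192.168.4.200 lies inside 192.168.4.0/24"
```

Redirect the output of gen_hostapd_conf to /etc/hostapd.conf and run the range check against the subnet block of /etc/dhcp/dhcpd.conf before restarting the two services.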

2.5.6. Enable IP forwarding

After the above configuration, devices connected to eth1 and devices connected to the wireless AP hotspot obtain IP addresses in the 192.168.4.0/24 segment, can ping 192.168.4.1, and the DNS server address they received can be checked on the device. However, the devices cannot access the Internet yet.

Enable IP forwarding:

sysctl -w net.ipv4.ip_forward=1

Set up MASQUERADE (address masquerading). MASQUERADE works much like SNAT, but it does not need an explicit IP to be specified: it dynamically rewrites the packet's source address to the address currently available on the specified network card.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Note that eth0 is specified here, so all IP packets leaving Firefly Board for the outside are sent through eth0 and the peripherals can reach the Internet. Any other network card with external connectivity can be specified instead, such as a 4G modem interface usb0 or wwan0, and so on.

Now save the current firewall rules for IPv4 (including the rules above) and IPv6 to be loaded by the netfilter-persistent service at startup:

netfilter-persistent save

2.6. Configure IP address and routing using ip and netplan

2.6.1. Static IP address configuration

Multiple IP addresses can be configured on one network interface at the same time; they may or may not belong to the same network. The first IP address configured is the interface's primary IP address by default, and those configured later are its secondary IP addresses.

2.6.1.1. Common IP configuration commands:

# Set the IP address of the interface
ip address add PREFIX [ broadcast ADDR ] dev IFNAME

# Delete the IP address of the interface
ip address del PREFIX dev IFNAME

# View the IP address of the interface
ip address show/list [ dev IFNAME ]

# Clear all IP addresses of the interface
ip address flush [dev IFNAME]

2.6.1.2. Configuration example:

Configure eth0 with primary IP 192.168.2.2 and secondary IP 192.168.2.3:

  • Temporary configuration

    ip address add 192.168.2.2/24 dev eth0
    ip address add 192.168.2.3/24 dev eth0
    
  • Persistent configuration: use Netplan

    network:
      version: 2
      renderer: networkd
      ethernets:
        eth0:
          dhcp4: no
          addresses:
              - 192.168.2.2/24
              - 192.168.2.3/24
    

2.6.2. Dynamic IP address configuration

Operating systems generally assign IP addresses to network interfaces automatically. On a buildroot system, the dhcpcd service sends a DHCP request to the DHCP server (most likely your router) to request an IP address for the interface. On Ubuntu systems, NetworkManager does this.

  • Temporary configuration

    udhcpc -i eth0/eth1
    
    # or
    dhclient eth0/eth1
    
  • Persistent configuration: use netplan

    network:
      version: 2
      renderer: networkd
      ethernets:
        eth0:
          dhcp4: yes
    

2.6.3. Static routing configuration

The opposite of static routing is dynamic routing, which includes OSPF and RIP; these two protocols run only on routers. For a non-router device, if a destination network segment cannot be reached directly, a static route must be configured to tell the device the destination network segment, the outgoing interface and the next hop IP address.

2.6.3.1. Common configuration commands:

# View routing table
route -n
# or
netstat -rn

# Add IP static route
ip route add PREFIX via ADDRESS dev IFNAME [ metric METRIC ]

# delete IP static route
ip route del PREFIX via ADDRESS dev IFNAME [metric METRIC]

# clear IP route
ip route flush dev IFNAME

2.6.3.2. Configuration example:

Assume the network topology below. Router1 and Router2 in the figure are our development boards running Ubuntu. For Router1, the segments 192.168.2.0/24 and 192.168.3.0/24 are directly connected, so PC-A can reach both 192.168.2.0/24 and 192.168.3.0/24 without any problem, but it cannot reach 192.168.4.0/24, because that segment is invisible to Router1. A static route must be configured on Router1 saying that the destination segment 192.168.4.0/24 is reached via next hop 192.168.3.2 through outgoing interface eth1 of Router1. Similarly, for Router2 the segments 192.168.3.0/24 and 192.168.4.0/24 are directly connected, and PC-B cannot reach 192.168.2.0/24; a static route must be configured on Router2 saying that the destination network 192.168.2.0/24 is reached via next hop 192.168.3.1 through outgoing interface eth1 of Router2.

[Figure: _images/router1-20220629170401-d8fx48i.png]

  • Temporary configuration

    • For Router1:

      # Enable IP forwarding
      echo 1 > /proc/sys/net/ipv4/ip_forward
      
      # Set the IP address of eth0, eth1
      ip addr add 192.168.2.1/24 dev eth0
      ip addr add 192.168.3.1/24 dev eth1
      
      # configure static routes
      ip route add 192.168.4.0/24 via 192.168.3.2 dev eth1
      
    • For Router2:

      # Enable IP forwarding
      echo 1 > /proc/sys/net/ipv4/ip_forward
      
      # Set the IP address of eth0, eth1
      ip addr add 192.168.4.1/24 dev eth0
      ip addr add 192.168.3.2/24 dev eth1
      
      # configure static routes
      ip route add 192.168.2.0/24 via 192.168.3.1 dev eth1
      
  • Persistent configuration

    • For Router1 and Router2, execute the following commands to permanently enable IP forwarding

      sysctl -w net.ipv4.ip_forward=1
      
    • For Router1, configure Netplan

      network:
              version: 2
              renderer: networkd
              ethernets:
                      eth0:
                              addresses:
                                      - 192.168.2.1/24
                      eth1:
                              addresses:
                                      - 192.168.3.1/24
                              routes:
                                      - to: 192.168.4.0/24
                                        via: 192.168.3.2
      
    • For Router2, configure Netplan

      network:
              version: 2
              renderer: networkd
              ethernets:
                      eth0:
                              addresses:
                                      - 192.168.4.1/24
                      eth1:
                              addresses:
                                      - 192.168.3.2/24
                              routes:
                                      - to: 192.168.2.0/24
                                        via: 192.168.3.1
      

2.6.4. Default routing configuration

  • Temporary configuration

    The operating system automatically assigns a default route to an interface that obtains its IP address dynamically through DHCP. For a static IP address configuration, the default route must be set manually.

    Taking the example above again, and assuming that PC-A runs Linux, configure it as follows:

    # Configure the network card IP, assuming its network card is eth0
    ip addr add 192.168.2.2/24 dev eth0
    
    # configure default route
    ip route add 0.0.0.0/0 via 192.168.2.1 dev eth0
    
  • Persistent configuration: use Netplan

    network:
            version: 2
            renderer: networkd
            ethernets:
                    eth0:
                            addresses:
                                    - 192.168.2.2/24
                            routes:
                                    - to: 0.0.0.0/0
                                      via: 192.168.2.1
    

2.6.5. Adjust default routing order

On a development board with two network ports, if both ports obtain their IP addresses through DHCP, the operating system creates two default routes, one per port; the port whose cable was plugged in first, or which obtained its IP first, gets the higher routing priority. In the listing below there are two default routes, and the default route of eth0 has a higher priority (lower metric) than that of eth1, which means that by default the board communicates through eth0.

root@firefly:~# ip route list
default via 168.168.0.1 dev eth0 proto dhcp metric 100
default via 168.168.0.1 dev eth1 proto dhcp metric 101
168.168.0.0/16 dev eth0 proto kernel scope link src 168.168.110.72 metric 100
168.168.0.0/16 dev eth1 proto kernel scope link src 168.168.110.111 metric 101

2.6.5.1. Configuration example:

Suppose the network segment of Wireless Router1 is 192.168.3.0/24 and that of Wireless Router2 is 192.168.2.0/24, and both eth0 and eth1 of Firefly Board obtain their IP addresses dynamically. If eth0's default route has a higher priority than eth1's, communication goes through eth0's default route; since the network eth0 is on has no external connection, Firefly Board cannot access the Internet. This is solved by changing the priority of the default routes.

[Figure: _images/router2-20220630162119-lgcya9l.png]

The Netplan configuration is as follows: the metric of eth1 is smaller than that of eth0, and the smaller the value, the higher the priority.

network:
        version: 2
        ethernets:
                eth0:
                        dhcp4: yes
                        dhcp4-overrides:
                                route-metric: 200
                eth1:
                        dhcp4: yes
                        dhcp4-overrides:
                                route-metric: 100
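To check which default route the kernel will actually use before and after the override, the following added shell functions (not part of the Firefly documentation) pick the lowest-metric default entry out of ip route list output; the two route tables are constructed samples, the first copied from the listing above and the second what the two-router scenario looks like after the override.

```shell
#!/bin/sh
# Added example (not part of the Firefly documentation): find the default route the kernel uses,
# i.e. the "default" entry with the lowest metric, from "ip route list" output.

# Constructed sample: the table shown above, eth0 (metric 100) wins over eth1 (metric 101)
ROUTES_BEFORE='default via 168.168.0.1 dev eth0 proto dhcp metric 100
default via 168.168.0.1 dev eth1 proto dhcp metric 101
168.168.0.0/16 dev eth0 proto kernel scope link src 168.168.110.72 metric 100
168.168.0.0/16 dev eth1 proto kernel scope link src 168.168.110.111 metric 101'

# Constructed sample: the two-router scenario after the dhcp4-overrides above are applied
# (eth0 on Wireless Router1 192.168.3.0/24 at metric 200, eth1 on Wireless Router2 at metric 100)
ROUTES_AFTER='default via 192.168.3.1 dev eth0 proto dhcp metric 200
default via 192.168.2.1 dev eth1 proto dhcp metric 100
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.10 metric 200
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.10 metric 100'

# default_routes TABLE: print "metric gateway dev" for every default route, lowest metric first.
# A route without a "metric" word has metric 0, the highest priority.
default_routes() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            metric = 0; gw = "-"; dev = "-"
            for (i = 2; i <= NF; i++) {
                if ($i == "via")    gw = $(i + 1)
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            printf "%d %s %s\n", metric, gw, dev
        }' | sort -n -k1,1
}

# preferred_default_iface TABLE: the interface the kernel sends unknown destinations through
preferred_default_iface() {
    default_routes "$1" | awk 'NR == 1 { print $3 }'
}

# default_metric TABLE DEV: metric of DEV's default route, empty if DEV has none
default_metric() {
    default_routes "$1" | awk -v d="$2" '$3 == d { print $1 }'
}

# Stand-alone run; on the board itself use: preferred_default_iface "$(ip route list)"
echo "before override: $(preferred_default_iface "$ROUTES_BEFORE")"
echo "after override:  $(preferred_default_iface "$ROUTES_AFTER")"
```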

2.7. iptables NAT configuration

Network address translation (NAT) translates between private IP addresses and public IP addresses.

On Linux, NAT is divided into SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation). SNAT, source address translation, is used when a private-network host initiates communication with an external host: before the IP packet reaches the external network, its source IP is changed to the IP address of the router or firewall, so the external host never learns the private address of the internal host. DNAT, destination address translation, is used when external hosts need to reach a network service provided by an internal host, such as HTTP: when the IP packet reaches the router or firewall, its destination IP is changed to the private IP of the host providing the service.

2.7.1. Common commands

SNAT and DNAT are implemented by configuring the nat table of iptables:

# View nat rules
iptables -t nat -vnL

# clear nat rules
iptables -t nat -F

# Add a SNAT rule to map the IP of the internal network to the IP of the external network
iptables -t nat -A POSTROUTING -s LocalIP -j SNAT --to-source ExtIP

# Add a DNAT rule to map the IP and port of the external network to the IP and port of the internal network
iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination LocalIP[:PORT]

iptables also supports MASQUERADE (address masquerading), which works essentially like SNAT and also performs source address translation. It is meant for the special case where the external IP address is not fixed and long-term valid, such as an address obtained dynamically by PPPoE dial-up: MASQUERADE does not need an explicit IP and dynamically rewrites the packet's source address to the address currently available on the specified network card.

# Add a MASQUERADE rule to map the IP of the internal network to the IP of the external network card (the internal IP can be omitted here, and by default all the IPs of the internal network are mapped to the IP of the external network card)
iptables -t nat -A POSTROUTING [-s LocalIP] -o IFNAME -j MASQUERADE

2.7.2. Configuration example

Assume the following network topology: 10.1.0.0/16 simulates a public network and 192.168.1.0/24 simulates a private network. All machines in the figure are simulated with Linux hosts.

[Figure: _images/router3-20220705091939-09uw91m.png]

Router1 is the router connecting the internal and external networks; its Netplan configuration is as follows:

network:
        version: 2
        renderer: networkd
        ethernets:
                eth0:
                        addresses:
                                - 192.168.1.3/24
                eth1:
                        addresses:
                                - 10.1.0.7/16

Router1 also needs IP forwarding enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

The Internet PC is a personal host on the external network; its Netplan configuration is as follows:

network:
        version: 2
        renderer: networkd
        ethernets:
                eth0:
                        addresses:
                                - 10.1.0.6/16

The Web Server is a private-network server providing HTTP services; its Netplan configuration is as follows:

network:
        version: 2
        renderer: networkd
        ethernets:
                eth0:
                        addresses:
                                - 192.168.1.100/24
                        routes:
                                - to: 0.0.0.0/0
                                  via: 192.168.1.3

2.7.3. SNAT

Requirement: in the current network structure, internal hosts cannot reach the external network.

Add a SNAT rule that rewrites the source IP address of packets sent from the 192.168.1.0/24 segment to the external network to 10.1.0.7:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.7

Verification:

  • From the Web Server on the internal network, ping the Internet PC on the external network:

    ~ ping -c 4 10.1.0.6 ok
    PING 10.1.0.6 (10.1.0.6) 56(84) bytes of data.
    64 bytes from 10.1.0.6: icmp_seq=1 ttl=63 time=2.15 ms
    64 bytes from 10.1.0.6: icmp_seq=2 ttl=63 time=2.12 ms
    64 bytes from 10.1.0.6: icmp_seq=3 ttl=63 time=1.99 ms
    64 bytes from 10.1.0.6: icmp_seq=4 ttl=63 time=2.14 ms
    
    --- 10.1.0.6 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 7ms
    rtt min/avg/max/mdev = 1.989/2.098/2.147/0.063 ms
    
  • Capture ICMP packets on the external interface eth1; the echo requests now carry the source 10.1.0.7 rather than the Web Server's private address:

    root@firefly:/# tcpdump -i eth1 -nn icmp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
    03:33:37.503348 IP 10.1.0.7 > 10.1.0.6: ICMP echo request, id 53287, seq 1, length 64
    03:33:37.503603 IP 10.1.0.6 > 10.1.0.7: ICMP echo reply, id 53287, seq 1, length 64
    03:33:38.503348 IP 10.1.0.7 > 10.1.0.6: ICMP echo request, id 53287, seq 2, length 64
    03:33:38.503560 IP 10.1.0.6 > 10.1.0.7: ICMP echo reply, id 53287, seq 2, length 64
    03:33:39.504601 IP 10.1.0.7 > 10.1.0.6: ICMP echo request, id 53287, seq 3, length 64
    03:33:39.504812 IP 10.1.0.6 > 10.1.0.7: ICMP echo reply, id 53287, seq 3, length 64
    03:33:40.505347 IP 10.1.0.7 > 10.1.0.6: ICMP echo request, id 53287, seq 4, length 64
    03:33:40.505557 IP 10.1.0.6 > 10.1.0.7: ICMP echo reply, id 53287, seq 4, length 64
    

2.7.4. DNAT

Requirement: the intranet Web Server provides HTTP services, and an external host wants to access its web pages.

Add a DNAT rule that rewrites the destination IP address and port of packets arriving from the external network to the IP address and port of the internal Web Server:

iptables -t nat -A PREROUTING -d 10.1.0.7 -p tcp --dport 8000 -j DNAT --to-destination 192.168.1.100:8000

Verification:

  • From the Internet PC on the external network, access the web service of the intranet Web Server:

    root@firefly:/# wget http://10.1.0.7:8000/index.html
    --2021-02-19 03:31:12-- http://10.1.0.7:8000/index.html
    Connecting to 10.1.0.7:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 41323 (40K) [text/html]
    Saving to: ‘index.html’
    
    index.html 100%[==================>] 40.35K --.-KB/s in 0.001s
    
    2021-02-19 03:31:12 (29.8 MB/s) - ‘index.html’ saved [41323/41323]
    

2.7.5. MASQUERADE

Requirement: Router1 connects the internal and external networks and has only one external network card, eth1, whose IP address is obtained dynamically.

Solution: add a MASQUERADE rule so that IP packets from the intranet 192.168.1.0/24 to the external network have their source IP address rewritten to the address of eth1:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

2.8. iptables filter configuration

The filter table of iptables controls whether packets are allowed to enter, leave and be forwarded. The chains the filter table controls are INPUT, FORWARD and OUTPUT; commonly used actions (targets) are ACCEPT, DROP and REJECT.

2.8.1. General commands

# Clear the filter table
iptables -t filter -F

# show filter table
iptables -t filter -nvL

2.8.2. ACCEPT: allow packets to pass through

Configuration example: by default ssh uses TCP port 22. To allow remote access, allow TCP connections to port 22 (an ACCEPT rule only restricts anything once the chain policy, or a later rule, drops the remaining traffic):

iptables -A INPUT -t filter -p tcp --dport 22 -j ACCEPT

Enable ssh access from the 192.168.0.0/24 network segment:

iptables -A INPUT -t filter -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

Enable ssh access for packets received on the eth0 network card:

iptables -A INPUT -t filter -p tcp -i eth0 --dport 22 -j ACCEPT

Enable ssh access for the host in the 192.168.0.0/24 segment with MAC address 00:50:8D:FD:E6:32:

iptables -A INPUT -t filter -p tcp -s 192.168.0.0/24 --dport 22 -m mac --mac-source 00:50:8D:FD:E6:32 -j ACCEPT

2.8.3. REJECT: Deny the packet to pass

The common option for the REJECT action is --reject-with; it sets the error message returned to the rejected party, telling it why it was rejected.

For ICMP, the available values are as follows; if none is given, icmp-port-unreachable is used by default:

icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited
icmp-admin-prohibited

Configuration example: reject external pings and return “Destination Host Unreachable”:

iptables -A INPUT -t filter -p icmp -j REJECT --reject-with icmp-host-unreachable

2.8.4. DROP: drop packets

Configuration example: silently discard external ping packets:

iptables -A INPUT -t filter -p icmp -j DROP
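As an added example that is not part of the Firefly documentation or of iptables, the following shell function emits one iptables-restore ruleset for the Router1 topology of 2.7, combining the MASQUERADE and DNAT rules of 2.7.4 and 2.7.5 with the filter rules of 2.8; because the ACCEPT rules above only restrict traffic once the chain policy is DROP, the filter table sets that policy and allows reply traffic explicitly. The WAN interface, private range, web server address and port, and the management segment allowed to ssh are parameters (the values used here are the page's).

```shell
#!/bin/sh
# Added example (not part of the Firefly documentation or of iptables): one iptables-restore
# ruleset for Router1 of section 2.7 with a default-deny filter table (section 2.8).

# gen_router_rules WAN_IF LAN_NET WEB_IP WEB_PORT ADMIN_NET
gen_router_rules() {
    wan=$1; lan=$2; web=$3; port=$4; admin=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: publish the intranet web server on whatever address $wan currently has (2.7.4)
-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $web:$port
# MASQUERADE: rewrite the private source range to the current address of $wan (2.7.5)
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# router itself: loopback, replies to its own connections, ssh from the management segment (2.8.2)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# answer pings to the router with host-unreachable instead of silently dropping (2.8.3)
-A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
# forwarded traffic: private range out through $wan, return traffic, and only the DNATed port in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -d $web -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# rule_count RULESET: number of rule lines (-A ...), a sanity check before loading
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# has_rule RULESET RULE: exact-line check that RULE is present
has_rule() {
    printf '%s\n' "$1" | grep -Fqx -- "$2"
}

# Stand-alone run with the values of the page's topology. To load on the router:
#   gen_router_rules eth1 192.168.1.0/24 192.168.1.100 8000 192.168.0.0/24 | iptables-restore
# then "netfilter-persistent save" keeps the rules across reboots (section 2.5.6).
gen_router_rules eth1 192.168.1.0/24 192.168.1.100 8000 192.168.0.0/24
```

With INPUT DROP in place, any service the router itself must offer (for example the DHCP server of section 2.5) needs its own ACCEPT rule before the ruleset is loaded.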