Custom Search

Wednesday, July 23, 2014

Introduction to Network Namespace, Default Gateway and ARP Table with VirtualBox Virtual Machine

A)
Setup the network namespace

1)
Add a namespace
#sudo ip netns add myns1

2)
List all namespaces
#ip netns list

3)
Execute commands in a namespace
#sudo ip netns exec myns1

4)
Check all the interfaces and their IP in the namespace "myns1"
#sudo ip netns exec myns1 ifconfig -a
#sudo ip netns exec myns1 ip link list

5)
Create veth interface pairs (veth0 and veth1) in global namespace (VirtualBox VM)
#sudo ip link add veth0 type veth peer name veth1

6)
List and check veth pairs created in the global namespace (VirtualBox VM)
#ip link list
OR
#ifconfig -a

* At this point the interface veth0 and "veth1" don't have any IP,So don't belongs to any network.

7)
If you want to connect the global namespace (VirtualBox VM) to the "myns1" namespace, you will need to move one of the veth interfaces to the "myns1" namespace using this command.
#sudo ip link set veth1 netns myns1

8)
Check namespace "myns1", there you can see the moved interface "veth1".
#sudo ip netns exec myns1 ip link
OR
#sudo ip netns exec myns1 ifconfig -a

* At this point the interface "veth1" doesn't have any IP, So doesn't belongs to any network.
* If you run "#ip link list" or "#ifconfig -a" in global namespace, you can't see the "veth1" interface, since it moved to namespace "myns1".

9)
List routing table in the namespace "myns1"
#sudo ip netns exec myns1 route -n
OR
#sudo ip netns exec myns1 ip route list

* At this point, this will be empty.

10)
Assign an IP "10.1.1.2" to "veth1" interface OR Add the interface "veth1" to a network "10.1.1.2/24 or 10.1.1.x".
#sudo ip netns exec myns1 ifconfig veth1 10.1.1.2/24 up

11)
List routing table in the namespace "myns1"
#sudo ip netns exec myns1 route -n
OR
#sudo ip netns exec myns1 ip route list

* At this point you can see the network "10.1.1.2/24 or 10.1.1.x" with interface "veth1" in the routing table.

#sudo ip netns exec myns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth1

12)
List routing table in the global namespace (VirtualBox VM)
#route -n
OR
#ip route list

* You can see the "veth0" not there in the routing table. So we need to add it.

13)
Assign an IP "10.1.1.3" to "veth0" interface OR Add the interface "veth0" to the same network "10.1.1.2/24 or 10.1.1.x" of "veth1".
#sudo ifconfig veth0 10.1.1.3/24 up

* Note: "veth0" and "veth1" should be in same network "10.1.1.2/24 or 10.1.1.x".

14)
List routing table in the global namespace (VirtualBox VM)
#route -n
OR
#ip route list

* At this point you can see the network "10.1.1.2/24 or 10.1.1.x" with interface "veth0" in the routing table.

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

15)
Test IPs
* Ping to interface "veth0" in the global namespace from global namespace
#ping 10.1.1.3

*Ping to interface "veth1" in the "myns1" namespace from global namespace
#ping 10.1.1.2

* Ping to interface "veth0" in the global namespace from "myns1" namespace
#sudo ip netns exec myns1 ping 10.1.1.3

B)
Testing

1)
Start tshark to caputre the packets from the "veth1" inferface in the network namespace "myns1"
#sudo ip netns exec myns1 tshark -i veth1 icmp

2)
Start tshark to caputre the packets from the "veth0" interface in the global network namespace
#sudo tshark -i veth0 icmp

3)
Check Routing Table in the network namespace "myns1"
#sudo ip netns exec myns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth1

* Note: This routing table doesn't have default gateway. So we can't ping to other network from this namespace "myns1". We can only ping to the network 10.1.1.x.

4)
Check ARP Table in the network namespace "myns1"
#sudo ip netns exec myns1 arp -a
? (10.1.1.3) at 52:14:8c:a0:4f:ea [ether] on veth1

* See it has only one entry that map the IP:10.1.1.3 to MAC:52:14:8c:a0:4f:ea
* Actually this entry is for the interface "veth1" (10.1.1.3) in the global namespace.

4,a)
You can delete that entry from ARP table like
#sudo ip netns exec myns1 arp -d 10.1.1.3

4,b)
Check ARP table again
#sudo ip netns exec myns1 arp -a
? (10.1.1.3) at on veth1

* Note the , that means IP:10.1.1.3 doen't map to any MAC.

4,c)
Ping to 10.1.1.3 to add/update the ARP table from the IP:10.1.1.3

#sudo ip netns exec myns1 ping 10.1.1.3

4,d)
Again check the ARP Table in the network namespace "myns1"

#sudo ip netns exec myns1 arp -a
? (10.1.1.3) at 52:14:8c:a0:4f:ea [ether] on veth1

* Now you can see the IP amd MAC map, IP:10.1.1.3 to MAC:52:14:8c:a0:4f:ea

5)
Find the IP and MAC of interface veth0 and veth1


5,a)
IP and MAC of interface veth0 in the global namespace
(VirtualBox VM)
#ifconfig -a veth0
veth0     Link encap:Ethernet  HWaddr 52:14:8c:a0:4f:ea 
          inet addr:10.1.1.3  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5014:8cff:fea0:4fea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1158 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1848 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64991 (64.9 KB)  TX bytes:150257 (150.2 KB)

* IP : 10.1.1.3
* MAC : 52:14:8c:a0:4f:ea

5,b)
IP and MAC of interface veth1 in the namespace "myns1"

#sudo ip netns exec myns1 ifconfig -a veth1
veth1     Link encap:Ethernet  HWaddr 8e:a6:de:48:bf:a2 
          inet addr:10.1.1.2  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8ca6:deff:fe48:bfa2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1848 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1158 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:150257 (150.2 KB)  TX bytes:64991 (64.9 KB)

* IP : 10.1.1.2
* MAC : 8e:a6:de:48:bf:a2

6)
ping to veth0 (10.1.1.3) in the global network namespace from network
namespace "myns1" and check the packets flowing through the interface "veth0" and "veth1".
#sudo ip netns exec myns1 ping 10.1.1.3
PING 10.1.1.3 (10.1.1.3) 56(84) bytes of data.
64 bytes from 10.1.1.3: icmp_seq=1 ttl=64 time=0.062 ms

* Ping working

6,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1
icmp
1   0.000000     10.1.1.2 -> 10.1.1.3     ICMP 98 Echo (ping) request  id=0x680d, seq=1/256, ttl=64
2   0.000039     10.1.1.3 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x680d, seq=1/256, ttl=64 (request in 1)

* request abd reply are working well
* Here you can see that packet flowing from 10.1.1.2 -> 10.1.1.3

6,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp
1   0.000000     10.1.1.2 -> 10.1.1.3     ICMP 98 Echo (ping) request  id=0x680d, seq=1/256, ttl=64
2   0.000031     10.1.1.3 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x680d, seq=1/256, ttl=64 (request in 1)

* request abd reply are working well
* Here you can see that packet flowing from 10.1.1.2 -> 10.1.1.3

7)
Ping to an unknown IP (10.1.1.6) in the same network "10.1.1.x" from namespace "myns1"

#sudo ip netns exec myns1 ping 10.1.1.6
PING 10.1.1.6 (10.1.1.6) 56(84) bytes of data.
From 10.1.1.2 icmp_seq=1 Destination Host Unreachable

* Ping not works. Destination Host Unreachable

7,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1
"
#sudo ip netns exec myns1 tshark -i veth1
icmp
1   0.000000 8e:a6:de:48:bf:a2 -> Broadcast    ARP 42 Who has 10.1.1.6?  Tell 10.1.1.2
2   0.998262 8e:a6:de:48:bf:a2 -> Broadcast    ARP 42 Who has 10.1.1.6?  Tell 10.1.1.2

Note:
* Here "8e:a6:de:48:bf:a2" is the MAC of interface "veth1" (10.1.1.2) in the namespace "myns1".
* Here you can see that packet flowing from 8e:a6:de:48:bf:a2 to-> Broadcast

7,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp
1   0.000000 8e:a6:de:48:bf:a2 -> Broadcast    ARP 42 Who has 10.1.1.6?  Tell 10.1.1.2
2   0.998262 8e:a6:de:48:bf:a2 -> Broadcast    ARP 42 Who has 10.1.1.6?  Tell 10.1.1.2

* Here you can see that packet flowing from 8e:a6:de:48:bf:a2 to-> Broadcast

7,c)
Check ARP Table in the network namespace "myns1"

#sudo ip netns exec myns1 arp -a
? (10.1.1.3) at 52:14:8c:a0:4f:ea [ether] on veth1
? (10.1.1.6) at on veth1

* You can see the entry for the IP:10.1.1.6, but MAC is . That means could not able to find a machine with IP:10.1.1.6 in the network 10.1.1.x.

8)
Ping to an IP:192.168.56.101 in the different network "192.168.56.x" from namespace "myns1"

#sudo ip netns exec myns1 ping 192.168.56.101
connect: Network is unreachable

OR

#sudo ip netns exec myns1 ping www.google.com
ping: unknown host www.google.com

8,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1
icmp

* Packets will not come here

8,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp

* Packets will not come here

8,c)
Check Routing Table in the network namespace "myns1"

#sudo ip netns exec myns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth1

* Here we can't find any gateway.
* Here we need to add a default gateway to flow packets which are not destined for the network 10.1.1.x to outside.
* Note: We can use the interface "veth0" (10.1.1.3) in the global namespace as the gateway for the namespace "myns1".
* Note, "veth0" and "veth1" are veth pairs.

8,d)
Add a default gateway to flow packets which are not destined for the network 10.1.1.x to outside.

#sudo ip netns exec myns1 route add default gw 10.1.1.3 veth1


8,e)
Check Routing Table in the network namespace "myns1"

#sudo ip netns exec myns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.3        0.0.0.0         UG    0      0        0 veth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth1


8,f )
Howto gateway allow and deny packets
http://fosshelp.blogspot.in/2014/07/howto-network-gateway-allow-and-deny.html

9)
Again Ping to the IP:192.168.56.101 in the different network "192.168.56.x" from namespace "myns1" after adding the default gateway

#sudo ip netns exec myns1 ping 192.168.56.101
PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_seq=1 ttl=64 time=0.063 ms

* Ping works. That means the network "192.168.56.x" is reachable form the namespace "myns1"
* Note: The network "192.168.56.x"mis defined in the routing in the global namespace.

9,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1
icmp
1   0.000000     10.1.1.2 -> 192.168.56.101 ICMP 98 Echo (ping) request  id=0x7076, seq=1/256, ttl=64
1   2   0.000041 192.168.56.101 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x7076, seq=1/256, ttl=64 (request in 1)

* Here you can see that packet flowing from 10.1.1.2 to-> 192.168.56.101

* Here we can see request and reply packets
* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2 .

9,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp
1   0.000000     10.1.1.2 -> 192.168.56.101 ICMP 98 Echo (ping) request  id=0x7076, seq=1/256, ttl=64
1   2   0.000033 192.168.56.101 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x7076, seq=1/256, ttl=64 (request in 1)

* Here you can see that packet flowing from 10.1.1.2 -> 192.168.56.101

* Here we can see request and reply packets
* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2.

9,c)
Check Routing Table in the global namespace. Routing table in the VirtualBox VM.

#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Note:
* Here i am using VirtualBox VM to test this.
* Here the network 10.0.2.x is VirtualBox NAT network.
* Here the network 10.1.1.x is the network I created for the namespace "myns1".
* Here the network 192.168.56.x is the HostOnly Network of VirtualBox.
* Here the gateway IP:10.0.2.2 belongs to the VirtualBox NAT network 10.0.2.x.
* Here 192.168.56.101 is the IP of this VirtualBox VM.
* Here the routing table will redirect the packets destined:192.168.56.101 and sourced:10.1.1.2 to network 192.168.56.x

10)
Ping to the IP:11.1.1.5 in the different network "11.1.1..x" from namespace "myns1" after adding the default gateway


* Note: the network 11.1.1.x doesn't exist. 
 
#sudo ip netns exec myns1 ping 11.1.1.5
PING 11.1.1.5 (11.1.1.5) 56(84) bytes of data <== Hung

* Ping not works.
* Note, Here the network 11.1.1.x doen't exist in the routing table in the global namespace. So the packets will forwarded to the default gateway "10.0.2.2" defined in the routing table in the global namespace. Please check the routing table defined in the global namespace.

10,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1
icmp
1   0.000000     10.1.1.2 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x734a, seq=1/256, ttl=64
2   1.008958     10.1.1.2 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x734a, seq=2/512, ttl=64


* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "veth0", somewhere reply packets got dropped.

* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2.

10,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp
1   0.000000     10.1.1.2 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x734a, seq=1/256, ttl=64
2   1.008957     10.1.1.2 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x734a, seq=2/512, ttl=64



* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "veth0", somewhere reply packets got dropped.

* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2.

10,c)
Capture the Packets flowing through the interface "eth0" in the global namespace (VirtualBox VM).

#sudo tshark -i eth0
icmp
1   0.000000     10.1.1.2 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x734a, seq=1/256, ttl=63
2   1.008950     10.1.1.2 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x734a, seq=2/512, ttl=63

* Here "eth0" is the interface where default gateway is connected. Please check the routing table in the global namespace.


* You can see that our packets are flowing through this "eth0" interface, that means the routing table in the global namespace forwarding the packets to default gateway "10.0.2.2", because the destination IP:11.1.1.5 of the packet doesn't belongs to any networks defined in the routing table in the global namespace. Please check the routing table in the global namespace.


* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "veth0", somewhere reply packets got dropped.

* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2.

10,d)
Capture the Packets flowing through the interface "wlan0" in the Host Machine (My laptop).

#sudo tshark -i wlan0 icmp 

1   1.000145 192.168.0.131 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x2008, seq=132/33792, ttl=62
2   1.999461 192.168.0.131 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x2008, seq=133/34048, ttl=62
3   2.999875 192.168.0.131 -> 11.1.1.5     ICMP 98 Echo (ping) request  id=0x2008, seq=134/34304, ttl=62

* Note: "wlan0" interface is connected to INTERNET via WIFI 
* Here 192.168.0.131 is the IP of wlan0 interface

* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "wlan0", somewhere reply packets got dropped in the INTERNET.

* IMP Note: Here Source IP of the Packet got changed from 10.1.1.2 to 192.168.0.131, that means, we are doing SNAT or MASQUERADE before pushing the packets to the "wlan0" interface. I think VirtualBox doing this SNAT or MASQUERADE.

11)
Find the IP of the www.google.com and Ping to that IP from namespace "myns1"
 
after adding the default gateway

IP of the www.google.com is 173.194.127.147

#sudo ip netns exec myns1 ping 173.194.127.147
PING 173.194.127.147 (173.194.127.147) 56(84) bytes of data.

* Ping not works.
* Note, Here the network 173.194.127.x doen't exist in the routing table in the global namespace. So the packets will forwarded to the default gateway "10.0.2.2" defined in the routing table in the global namespace.

11,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1
icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x744f, seq=1/256, ttl=64
2   1.007237     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x744f, seq=2/512, ttl=64


* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "veth1", somewhere reply packets got dropped.

* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2. 

11,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x744f, seq=1/256, ttl=64
2   1.007330     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x744f, seq=2/512, ttl=64


* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "veth0", somewhere reply packets got dropped.
  
* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2. 

11,c)
Capture the Packets flowing through the interface "eth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i eth0
icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x744f, seq=1/256, ttl=63
2   0.190104 RealtekU_12:35:02 -> Broadcast    ARP 60 Who has 10.1.1.2?  Tell 10.0.2.2
3   1.007366     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x744f, seq=2/512, ttl=63
4   1.648765 RealtekU_12:35:02 -> Broadcast    ARP 60 Who has 10.1.1.2?  Tell 10.0.2.2

* Here "eth0" is the interface where default gateway is connected. Please check the routing table in the global namespace.


* You can see that our packets are reaching at this "eth0" interface, that means the routing table in the global namespace forwarding the packets to default gateway "10.0.2.2", because the destination IP:173.194.127.147 doesn't belongs to any networks defined in the routing table in the global namespace. Please check the routing table in the global namespace.


* See, we can see only request packets, no response/reply packets. That means response/reply packets are not flowing to this interface "eth0", somewhere reply packets got dropped.

* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2.

11,d)
Capture the Packets flowing through the interface "wlan0" in the Host Machine (My laptop).

#sudo tshark -i wlan0 icmp
1   0.000000 192.168.0.131 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x2133, seq=23/5888, ttl=62
2   0.094715 173.194.127.147 -> 192.168.0.131 ICMP 98 Echo (ping) reply    id=0x2133, seq=23/5888, ttl=53 (request in 1)
3   1.000054 192.168.0.131 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x2133, seq=24/6144, ttl=62
4   1.091640 173.194.127.147 -> 192.168.0.131 ICMP 98 Echo (ping) reply    id=0x2133, seq=24/6144, ttl=53 (request in 3)


* Note: "wlan0" interface is connected to INTERNET via WIFI 
* Here 192.168.0.131 is the IP of wlan0 interface

* See, we can see both request and response packets. That means the IP:173.194.127.147 is reachable in the INTERNET.

* IMP Note: Here Source IP of the Packet got changed from 10.1.1.2 to 192.168.0.131, that means, we are doing SNAT or MASQUERADE before pushing the packets to the "wlan0" interface. I think VirtualBox doing this SNAT or MASQUERADE.

* IMP Note: Destination IP of the reply packet is 192.168.0.131, because in request packet source IP was 192.168.0.131. I already motioned that VirtualBox did this SNAT or MASQUERADE in the request packet, so again the VirtualBox will do the de-SNAT or de-MASQUERADE and change destination IP of the reply packet form 192.168.0.131 to 10.1.1.2 before pushing the packet to the "eth0" interface in the VirtualBox VM.But here the VirtualBox can't push the reply packet to eth0 interface, since the destination IP of the reply packet is 10.1.1.2 and IP of the eth0 interface is 10.0.2.15 (different network).

* Solution for this issue is add SNAT or MASQUERADE NAT iptables rule in the VirtualBox VM and change the source IP address of the request packet to 10.0.2.15 (IP of eth0 interface) before pushing to the eth0 interface in the VirtualBox VM, so later when reply packets come, VirtualBox can de-SNAT or de-MASQUERADE reply packet and change destination IP from 192.168.0.131 to 10.0.2.15 and push the to eth0 (10.0.2.15) interface. Then our SNAT or MASQUERADE iptables rules in the VirtualBox VM again de-SNAT or de-MASQUERADE reply packet and change destination IP from 10.0.2.15 to 10.1.1.2 and route to "veth1" interface  (network 10.1.1.x) in the VirtualBox VM. from there reply packet will reach to interface "veth0" (10.1.1.2) in the namespace "myns1".

11,e)
Add MASQUERADE rule to POSTROUTING chain of the NAT table for the interface "eth0" (in the VirtualBox VM) and test the ping again from the namespace "myns1" to 173.194.127.147 (www.google.com)


a)
Check rules in the POSTROUTING chain of the NAT table in the VirtualBox VM

#sudo iptables -t nat -L POSTROUTING -nv

b)
Add MASQUERADE target rule in the POSTROUTING chain of the NAT table for the interface "eth0" (in VirtualBox VM).

#sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

* Note: I haven't specified the protocol "-p tcp" here, So it will allow all including ICMP (Ping), or you can add "-p icmp" if you want to test only the Ping.

c)
Check rules in the POSTROUTING chain of the NAT table in the VirtualBox VM

#sudo iptables -t nat -L POSTROUTING -nv
Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target     prot opt in     out     source               destination 
1    84 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0 <===

d)
Ping to 173.194.127.147 (www.google.com) from the namespace "myns1" in the VirtualBox VM.

#sudo ip netns exec myns1 ping 173.194.127.147
PING 173.194.127.147 (173.194.127.147) 56(84) bytes of data.
64 bytes from 173.194.127.147: icmp_seq=1 ttl=61 time=108 ms
64 bytes from 173.194.127.147: icmp_seq=2 ttl=61 time=111 ms

* Ping works here

e)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1 icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x332a, seq=1/256, ttl=64
2   0.108731 173.194.127.147 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x332a, seq=1/256, ttl=61 (request in 1)

* See request and reply packets are flowing through "veth1" interface.
* We don't need any NAT here, since for namespace "myns1" the interface "veth1" (10.1.1.3) in the global namespace act as a gateway interface.

f)
Capture the Packets flowing through the interface "veth0" in the global namespace (VirtualBox VM).

#sudo tshark -i veth0 icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x332a, seq=1/256, ttl=64
2   0.108696 173.194.127.147 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x332a, seq=1/256, ttl=61 (request in 1)

* See request and reply packets are flowing through "veth0" interface.
* Packets should flow through this interface "veth0" in the namespace "myns1" to reach the gateway interface "veth1" in the global namespace, since "veth0" and "veth1" are veth pairs. 

g)
Capture the Packets flowing through the interface "eth0" in the global namespace (VirtualBox VM).

#sudo tshark -i eth0 icmp
1   0.000000    10.0.2.15 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x332a, seq=1/256, ttl=63
2   0.108550 173.194.127.147 -> 10.0.2.15    ICMP 98 Echo (ping) reply    id=0x332a, seq=1/256, ttl=62 (request in 1)

* See request and reply packets are flowing through "eth0" interface.
* Note source IP address of the packet is changed here from 10.1.1.2 to 10.0.2.15 by our custom MASQUERADE target rule in the POSTROUTING chain of the NAT table. This conversion is required because the network of the interface is 10.0.2.x and source IP of the packet is 10.1.1.2 and reply packet will not pass through this interface because in reply packet destination IP addess will be the source IP address of the request Packet.

h)
Capture the Packets flowing through the interface "wlan0" in the Host Machine (My laptop).

#sudo tshark -i wlan0 icmp
1   0.000000 192.168.0.131 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x332a, seq=1/256, ttl=62
2   0.106184 173.194.127.147 -> 192.168.0.131 ICMP 98 Echo (ping) reply    id=0x332a, seq=1/256, ttl=53 (request in 1)

* See request and reply packets are flowing through "wlan0" interface.
* Note: Source IP address of the request packet is again changed from 10.0.2.15 to 192.168.0.131. This NAT is done by the VIrtualBox and we can't see that NAT rule.

i)
Routing table from namespace "myns1"
#sudo ip netns exec myns1 route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.3        0.0.0.0         UG    0      0        0 veth1
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth1

j)
Routing table from global namespace
#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.2.2        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 veth0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

11,f)
Delete the MASQUERADE target rule in the POSTROUTING chain of the NAT table for the interface "eth0" (in the VirtualBox VM) and add SNAT target rule in the POSTROUTING chain of the NAT table and test the ping again from the namespace "myns1" to 173.194.127.147 (www.google.com)


a)
Delete MASQUERADE target rule in the POSTROUTING chain of the NAT table

#sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

b)
Check rules in the POSTROUTING chain of the NAT table in the VirtualBox VM

#sudo iptables -t nat -L POSTROUTING -nv

c)
Add SNAT target rule in the POSTROUTING chain of the NAT table for the interface "eth0" (in VirtualBox VM).

#sudo iptables -t nat -A POSTROUTING -p icmp --dst 173.194.127.147 -j SNAT --to-source 10.0.2.15

* See, here I specified "-p icmp" so we can test only ping. We can change it to "-p tcp" to allow tcp protocol or remove it to allow all protocols

d)
Check rules in the POSTROUTING chain of the NAT table in the VirtualBox VM

#sudo iptables -t nat -L POSTROUTING -nv
Chain POSTROUTING (policy ACCEPT 1 packets, 328 bytes)
pkts bytes target     prot opt in     out     source               destination 
1    84 SNAT       icmp --  *      *       0.0.0.0/0            173.194.127.147      to:10.0.2.15

e)
Lsit all Tables and its chains and rules in the VirtualBox VM

#sudo iptables-save
# Generated by iptables-save v1.4.21 on Tue Jul 22 01:10:34 2014
*raw
:PREROUTING ACCEPT [171973:15026995]
:OUTPUT ACCEPT [128875:25991146]
COMMIT
# Completed on Tue Jul 22 01:10:34 2014
# Generated by iptables-save v1.4.21 on Tue Jul 22 01:10:34 2014
*nat
:PREROUTING ACCEPT [2:660]
:INPUT ACCEPT [1:576]
:OUTPUT ACCEPT [1:328]
:POSTROUTING ACCEPT [1:328]
-A PREROUTING -j LOG
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -d 173.194.127.147/32 -p icmp -j SNAT --to-source 10.0.2.15
COMMIT
# Completed on Tue Jul 22 01:10:34 2014
# Generated by iptables-save v1.4.21 on Tue Jul 22 01:10:34 2014
*mangle
:PREROUTING ACCEPT [193485:16689911]
:INPUT ACCEPT [158616:13775245]
:FORWARD ACCEPT [34861:2913076]
:OUTPUT ACCEPT [145297:30083538]
:POSTROUTING ACCEPT [180927:33061426]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Jul 22 01:10:34 2014
# Generated by iptables-save v1.4.21 on Tue Jul 22 01:10:34 2014
*filter
:INPUT ACCEPT [158618:13775349]
:FORWARD ACCEPT [34861:2913076]
:OUTPUT ACCEPT [145290:30083718]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Tue Jul 22 01:10:34 2014

f)
Ping to 173.194.127.147 (www.google.com) from the namespace "myns1" in the VirtualBox VM.

#sudo ip netns exec myns1 ping 173.194.127.147
PING 173.194.127.147 (173.194.127.147) 56(84) bytes of data.
64 bytes from 173.194.127.147: icmp_seq=1 ttl=61 time=96.2 ms
64 bytes from 173.194.127.147: icmp_seq=2 ttl=61 time=102 ms

* Ping works here

g)
Capture the Packets flowing through the interface "veth0" in the global namespace (VirtualBox VM).

#sudo tshark -i veth0 icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x3e3d, seq=1/256, ttl=64
1   2   0.096169 173.194.127.147 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x3e3d, seq=1/256, ttl=61 (request in 1)

* See request and reply packets are flowing through "veth0" interface.

h)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1 icmp
1   0.000000     10.1.1.2 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x3e3d, seq=1/256, ttl=64
2   0.096202 173.194.127.147 -> 10.1.1.2     ICMP 98 Echo (ping) reply    id=0x3e3d, seq=1/256, ttl=61 (request in 1)

* See request and reply packets are flowing through "veth1" interface.

i)
Capture the Packets flowing through the interface "eth0" in the global namespace (VirtualBox VM).

#sudo tshark -i eth0 icmp
1   0.000000    10.0.2.15 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x3e3d, seq=1/256, ttl=63
2   0.096041 173.194.127.147 -> 10.0.2.15    ICMP 98 Echo (ping) reply    id=0x3e3d, seq=1/256, ttl=62 (request in 1)

* See request and reply packets are flowing through "eth0" interface.
* Note source IP address of the packet is changed here from 10.1.1.2 to 10.0.2.15 by our custom SNAT target rule in the POSTROUTING chain of the NAT table. This conversion is required because the network of the interface is 10.0.2.x and source IP of the packet is 10.1.1.2 and reply packet will not pass through this interface because in reply packet destination IP addess will be the source IP address of the request Packet.

j)
Capture the Packets flowing through the interface "wlan0" in the Host Machine (My laptop).

#sudo tshark -i wlan0 icmp
0.000000 192.168.0.131 -> 173.194.127.147 ICMP 98 Echo (ping) request  id=0x3e3d, seq=1/256, ttl=62
0.096050 173.194.127.147 -> 192.168.0.131 ICMP 98 Echo (ping) reply    id=0x3e3d, seq=1/256, ttl=53 (request in 1)

* See request and reply packets are flowing through "wlan0" interface.
* Note: Source IP address of the request packet is again changed from 10.0.2.15 to 192.168.0.131. This NAT is done by the VIrtualBox and we can't see that NAT rule.

12)
Ping to www.google.com from namespace "myns1"
after adding the default gateway
 
#sudo ip netns exec myns1 ping www.google.com
ping: unknown host www.google.com

12,a)
Capture the Packets flowing through the interface "veth1" in the namespace "myns1"

#sudo ip netns exec myns1 tshark -i veth1
icmp
1   0.000000     10.1.1.2 -> 10.0.2.3     DNS 74 Standard query 0xb814  A www.google.com
2   5.004542     10.1.1.2 -> 10.0.2.3     DNS 74 Standard query 0xb814  A www.google.com
3   5.015108 8e:a6:de:48:bf:a2 -> 52:14:8c:a0:4f:ea ARP 42 Who has 10.1.1.3?  Tell 10.1.1.2
4   5.015479 52:14:8c:a0:4f:ea -> 8e:a6:de:48:bf:a2 ARP 42 10.1.1.3 is at 52:14:8c:a0:4f:ea

* Note: Here packets are flowing from 10.1.1.2 to-> 10.0.2.3
* Here "10.0.2.3" is the IP of VirtualBox DNS server.

* Note, Source IP of the request packet not changed, still it showing original source IP:10.1.1.2. 

12,b)
Capture the Packets flowing through the interface "veth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i veth0
icmp
1   0.000000     10.1.1.2 -> 10.0.2.3     DNS 74 Standard query 0xb814  A www.google.com
2   5.004539     10.1.1.2 -> 10.0.2.3     DNS 74 Standard query 0xb814  A www.google.com
3   5.015098 8e:a6:de:48:bf:a2 -> 52:14:8c:a0:4f:ea ARP 42 Who has 10.1.1.3?  Tell 10.1.1.2
4   5.015449 52:14:8c:a0:4f:ea -> 8e:a6:de:48:bf:a2 ARP 42 10.1.1.3 is at 52:14:8c:a0:4f:ea

12,c)
Capture the Packets flowing through the interface "eth0" in the global namespace
(VirtualBox VM).
#sudo tshark -i eth0
icmp
1   0.000000     10.1.1.2 -> 10.0.2.3     DNS 74 Standard query 0xb814  A www.google.com
2   0.002024 RealtekU_12:35:02 -> Broadcast    ARP 60 Who has 10.1.1.2?  Tell 10.0.2.2
3   5.004501     10.1.1.2 -> 10.0.2.3     DNS 74 Standard query 0xb814  A www.google.com
4   5.008109 RealtekU_12:35:02 -> Broadcast    ARP 60 Who has 10.1.1.2?  Tell 10.0.2.2

13)
Ping to www.google.com from global namespace
in the VirtualBox VM
 

#ping www.google.com
PING www.google.com (173.194.127.242) 56(84) bytes of data.
64 bytes from 173.194.127.242: icmp_seq=1 ttl=63 time=93.6 ms
64 bytes from 173.194.127.242: icmp_seq=2 ttl=63 time=128 ms

* Ping works

13,a)
Capture the Packets flowing through the interface "eth0" in the global namespace (VirtualBox VM).
#sudo tshark -i eth0 icmp

1   0.000000    10.0.2.15 -> 173.194.127.242 ICMP 98 Echo (ping) request  id=0x3fb6, seq=1/256, ttl=64
2   0.093585 173.194.127.242 -> 10.0.2.15    ICMP 98 Echo (ping) reply    id=0x3fb6, seq=1/256, ttl=63 (request in 1)
 

13,b)
Capture the Packets flowing through the interface "wlan0" in the Host Machine (My laptop).
#sudo tshark -i wlan0 icmp

1   0.000000 192.168.0.131 -> 173.194.127.242 ICMP 98 Echo (ping) request  id=0x3fb6, seq=1/256, ttl=63
2   0.092806 173.194.127.242 -> 192.168.0.131 ICMP 98 Echo (ping) reply    id=0x3fb6, seq=1/256, ttl=53 (request in 1)





No comments:

Post a Comment