Chapter 7. introduction to routers

Table of Contents

router or firewall
packet forwarding
packet filtering
stateful
nat (network address translation)
pat (port address translation)
snat (source nat)
masquerading
dnat (destination nat)
port forwarding
/proc/sys/net/ipv4/ip_forward
/etc/sysctl.conf
sysctl
practice: packet forwarding
solution: packet forwarding

What follows is a very brief introduction to using Linux as a router.

router or firewall

A router is a device that connects two networks. A firewall is a device that besides acting as a router, also contains (and implements) rules to determine whether packets are allowed to travel from one network to another. A firewall can be configured to block access based on networks, hosts, protocols and ports. Firewalls can also change the contents of packets while forwarding them.

packet forwarding

Packet forwarding means allowing packets to go from one network to another. When a multihomed host is connected to two different networks, and it allows packets to travel from one network to another through its two network interfaces, it is said to have enabled packet forwarding.

packet filtering

Packet filtering is very similar to packet forwarding, but every packet is individually tested against rules that decide on allowing or dropping the packet. The rules are stored by iptables.

stateful

A stateful firewall is an advancement over stateless firewalls that inspect every individual packet. A stateful firewall will keep a table of active connections, and is knowledgeable enough to recognise when new connections are part of an active session. Linux iptables is a stateful firewall.

nat (network address translation)

A nat device is a router that is also changing the source and/or target ip-address in packets. It is typically used to connect multiple computers in a private address range (rfc 1918) with the (public) internet. A nat can hide private addresses from the internet.

It is important to understand that people and vendors do not always use the right term when referring to a certain type of nat. Be sure you talk about the same thing. We can distinguish several types of nat.

pat (port address translation)

nat often includes pat. A pat device is a router that is also changing the source and/or target tcp/udp port in packets. pat is Cisco terminology and is used by snat, dnat, masquerading and port forwarding in Linux. RFC 3022 calls it NAPT and defines the nat/pat combo as "traditional nat". A device sold to you as a nat-device will probably do nat and pat.

snat (source nat)

A snat device is changing the source ip-address when a packet passes our nat. snat configuration with iptables includes a fixed target source address.

masquerading

Masquerading is a form of snat that will hide the (private) source ip-addresses of your private network using a public ip-address. Masquerading is common on dynamic internet interfaces (broadband modem/routers). Masquerade configuration with iptables uses a dynamic target source address.

dnat (destination nat)

A dnat device is changing the destination ip-address when a packet passes our nat.

port forwarding

When static dnat is set up in a way that allows outside connections to enter our private network, then we call it port forwarding.

/proc/sys/net/ipv4/ip_forward

Whether a host is forwarding packets is defined in /proc/sys/net/ipv4/ip_forward. The following screenshot shows how to enable packet forwarding on Linux.

root@router~# echo 1 > /proc/sys/net/ipv4/ip_forward

The next command shows how to disable packet forwarding.

root@router~# echo 0 > /proc/sys/net/ipv4/ip_forward

Use cat to check if packet forwarding is enabled.

root@router~# cat /proc/sys/net/ipv4/ip_forward

/etc/sysctl.conf

By default, most Linux computers are not configured for automatic packet forwarding. To enable packet forwarding whenever the system starts, change the net.ipv4.ip_forward variable in /etc/sysctl.conf to the value 1.

root@router~# grep ip_forward /etc/sysctl.conf 
net.ipv4.ip_forward = 0

sysctl

For more information, take a look at the man page of sysctl.

root@debian6~# man sysctl
root@debian6~# sysctl -a 2>/dev/null | grep ip_forward
net.ipv4.ip_forward = 0

practice: packet forwarding

0. You have the option to select (or create) an internal network when adding a network card in VirtualBox or VMWare. Use this option to create two internal networks. I named them leftnet and rightnet, but you can choose any other name.

1. Set up two Linux machines, one on leftnet, the other on rightnet. Make sure they both get an ip-address in the correct subnet. These two machines will be 'left' and 'right' from the 'router'.

2. Set up a third Linux computer with three network cards, one on leftnet, another on rightnet (the third card is used in step 6). This computer will be the 'router'. Complete the table below with the relevant names, ip-addresses and mac-addresses.

Table 7.1. Packet Forwarding Exercise

       leftnet computer    the router (leftnet side)    the router (rightnet side)    rightnet computer
MAC
IP

3. How can you verify whether the router will allow packet forwarding by default or not? Test that you can ping from the router to the two other machines, and from those two machines to the router. Use arp -a to make sure you are connected with the correct mac addresses.

4. Ping from the leftnet computer to the rightnet computer. Enable and/or disable packet forwarding on the router and verify what happens to the ping between the two networks. If you do not succeed in pinging between the two networks (on different subnets), then use a sniffer like wireshark or tcpdump to discover the problem.

5. Use wireshark or tcpdump -xx to answer the following questions. Does the source MAC change when a packet passes through the filter? And the destination MAC? What about source and destination IP-addresses?

6. Remember the third network card on the router? Connect this card to a LAN with internet connection. On many LANs the command dhclient eth0 just works (replace eth0 with the correct interface).

root@router~# dhclient eth0

You now have a setup similar to this picture. What needs to be done to give internet access to leftnet and rightnet?

solution: packet forwarding

1. Set up two Linux machines, one on leftnet, the other on rightnet. Make sure they both get an ip-address in the correct subnet. These two machines will be 'left' and 'right' from the 'router'.

The ip configuration on your computers should be similar to the following two screenshots. Both machines must be in a different subnet (here 192.168.60.0/24 and 192.168.70.0/24). I created a little script on both machines to configure the interfaces.

root@left~# cat leftnet.sh
pkill dhclient
ifconfig eth0 192.168.60.8 netmask 255.255.255.0
root@right~# cat rightnet.sh
pkill dhclient
ifconfig eth0 192.168.70.9 netmask 255.255.255.0

2. Set up a third Linux computer with three network cards, one on leftnet, another on rightnet (the third card is used in step 6). This computer will be the 'router'. Complete the table below with the relevant names, ip-addresses and mac-addresses.

root@router~# cat router.sh
ifconfig eth1 192.168.60.1 netmask 255.255.255.0
ifconfig eth2 192.168.70.1 netmask 255.255.255.0
#echo 1 > /proc/sys/net/ipv4/ip_forward

Your setup may use different ip and mac addresses than the ones in the table below.

Table 7.2. Packet Forwarding Solution

       leftnet computer     the router (leftnet side)   the router (rightnet side)   rightnet computer
MAC    08:00:27:f6:ab:b9    08:00:27:43:1f:5a           08:00:27:be:4a:6b            08:00:27:14:8b:17
IP     192.168.60.8         192.168.60.1                192.168.70.1                 192.168.70.9

3. How can you verify whether the router will allow packet forwarding by default or not? Test that you can ping from the router to the two other machines, and from those two machines to the router. Use arp -a to make sure you are connected with the correct mac addresses.

This can be done with "grep ip_forward /etc/sysctl.conf" (1 is enabled, 0 is disabled) or with sysctl -a | grep ip_for.

root@router~# grep ip_for /etc/sysctl.conf 
net.ipv4.ip_forward = 0

4. Ping from the leftnet computer to the rightnet computer. Enable and/or disable packet forwarding on the router and verify what happens to the ping between the two networks. If you do not succeed in pinging between the two networks (on different subnets), then use a sniffer like wireshark or tcpdump to discover the problem.

Did you forget to add a default gateway to the LAN machines? Use route add default gw 'ip-address'.

root@left~# route add default gw 192.168.60.1
root@right~# route add default gw 192.168.70.1

You should be able to ping when packet forwarding is enabled (and both default gateways are properly configured). The ping will not work when packet forwarding is disabled or when gateways are not configured correctly.

5. Use wireshark or tcpdump -xx to answer the following questions. Does the source MAC change when a packet passes through the filter? And the destination MAC? What about source and destination IP-addresses?

Both MAC addresses are changed when passing the router. Use tcpdump -xx like this:

root@router~# tcpdump -xx -i eth1
root@router~# tcpdump -xx -i eth2
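To answer the questions of step 5 without reading the hex by hand, here is an added Python example (not part of the original chapter) that decodes two constructed tcpdump -xx captures of one echo request, taken on the router's eth1 and eth2, using the MAC and IP addresses of Table 7.2; it also reports the TTL, which the router decrements on the way through.

```python
import re
import struct

# Constructed tcpdump -xx output for one ICMP echo request, captured on the
# router's eth1 (arriving from left) and on eth2 (leaving towards right).
# Addresses follow Table 7.2; the IP checksum word is a placeholder only.
ETH1_DUMP = """\
14:02:11.000001 IP 192.168.60.8 > 192.168.70.9: ICMP echo request, id 1, seq 1, length 64
\t0x0000:  0800 2743 1f5a 0800 27f6 abb9 0800 4500
\t0x0010:  0054 1234 4000 4001 0000 c0a8 3c08 c0a8
\t0x0020:  4609 0800 f7fe 0001 0001
"""
ETH2_DUMP = """\
14:02:11.000050 IP 192.168.60.8 > 192.168.70.9: ICMP echo request, id 1, seq 1, length 64
\t0x0000:  0800 2714 8b17 0800 27be 4a6b 0800 4500
\t0x0010:  0054 1234 4000 3f01 0000 c0a8 3c08 c0a8
\t0x0020:  4609 0800 f7fe 0001 0001
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\s*)+)$", re.I)


def frame_bytes(dump):
    """Join the hex words of the -xx lines of one frame into raw bytes."""
    words = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            words.extend(m.group(1).split())
    return bytes.fromhex("".join(words))


def decode(frame):
    """Extract the Ethernet and IPv4 header fields that step 5 asks about."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]                      # IPv4 header starts after 14 bytes
    mac = lambda b: ":".join("%02x" % x for x in b)
    addr = lambda b: ".".join(str(x) for x in b)
    return {"dst_mac": mac(dst_mac), "src_mac": mac(src_mac),
            "ttl": ip[8], "src_ip": addr(ip[12:16]), "dst_ip": addr(ip[16:20])}


def changed_fields(before, after):
    """Names of the header fields that differ between the two captures."""
    a, b = decode(frame_bytes(before)), decode(frame_bytes(after))
    return {k for k in a if a[k] != b[k]}


if __name__ == "__main__":
    print(sorted(changed_fields(ETH1_DUMP, ETH2_DUMP)))  # ['dst_mac', 'src_mac', 'ttl']
```

Paste the hex lines of a real capture from eth1 and eth2 into the two strings and the same comparison tells you which header fields your router rewrote.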

6. Remember the third network card on the router? Connect this card to a LAN with internet connection. On many LANs the command dhclient eth0 just works (replace eth0 with the correct interface).

root@router~# dhclient eth0

You now have a setup similar to this picture. What needs to be done to give internet access to leftnet and rightnet?

The clients on leftnet and rightnet need a working dns server. We use one of Google's dns servers here.

echo nameserver 8.8.8.8 > /etc/resolv.conf