Test Networking Lab Ubuntu On 16.04


Overview

I wanted to create a test networking lab on Ubuntu 16.04 for trying out configurations without having to hack my real LAN about. I decided to use VirtualBox virtual machines as they are freely available, work on Linux, and can also run MS Windows guests. The network in the test lab needs to be separate from our normal LAN, and VirtualBox provides this out of the box: we simply set the guests' network interfaces to use “Internal Network”. Only VMs on the same host that are attached to the same named internal network can then see each other; nothing on the real LAN can reach them directly.

The test lab will need a router to connect to the outside networks, in the same way as you have an ADSL modem/router to connect to the internet. You will also need some servers and desktops to experiment with. From the point of view of our test lab, our real LAN is the internet, and the lab router is the only machine with a foot in both networks, so it is also where all of the firewall and NAT rules live.

Network Topology for the lab

A quick pictorial overview of the test networking lab.

[Diagram: lab topology. lab-router1 has two NICs, enp0s3 on the real LAN (192.168.0.0/24) and enp0s8 on the VirtualBox internal network “lab1” (10.1.200.0/24). lab-desktop1 and lab-server1 have a single NIC each on lab1 and reach everything else through lab-router1.]

Networking within the test lab

We need to create the machines we will be using in the test lab. All the test machines I use are an Ubuntu 16.04 Minimal Server Installation. I always add openssh-server so I can access the new machine via a terminal and therefore copy and paste while I'm setting it up. It also allows for a larger terminal rather than the default 80×23 🙂 In fact, I have a PXE boot server and preseed configurations set up to create these installations. It takes 7-12 minutes to do the automated install. Just long enough to make a coffee.

VirtualBox settings for lab-router1

The settings needed for the VirtualBox guest for lab-router1 are not much different from a machine running on your LAN. The only difference is the networking. We need two NICs: an external one, which connects to our real LAN, and an internal one, which connects to all of the machines in the test lab. The eth0/eth1 in the screenshot names below are the adapter numbers as seen from the host; inside the guest they get different names, which is covered under “The Lab Router” below. It does get a little confusing.

VirtualBox settings for the external NIC

[Screenshot: router-eth0, the first adapter of lab-router1, attached to the real LAN]

VirtualBox settings for the internal NIC

[Screenshot: router-eth1, the second adapter of lab-router1, attached to the Internal Network named lab1]

lab-router1 itself is the same Ubuntu 16.04 Minimal Server Installation with openssh-server added.

The Lab Router

So you have your minimal Ubuntu 16.04 server installation. The lab router will require two network cards to be configured. The first will be set up automatically when you install the server edition of Ubuntu. In my case it was called enp0s3. This is the predictable interface naming scheme used by systemd/udev on Ubuntu since 15.10: the name is built from the NIC's position on the PCI bus (enp0s3 is bus 0, slot 3), so it stays the same across reboots and kernel upgrades, unlike the old eth0/eth1 order, which depended on which card the kernel probed first.

lab-router1 network configuration

Now to set up the initial network interface configuration for lab-router1. The address is any free IP address on your real LAN, which is external to the test lab.

The gateway for this NIC will most probably be your real LAN gateway, as will the DNS addresses set up on this interface.

Under the older naming scheme the second NIC would have been called eth1. With the predictable naming scheme we need to find out where on the PCI bus it is sitting. To find the name the system has given to what used to be eth1 we can look at the kernel log (ls /sys/class/net or ip -o link shows the same names without the history, and is the one to use once the kernel ring buffer has wrapped):

dmesg | grep eth
[    1.515269] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 08:01:02:03:04:05
[    1.515276] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[    1.941639] e1000 0000:00:08.0 eth1: (PCI:33MHz:32-bit) 08:01:02:03:04:06
[    1.941649] e1000 0000:00:08.0 eth1: Intel(R) PRO/1000 Network Connection
[    1.944338] e1000 0000:00:03.0 enp0s3: renamed from eth0
[    1.960369] e1000 0000:00:08.0 enp0s8: renamed from eth1

You can see from the output above that the two interfaces on my virtual machine have been renamed to enp0s3 and enp0s8 (PCI slots 3 and 8, which correspond to adapter 1 and adapter 2 in VirtualBox). On real hardware the names will be different; I get eno1 for the onboard NIC on an MSI motherboard.

External NIC

Name enp0s3
IP Address 192.168.0.4
Netmask 255.255.255.0
Gateway 192.168.0.1
DNS server 192.168.0.9 (the DNS server on your real LAN)

Internal NIC

Name enp0s8
IP Address 10.1.200.1
Netmask 255.255.255.0

This information can be used to update the interfaces file to configure the network.

sudo nano /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
   address 192.168.0.4
   netmask 255.255.255.0
   gateway 192.168.0.1
   dns-nameservers 192.168.0.9
   dns-search dragon.lab 
#   pre-up iptables-restore < /etc/iptables.rules

auto enp0s8
iface enp0s8 inet static
   address 10.1.200.1
   netmask 255.255.255.0

After restarting the network or rebooting you should see something like this.

sudo ifdown enp0s3 ; sudo ifup enp0s3
ifconfig
enp0s3    Link encap:Ethernet  HWaddr 08:01:02:03:04:05  
          inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fea3:24c6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6541 (6.5 KB)  TX bytes:6111 (6.1 KB)

enp0s8    Link encap:Ethernet  HWaddr 08:01:02:03:04:06  
          inet addr:10.1.200.1  Bcast:10.1.200.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:feb0:35ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:578 (578.0 B)

Dnsmasq on lab-router1

You will want to install some form of DNS and DHCP server on the lab router unless you plan on having one somewhere else within your test lab. See my post HOWTO Setup Dnsmasq as a DNS and DHCP server. You can easily turn the DHCP side of Dnsmasq on and off by commenting out the dhcp-range options in the configuration file and restarting the daemon. Whatever you do, make sure dnsmasq only listens on enp0s8 (interface=enp0s8 together with bind-interfaces): by default it answers on every interface, and a DHCP server answering on enp0s3 would start handing out 10.1.200.x addresses to machines on your real LAN.

Here is a quick config file for Dnsmasq. I posted this quickly; I'll try and test it over the next weekend.
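As an added example that is not the post's own config file, here is a small script that writes a dnsmasq configuration for lab-router1 and wraps the dhcp-range toggling described above in a couple of functions. It assumes the values used elsewhere in this post (enp0s8 at 10.1.200.1, the dragon.lab domain, a 10.1.200.150-200 pool, the LAN resolver at 192.168.0.9, lab-server1 at 10.1.200.10) and a made-up MAC address for lab-server1; /etc/dnsmasq.d/lab.conf is the drop-in location the Ubuntu dnsmasq package reads, and can be overridden with LAB_CONF.

```bash
#!/bin/bash
# Added example (not the post's own config): write a dnsmasq configuration for
# lab-router1 that serves DNS and DHCP on the lab side only, plus helpers to
# toggle DHCP the way the post does with sed. Assumed values: internal NIC
# enp0s8 at 10.1.200.1, lab domain dragon.lab, DHCP pool 10.1.200.150-200,
# upstream DNS 192.168.0.9 on the real LAN, lab-server1 fixed at 10.1.200.10
# with a made-up MAC. The Ubuntu package reads /etc/dnsmasq.d/*.conf.

LAB_CONF=${LAB_CONF:-/etc/dnsmasq.d/lab.conf}

lab_dnsmasq_conf() {
    # Write the configuration to $1 (default $LAB_CONF) and print the path.
    local out=${1:-$LAB_CONF}
    cat > "$out" <<'EOF'
# Listen on the lab NIC only. Without interface= and bind-interfaces dnsmasq
# answers on every interface, so lab-router1 would become a rogue DHCP server
# on the real LAN. (dnsmasq adds lo by itself so the router can use 127.0.0.1.)
interface=enp0s8
bind-interfaces

# Lab names are answered locally and never sent upstream.
domain=dragon.lab
local=/dragon.lab/
expand-hosts

# Everything else goes to the LAN resolver, not to whatever is in /etc/resolv.conf.
no-resolv
server=192.168.0.9

# DHCP for lab clients. Comment dhcp-range out to run as DNS only.
dhcp-range=10.1.200.150,10.1.200.200,12h
dhcp-option=option:router,10.1.200.1
dhcp-option=option:dns-server,10.1.200.1
dhcp-authoritative

# Fixed lease for lab-server1 so the port-forwarding rules keep pointing at it
# (MAC address is made up for the example).
dhcp-host=08:00:27:aa:bb:10,lab-server1,10.1.200.10
EOF
    echo "$out"
}

dhcp_enabled() {
    # Succeed if the file has an active (uncommented) dhcp-range line.
    grep -q '^dhcp-range=' "${1:-$LAB_CONF}"
}

dhcp_toggle() {
    # on|off: uncomment or comment the dhcp-range line in $2. Edits only;
    # call dnsmasq_reload afterwards.
    local mode=$1 conf=${2:-$LAB_CONF}
    case $mode in
        on)  sed -i 's/^#\(dhcp-range=\)/\1/' "$conf" ;;
        off) sed -i 's/^\(dhcp-range=\)/#\1/' "$conf" ;;
        *)   echo "usage: dhcp_toggle on|off [conf]" >&2; return 2 ;;
    esac
}

dnsmasq_reload() {
    # Syntax-check the whole configuration before restarting: a broken file
    # would leave the lab without DNS until someone notices.
    dnsmasq --test || return 1
    service dnsmasq restart
}

# Typical use on lab-router1 (as root):
#   lab_dnsmasq_conf && dnsmasq_reload
#   dhcp_toggle off && dnsmasq_reload   # DNS only, e.g. while testing another DHCP server
```

The toggle only edits the file; dnsmasq_reload runs dnsmasq --test first, so a typo in the file is caught before the running daemon is stopped.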

The Desktop and Server Machines

These machines are used to simulate a workstation or a server inside the lab. They do not communicate directly with the local LAN, only with other lab machines and lab-router1. They can also be installed outside of the lab environment and then have their network changed as follows:

VirtualBox Network Settings

[Screenshot: desktop-eth0, the single adapter of lab-desktop1, attached to the Internal Network named lab1]

This machine only needs one NIC and it is on the VirtualBox Internal Network with the name lab1, which is the same internal network you used for lab-router1's second adapter. See below for an example of a network configuration using a dynamic IP address. The commented-out config is for a static IP address and assumes lab-router1 is the DNS server in the test lab.

lab-desktop1

sudo nano /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback

# If you have set up a DHCP server inside the lab use this block;
# otherwise comment it out and uncomment the static configuration below.
auto enp0s3
iface enp0s3 inet dhcp
   hostname lab-desktop1

#auto enp0s3
#iface enp0s3 inet static
#   address 10.1.200.10
#   gateway 10.1.200.1
#   netmask 255.255.255.0
#   dns-nameservers 10.1.200.1
#   dns-search dragon.lab 

Do not forget to change the VirtualBox settings on the network card to Internal Networking, and when you start this machine up again you should be able to dig or ping sites inside your test lab. You will not be able to access anything outside of the test lab.

The Firewall on lab-router1

This is the part that makes your test lab usable. Let's start with a little script to remove all iptables rules and reset the chain policies to ACCEPT. You may think that is a strange thing to start with; the reason I do it this way round is that when we make a mistake or a typo in the iptables rules we have an easy way to turn off the firewall 🙂 Bear in mind that after running it the router is completely open, so only run it from the VirtualBox console and put the rules straight back. If /root/bin does not exist yet, create it first with mkdir -p.

sudo nano /root/bin/fw.stop
#!/bin/bash

echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Change the permissions so only root can execute it, or in fact see the file.

sudo chmod 700 /root/bin/fw.stop
sudo chown root:root /root/bin/fw.stop

Now any time we need to remove all the rules we have added to iptables we can simply execute the script after logging in at the console, i.e. the VirtualBox window.

sudo /root/bin/fw.stop

Since the lab machines will need to talk to the outside world, and the internet, we need to turn on IP forwarding in the kernel (this is packet forwarding between the two NICs; the port forwarding with DNAT comes later). To turn it on we have some choices. To do it until the next reboot you can write to /proc, but note that the redirection is done by your own shell, not by sudo, so the plain sudo echo "1" > ... form fails with permission denied:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

You can use sysctl to perform the same function, and this will also not survive a reboot.

sudo sysctl -w net.ipv4.ip_forward=1

Or you can edit the .conf file as shown below, which will continue to work over a reboot (run sudo sysctl -p afterwards to apply it without rebooting).

sudo nano /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Once forwarding is on, lab-router1 will forward any packet routed through it, in either direction, for as long as the FORWARD chain policy is ACCEPT and the chain is empty. That is what we want while building the lab, but remember that the FORWARD chain is wide open until you add rules to it.

We need to add three rules: one for the loopback interface and the other two for the external interface, enp0s3, so that packets get SNATed to the outside and we accept returning packets for established connections. The --to-source address must be the address configured on enp0s3 (192.168.0.4 above); if that address comes from DHCP, use -j MASQUERADE instead of SNAT so it follows the interface.

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.0.4

With these rules connections from the lab will reach the internet and should work. 🙂 Save them so they can be restored later (the redirection has to run as root, which is why it is wrapped in su -c rather than written as sudo iptables-save > file):

sudo su -c 'iptables-save > /etc/iptables.rules'

It should look something like this:

# Generated by iptables-save v1.6.0 on Sun Jun 12 10:16:44 2016
*mangle
:PREROUTING ACCEPT [116:8000]
:INPUT ACCEPT [116:8000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [71:18052]
:POSTROUTING ACCEPT [71:18052]
COMMIT
# Completed on Sun Jun 12 10:16:44 2016
# Generated by iptables-save v1.6.0 on Sun Jun 12 10:16:44 2016
*filter
:INPUT ACCEPT [2:64]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [36:11536]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Jun 12 10:16:44 2016
# Generated by iptables-save v1.6.0 on Sun Jun 12 10:16:44 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.0.4
COMMIT
# Completed on Sun Jun 12 10:16:44 2016

These rules will not survive a reboot though. You may have been wondering what the commented-out line in the /etc/network/interfaces file was all about. Uncomment it and either restart networking or reboot lab-router1. As enp0s3 is brought up the iptables rules will be loaded from the saved file, before the interface carries any traffic.

The iptables-save above should be done whenever you want to update the rules loaded at boot time. That is, try out the new rules from the command line, and when you are happy with them save them to /etc/iptables.rules.

At this point we should be able to ping or dig sites like bbc.co.uk or cnn.com and machines on your own local LAN (remember to use the fully qualified names for your LAN, as it is considered part of the internet when looking from within the test lab). You should also be able to ssh to lab-router1.

The router itself is still totally open: every port on it is reachable from the LAN, and no connections are being forwarded to any servers such as mail or web servers yet.

Lock Down All the Ports

I find that once I get to this stage I want to be able to add and change the iptables rules, so I put them into a script. This is because the order of the rules is significant: iptables stops at the first matching rule, so an ACCEPT placed after a catch-all REJECT never fires. Let's create a file called /root/bin/fw.rules_common.

#!/bin/bash
#
# If you change this file and want them to be used when the machine reboots 
# remember to rebuild the default rules loaded when the network comes up,
# /etc/iptables.rules
# Use the command below after testing to regenerate that file:
# iptables-save > /etc/iptables.rules
#
#
echo "Enable rules to block stuff"

# Allow all connections to lo (loopback)
# ======================================
iptables -A INPUT -i lo -j ACCEPT

# Allow replies to established connections
# ========================================
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Sort out NATing for lab machines
# ================================
iptables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.0.4

# REJECT any remaining packects
# ===========================
# This must be LAST, it blocks all remaining new INPUTs on enp0s3
iptables -A INPUT -i enp0s3 -j REJECT

# OR set the default action for INPUT to be DROP
# This is not quite the same thing: the policy applies to every interface,
# including enp0s8 and lo, so lab machines then need explicit ACCEPT rules.
# I found it to be slower when accepting connections. A policy can be set
# anywhere in the script, first or last.
#iptables -P INPUT DROP

Remember to change the permissions as we did above for the fw.stop script.

If you run /root/bin/fw.stop and then this script it will first remove all the rules and then put the new ones back, ready for testing. At the end of this post is a full listing with many examples you can build on.

The script above has a new rule at the end. That is the rule which closes all the ports on enp0s3. I REJECT them; you can also DROP them. There are many, many posts advocating both methods, and you can read up on that and choose which way to go. Both block the port, but they are not identical: REJECT sends the client an ICMP port-unreachable (or a TCP reset with --reject-with tcp-reset), so a connection attempt fails immediately and the client knows a host is there; DROP discards the packet silently, so the client waits for a timeout, which makes port scans slower but also makes your own typos harder to debug. For a lab, REJECT is the friendlier choice.

Run the two commands from within the console or VirtualBox window and you should see that you can no longer ssh from your LAN.

/root/bin/fw.stop
/root/bin/fw.rules_common

We will run these two commands each time we add rules to the firewall. If we just add rules from the command line with -A they are appended after the final REJECT and never match (iptables -L -v -n --line-numbers shows the order and the per-rule packet counters; -I INPUT <n> would insert at a given position, but re-running the script is less error prone). Try it and see 🙂

Simple Port Forwarding from the lab-router

In this example of simple port forwarding we will be using ssh to show how to forward ports, and how to change the port number as it is forwarded. We want to access both lab-router1 and lab-server1 with ssh from our LAN. Since one external port can only be forwarded to one place we will need a second port number alongside the usual port 22.

Let's say we want to access lab-router1 using port 2222 and use the standard port 22 for lab-server1.

We need to open ports 22 and 2222 in our firewall, but only when being accessed from our LAN.

iptables -A INPUT -i enp0s3 -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i enp0s3 -s 192.168.0.0/24 -p tcp --dport 2222 -j ACCEPT

Now we need to forward port 22 to lab-server1, 10.1.200.10. We also wanted to use port 2222 to reach port 22 on lab-router1 itself. Here are the rules.

# Only allow ssh via 2222 externally to lab-router1
iptables -t nat -A PREROUTING -p tcp --dport 2222 -i enp0s3 -j DNAT --to 192.168.0.4:22
# forward port 22 (ssh) connections to lab-server1
iptables -t nat -A PREROUTING -p tcp --dport 22 -i enp0s3 -j DNAT --to 10.1.200.10:22

A word on how these interact, because it is not obvious. The nat PREROUTING chain runs before the filter INPUT and FORWARD chains, so the filter rules see the destination after translation. A connection to 192.168.0.4:2222 is rewritten to 192.168.0.4:22 and arrives in INPUT with a destination port of 22, which is what the first INPUT rule above accepts; the --dport 2222 INPUT rule never matches anything and can be dropped. A connection to 192.168.0.4:22 is rewritten to 10.1.200.10:22 and routed out of enp0s8, so it goes through the FORWARD chain and never touches INPUT at all (it gets through because FORWARD still has a policy of ACCEPT). Because the 2222 target is the router's own address, -j REDIRECT --to-ports 22 does the same job with one less address to keep in sync if enp0s3 ever changes.

Run the stop and rules commands again to check that out. From a machine on your LAN you should now reach lab-router1 on port 2222:

ssh -p 2222 username@lab-router1

And this command should take you to lab-server1 even though you specify lab-router1 on the command line; remember the port forwarding for port 22. If you had ssh'd to lab-router1 on port 22 before, ssh will warn that the host key for lab-router1 has changed, because you are now talking to lab-server1's sshd. That warning is expected here, and it is exactly what you want to see whenever a port forward silently sends you somewhere new.

ssh username@lab-router1

To make sure the rules survive a reboot save them to a file as we did above and they will be loaded when enp0s3 is brought up.

sudo su -c 'iptables-save > /etc/iptables.rules'

You can add additional rules for, say, 80 and 443 (HTTP and HTTPS) and forward them to a lab web server in the same way; each DNAT also needs a matching INPUT or FORWARD rule once you start restricting those chains.
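The three pieces above (the NAT rules, the lock-down script and the port forwards) are easiest to get right as one ordered script, so here is the one I would put on lab-router1, as an added example; it is not the post's own fw.rules_common. It assumes the addresses used in this post (enp0s3 at 192.168.0.4 on 192.168.0.0/24, enp0s8 on 10.1.200.0/24, lab-server1 at 10.1.200.10) and the file name /etc/iptables.rules, all of which can be overridden through the environment. It does two things differently from the listings above: the FORWARD chain gets a DROP policy with explicit rules for lab-to-outside traffic and for the DNATed ssh, so the LAN cannot route into 10.1.200.0/24 just because ip_forward is on, and SNAT is applied only to lab sources. DRY_RUN=1 prints every command instead of running it, so you can check the order before applying it as root.

```bash
#!/bin/bash
# lab-fw.sh: ordered, default-deny firewall for lab-router1.
# Added example, not the post's own script. Assumptions (override by
# environment): enp0s3 = external NIC at 192.168.0.4 on LAN 192.168.0.0/24,
# enp0s8 = internal NIC on lab network 10.1.200.0/24, lab-server1 = 10.1.200.10.
# Usage (as root): lab-fw.sh apply|stop|save. With DRY_RUN=1 every command is
# printed instead of executed, which is how you review the rule order safely.

EXT_IF=${EXT_IF:-enp0s3}
EXT_IP=${EXT_IP:-192.168.0.4}
INT_IF=${INT_IF:-enp0s8}
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAB_NET=${LAB_NET:-10.1.200.0/24}
LAB_SERVER1=${LAB_SERVER1:-10.1.200.10}
RULES_FILE=${RULES_FILE:-/etc/iptables.rules}

run() {
    # Execute a command, or print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

fw_flush() {
    for t in filter nat mangle; do
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
}

fw_stop() {
    # The post's fw.stop: remove every rule and open up completely.
    fw_flush
    for c in INPUT FORWARD OUTPUT; do run iptables -P "$c" ACCEPT; done
}

fw_apply() {
    # Default deny first, then rebuild the rule set in order. OUTPUT stays open
    # so the router itself can resolve, update and ssh out.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    fw_flush
    run sysctl -q -w net.ipv4.ip_forward=1

    # Loopback, then replies to existing connections; these match most packets
    # so they go first. INVALID (out-of-state) packets are dropped early.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Lab side: lab machines may use the router (DNS, DHCP, ssh). DHCP discovers
    # come from 0.0.0.0, so the source-network rule alone would not match them.
    run iptables -A INPUT -i "$INT_IF" -s "$LAB_NET" -j ACCEPT
    run iptables -A INPUT -i "$INT_IF" -p udp --sport 68 --dport 67 -j ACCEPT

    # LAN side: ssh and ping to the router from the LAN only. Port 2222 is
    # REDIRECTed to 22 in nat/PREROUTING before INPUT sees it, so one rule for
    # dport 22 covers both; a --dport 2222 rule here would never match.
    run iptables -A INPUT -i "$EXT_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -s "$LAN_NET" -p icmp --icmp-type echo-request -j ACCEPT

    # Forwarding: lab -> outside freely; outside -> lab only for the DNATed ssh
    # to lab-server1. Without the DROP policy the LAN could route straight into
    # 10.1.200.0/24 through the router as soon as ip_forward is on.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAB_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$LAN_NET" -d "$LAB_SERVER1" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # NAT: SNAT only lab traffic, to the address actually on enp0s3.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAB_NET" -j SNAT --to-source "$EXT_IP"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$LAN_NET" -p tcp --dport 2222 -j REDIRECT --to-ports 22
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$LAN_NET" -p tcp --dport 22 -j DNAT --to-destination "$LAB_SERVER1:22"

    # Log what is about to be refused (rate limited so a scan cannot fill the
    # log), then reject on the LAN side. These stay LAST: -A appends, so anything
    # added after them from the command line is never reached.
    run iptables -A INPUT -i "$EXT_IF" -m limit --limit 2/min -j LOG --log-prefix "lab-fw INPUT: "
    run iptables -A FORWARD -m limit --limit 2/min -j LOG --log-prefix "lab-fw FORWARD: "
    run iptables -A INPUT -i "$EXT_IF" -p tcp -j REJECT --reject-with tcp-reset
    run iptables -A INPUT -i "$EXT_IF" -j REJECT
}

fw_save() {
    # Persist the live rule set for the pre-up iptables-restore line in
    # /etc/network/interfaces.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables-save > $RULES_FILE"
    else iptables-save > "$RULES_FILE"; fi
}

case "${1:-}" in
    apply) fw_apply ;;
    stop)  fw_stop ;;
    save)  fw_save ;;
esac
```

Run lab-fw.sh apply from the console, confirm that ssh -p 2222 from the LAN lands on lab-router1 and plain ssh on lab-server1, then lab-fw.sh save to refresh /etc/iptables.rules. iptables -L -v -n --line-numbers shows the live order and the counters tell you which rule each packet hit; the LOG lines in the kernel log show what the final REJECT and the FORWARD policy are refusing.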

Bandwidth Monitoring Tool

I like to install this little command line tool to see the two NICs working away on the router.

sudo apt-get install bwm-ng

Then just run it with bwm-ng on the command line. You will work it out. 🙂

Now you have a very basic lab-router1 setup and ready for you to start playing around with networks and remote access.

Useful Links

Netfilter, Using iptables
Netfilter, Source NAT
Ubuntu iptables Howto

Script to Set Basic Firewall Configuration

This script has examples of other iptables rules you might like to use as a basis for your own. It is fw.rules_common from above with the optional sections left in, commented out.

#!/bin/bash
#
# If you change this file and want them to be used when the machine reboots 
# remember to rebuild the default rules loaded when the network comes up,
# /etc/iptables.rules
# Use the command below after testing to regenerate that file:
# iptables-save > /etc/iptables.rules
#
#
echo "Enable rules to block stuff"

# Allow all connections to lo (loopback)
# ======================================
iptables -A INPUT -i lo -j ACCEPT

# Allow replies to established connections
# ========================================
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


# Sort out NATing for lab machines
# ================================
iptables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 192.168.0.4


# Try and stop DoS attacks
# ========================
#    -m limit: This uses the limit iptables extension
#    --limit 25/minute: This limits new connections to 25 per minute.
#    --limit-burst 50:  This value indicates that the limit/minute will be
#                       enforced only after the total number of connections
#                       has reached the limit-burst level.
# These only bite if the unconditional ACCEPT rules for the same ports further
# down are removed; otherwise anything over the limit is accepted there
# instead of falling through to the final REJECT.
#iptables -A INPUT -i enp0s3 -p tcp -m multiport \
#        --dports 21,22,25,110,143,587,993,995 -m state --state NEW -m limit \
#        --limit 4/minute --limit-burst 5 -j ACCEPT
#iptables -A INPUT -i enp0s3 -p tcp -m multiport --dports 80,443,8080 -m state \
#         --state NEW -m limit --limit 25/minute --limit-burst 50 -j ACCEPT


# Block connections from known spammers
# =====================================
# Block one IP address
# iptables -A INPUT -s 11.22.33.44 -j REJECT
# or a range that does not fall on a CIDR boundary
# iptables -I INPUT -m iprange --src-range 1.2.3.4-1.2.255.255 -j REJECT
# or a range as CIDR (iprange does not take CIDR notation; plain -s does)
# iptables -I INPUT -s 1.2.0.0/16 -j REJECT


# Allow a bunch of ports & services through
# =========================================
# web server
#iptables -A INPUT -i enp0s3 -p tcp -m multiport --dports 80,443,8080 -j ACCEPT
# mail server
#iptables -A INPUT -i enp0s3 -p tcp -m multiport --dports 25,110,143,587,993,995 \
#        -j ACCEPT
# ssh from my LAN only. 2222 is rewritten to 22 in nat/PREROUTING before
# INPUT sees it, so the dport 22 rule is the one that actually admits it.
iptables -A INPUT -i enp0s3 -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i enp0s3 -s 192.168.0.0/24 -p tcp --dport 2222 -j ACCEPT
# To allow a range of ports for say proftp 49152-49200
#iptables -A INPUT -i enp0s3 -p tcp --dport 49152:49200 -j ACCEPT
# Remote Desktop Connections
#iptables -A INPUT -i enp0s3 -p tcp --dport 3389 -j ACCEPT

# Port forwarding
# ===============
# Only allow ssh via 2222 externally to lab-router1
iptables -t nat -A PREROUTING -p tcp --dport 2222 -i enp0s3 -j DNAT \
         --to 192.168.0.4:22
# forward port 22 (ssh) conections to lab-server1
iptables -t nat -A PREROUTING -p tcp --dport 22 -i enp0s3 -j DNAT \
          --to 10.1.200.10:22
 
# To forward a bunch of ports to the same server, keeping the same port
# numbers, you could try this, e.g. a combined mail and web server might need
iptables -t nat -A PREROUTING -p tcp -m multiport \
         --dports 80,443,25,110,143,587,993,995 -i enp0s3 \
         -j DNAT --to 10.1.200.11
 
# To get the same thing with single ports per line
#iptables -t nat -A PREROUTING -p tcp --dport  80 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:80
#iptables -t nat -A PREROUTING -p tcp --dport 443 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:443
#iptables -t nat -A PREROUTING -p tcp --dport  25 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:25
#iptables -t nat -A PREROUTING -p tcp --dport 110 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:110
#iptables -t nat -A PREROUTING -p tcp --dport 143 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:143
#iptables -t nat -A PREROUTING -p tcp --dport 587 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:587
#iptables -t nat -A PREROUTING -p tcp --dport 993 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:993
#iptables -t nat -A PREROUTING -p tcp --dport 995 -i enp0s3 -j DNAT \
#         --to 10.1.200.10:995
 
# You could even do the above like this, assuming they all go to the same host
# it is less typing and easier to debug
#for p in 80 443 25 110 143 587 993 995
#do
#   iptables -t nat -A PREROUTING -p tcp --dport $p -i enp0s3 -j DNAT \
#            --to 10.1.200.10:$p
#done
 
# To forward a range of ports, to the same port on another machine.
#iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 64000:65000 -j DNAT \
#         --to 10.1.200.10
# The same thing but to a different range. The target range is written
# port-port, not port:port as in the match.
#iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 64000:65000 -j DNAT \
#         --to 10.1.200.10:44000-45000


# PING
# ====
# Allows pings from one specific machine and anywhere within the lab network,
# reject from everywhere else
#iptables -A INPUT -s 192.168.0.9 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A INPUT -s 10.1.200.0/24 -p icmp --icmp-type echo-request -j ACCEPT
#iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT


# OpenVPN
# =======
# open the VPN port
#iptables -A INPUT -i enp0s3 -p udp --dport 1194 -j ACCEPT
# Forward OpenVPN connections to lab-addc1
#iptables -t nat -A PREROUTING -p udp --dport 1194 -i enp0s3 -j DNAT \
#         --to 10.1.200.3:1194


# Logging DROPed packets
# ==========================
#iptables -N LOGGING
#iptables -A INPUT -j LOGGING
#iptables -A LOGGING -m limit --limit 2/min -j LOG \
#         --log-prefix "IPTables Packet Dropped: " --log-level 7


# REJECT any remaining packets
# ===========================
# This must be LAST, it blocks all remaining new INPUTs on enp0s3
iptables -A INPUT -i enp0s3 -j REJECT

# OR set the default action for INPUT to be DROP
# This is not quite the same thing: the policy applies to every interface,
# including enp0s8 and lo, so lab machines then need explicit ACCEPT rules.
# A policy can be set anywhere in the script, first or last.
#iptables -P INPUT DROP

To have a script to turn on the dnsmasq DHCP function you could use:

# ==========================
# Turn on dhcp
# ==========================
echo "Turn on the DHCP server in dnsmasq"
sed -e 's/^#\(dhcp-range=10.1.200.150.*\)/\1/' -i /etc/dnsmasq.conf
service dnsmasq restart

To turn off the dnsmasq DHCP function (DNS keeps running) you could use:

# ==========================
# Turn off dhcp
# ==========================
echo "Turn off the DHCP server in dnsmasq"
sed -e 's/^\(dhcp-range=10.1.200.150.*\)/#\1/' -i /etc/dnsmasq.conf
service dnsmasq restart

To stop dnsmasq simply stop the service

sudo service dnsmasq stop

6 thoughts on “Test Networking Lab Ubuntu On 16.04”

  1. Dennis Loyer

    Good morning!
    I’m trying to follow your test lab setup wherein you create lab-router1, lab-server1, and lab-desktop1. I intend to setup lab-router1 as a DNS and DHCP using dnsmasq, per your tutorial on doing just that. I intend to setup lab-server1 as SAMBA AD DC for grins-n-giggles, and I have a few clarification questions.

    In your test lab, you have a local network with ip’s in the 10.1.200.* range.

    However, in your dnsmasq tutorial, you use local network IP’s in the 192.168.0.* range.

    So i’m getting a little confused making the transition…

    In the dnsmaq tutorial, under the section on editing the /etc/dnsmasq.conf, you have some setting that need to be changed to point to the 10.1.200.* range in order to work for your test lab.

    Specifically:

    server=/example.com/192.168.0.5

    should this point to lab-router1, or lab-server1 (10.1.200.1 or 10.1.200.2)? And should the “/example.com/” section be changed to whatever domain I’m using for my test lab setup? i.e for my test lab, it would be “/lan.myprydain.com/”. the intention here is that myprydain.com is the “exposed to the world” domain, and lan.myprydain.com is an internal-lan-only sub-domain. My DNS will resolve all lan.myprydain.com requests, and pass on any other requests, including myprydain.com (no sub-domain) to a public dns, such as 8.8.8.8

    local=/example.com/

    again, should it be set to /lan.mypryrdain.com/?

    dhcp-range=192.168.0.20,192.168.0.50,72h

    change this to 10.1.200.20,10.1.200.50,72h to assign that range to clients requesting an ip from the dhcp server?

    dhcp-range=tftp,192.168.0.250,192.168.0.254

    same-same…20.1.200.250,20.1.200.254?

    dhcp-option=option:router,192.168.0.1 <– 20.1.200.1?

    dhcp-option=option:ntp-server,192.168.0.5 <– ah, here's an interesting one. Point to ntp-server on the local network, right? So if I decide to run that on lab-router1, point to 20.1.200.1, if on lab-server1, point to 20.1.200.2?

    dhcp-option=19,0 # ip-forwarding off
    dhcp-option=44,192.168.0.5 # set netbios-over-TCP/IP aka WINS
    dhcp-option=45,192.168.0.5 # netbios datagram distribution server
    dhcp-option=46,8 # netbios node type

    what do these do, and which machine should they point to? lab-router1? or lab-server1?

    Thanks,
    Dennis

    1. Richard Post author

      I only use dnsmasq on lab-router1 when I do not have a full DNS and DHCP running. That also means lab-router1 will have NTP running as well as a server for the lab network. I didn’t go in to that as the post was already really long.

      I have updated the post with a simple dnsmasq.conf file that will work. See the section “Dnsmasq on lab-router1”

      Running through your questions:

      server=/example.com/192.168.0.5
      This should point to any DNS you have on your real LAN assuming the domain is called example.com.

      local=/example.com/
      Yes that is right. Change example.com to lan.mypryrdain.com if the FQDN for lab-router1 will be lab-router1.lan.mypryrdain.com

      dhcp-range=192.168.0.20,192.168.0.50,72h
      You got that one spot on. You can of course, change the two IP addresses to change the range.

      dhcp-range=tftp,192.168.0.250,192.168.0.254
      This one is only needed if you are running a PXE server inside your lab. Then just point this to the IP of the FTP server within your lab. It can be commented out unless you have a PXE boot server.

      dhcp-option=option:router,192.168.0.1 <-- 20.1.200.1? This one points to the gateway IP. The external IP for lab-router1.
      dhcp-option=option:ntp-server,192.168.0.5
      You got this one right too. Just point it to the NTP server on your LAN if you have one, or if you have one in the lab network use the IP address for that. It passes the NTP server IP to DHCP clients.

      dhcp-option=19,0 # ip-forwarding off
      This should be commented out. You will probably want to forward ports.

      dhcp-option=44,192.168.0.5 # set netbios-over-TCP/IP aka WINS
      dhcp-option=45,192.168.0.5 # netbios datagram distribution server
      dhcp-option=46,8 # netbios node type
      These are just leftovers from Windows XP; they can all be left commented out. They are old MS settings that are not used from Server 2008 & Win7 onwards I believe. Again, these are passed to DHCP clients.

  2. Neil

    When setting up the initial router, you say to use the command “sudo nano /etc/network/interface”, but there should be a “s” at the end of interface, as correctly stated in the desktop portion of your setup. Very good tutorial, just a simple typo when copy/pasting into an SSH terminal.

    Second typo: When attempting to restart the router NICs after the router setup, you have enps03 but it should be enp0s3. “sudo ifdown enps03 ; sudo ifup enps03; ifconfig”

    1. Richard Post author

      Neil, You spotted my deliberate mistakes. *grin*. Thanks for letting me know, I have updated the post.

  3. Mostafa

    Hello Richard,

    thank you so much sharing your experience in networking lab.

    In case of lab-router1 I would enable SSH access from anywhere as following:
    – enable SSH access via port 22 from local network on interface enp0s8 (eth1 in my case)
    – enable SSH access via port 2222 from external network on interface enp0s3 (eth0 in my case)

    This should be done using script below, but not working.
    Any idea to solve such trivial requirement?

    #!/bin/bash

    EXT_ROUTER_IP=192.168.178.2
    INT_ROUTER_IP=192.168.177.2

    # set source of outgoing packets to the one from lap-router1
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $EXT_ROUTER_IP

    # allow connections to port 22 only from internal network
    iptables -A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # allow connections to port 2222 from external network
    iptables -A INPUT -i eth0 -p tcp --dport 2222 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # forward port 2222 to port 22
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination $INT_ROUTER_IP:22

    # forward requesting port 22 from external to internal interface
    iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 22 -j ACCEPT

    # allow established and related connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Drop any other connections
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    iptables -A OUTPUT -j DROP

  4. Mostafa

    Hello Richard,

    after analyzing trace log of IPTABLES I found the solution working as following:

    #!/bin/bash

    # External network
    EXT_ROUTER_IP=192.168.178.2
    EXT_SSH_PORT=2222

    # Internal network
    INT_ROUTER_IP=192.168.177.2

    # Set default policies
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Forward incoming SSH connections from external port to internal port
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $EXT_SSH_PORT -j DNAT --to-destination $INT_ROUTER_IP:22

    # Allow incoming SSH connections on port 22 related to internal IP of gateway
    iptables -A INPUT -d $INT_ROUTER_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Set outgoing source to the one from gateway
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $EXT_ROUTER_IP

    # Allow established and related connections
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

