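#!/usr/bin/env bash
# Lab script: build a "router" network namespace that bridges two hosts and
# show how net.bridge.bridge-nf-call-iptables decides whether bridged frames
# traverse that namespace's iptables FORWARD and nat/POSTROUTING chains.
# Needs root; it deletes and recreates the namespaces host1, host2 and router.
set -u

# --- host side ---------------------------------------------------------------
# Exempt intra-subnet traffic from NAT *before* the catch-all MASQUERADE rule.
# Without this ACCEPT, traffic bridged between 172.16.1.0/24 peers would be
# SNATed as soon as br_netfilter hands bridged frames to iptables (the effect
# the router-namespace demo below reproduces on purpose).
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -d 172.16.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE

# Keep br_netfilter from being auto-loaded: "install <module> /bin/true" makes
# modprobe run /bin/true instead of inserting the module.
# NOTE(review): while this file exists the later "modprobe br_netfilter" is a
# no-op unless the module is already loaded or built in — confirm the intent.
echo install br_netfilter /bin/true > /etc/modprobe.d/disable-br-netfilter.conf

# With this knob at 0, bridged IPv4 frames bypass the host's iptables chains.
# The sysctl only exists once br_netfilter is loaded; otherwise this command
# fails and the failure is (deliberately) not fatal here.
sysctl -w net.bridge.bridge-nf-call-iptables=0

# Same intra-subnet NAT exemption for 172.18.0.0/16 (its MASQUERADE rule, if
# any, is not part of this script).
iptables -t nat -A POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j ACCEPT

# Let frames bridged within br0 (assumed to be a host bridge) through FORWARD
# once br_netfilter is active; with a DROP policy they would otherwise be
# dropped — see the router demo below.
iptables -A FORWARD -i br0 -o br0 -j ACCEPT

# --- router namespace demo ---------------------------------------------------
# Start from scratch: remove any leftover namespaces, then recreate them.
for ns in host1 host2 router; do
  ip netns del "$ns" 2>/dev/null || :   # an absent namespace is not an error
  ip netns add "$ns"
  ip -n "$ns" link set lo up
done

# Enable forwarding on conf.default *before* any interface is created in the
# router namespace, so the interfaces added below inherit it.
ip netns exec router sysctl -q -w net.ipv4.conf.default.forwarding=1

# bridge0 is the LAN side of the router; 192.168.0.1 is the hosts' gateway.
ip -n router link add bridge0 type bridge
ip -n router link set bridge0 up
ip -n router address add 192.168.0.1/24 dev bridge0

# One veth pair per host: eth0 in hostN, its peer portN enslaved to bridge0.
# hostN gets 192.168.0.10N and routes everything via the router.
for i in 1 2; do
  ip -n "host$i" link add eth0 type veth peer netns router "port$i"
  ip -n "host$i" link set eth0 up
  ip -n "host$i" address add "192.168.0.10$i/24" dev eth0
  ip -n "host$i" route add default via 192.168.0.1
  ip -n router link set "port$i" up master bridge0
done

# WAN side, mimicking a standard NAT router: a dummy uplink with a default
# route and a MASQUERADE rule. The rule deliberately has no "-o eth0" match
# and no intra-LAN exemption, so once bridge-nf-call-iptables=1 the frames
# bridged between host1 and host2 also hit it and leave with the router's
# bridge address as source — the last "effect" this lab demonstrates.
ip -n router link add name eth0 type dummy
ip -n router link set eth0 up
ip -n router address add 192.0.2.100/24 dev eth0
ip -n router route add default via 192.0.2.1
ip netns exec router iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# Load br_netfilter so the bridge-nf-call-iptables knob exists, but start with
# it off: bridged frames bypass the router's FORWARD/nat chains until it is
# flipped to 1 (the sysctl is set from the host shell, not inside a namespace).
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=0

# Counting-only rules (no -j target): their packet/byte counters reveal whether
# bridged ICMP traverses FORWARD at all. They accept nothing, so with a DROP
# policy on FORWARD bridged traffic is dropped until a rule such as
# "-i bridge0 -o bridge0 -j ACCEPT" is added.
ip netns exec router iptables -A FORWARD -p icmp --icmp-type echo-request
ip netns exec router iptables -A FORWARD -p icmp --icmp-type echo-reply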
  44.  
  45. # ip netns exec host1 ping -n -c2 192.168.0.102
  46. PING 192.168.0.102 (192.168.0.102) 56(84) bytes of data.
  47. 64 bytes from 192.168.0.102: icmp_seq=1 ttl=64 time=0.047 ms
  48. 64 bytes from 192.168.0.102: icmp_seq=2 ttl=64 time=0.058 ms
  49.  
  50. --- 192.168.0.102 ping statistics ---
  51. 2 packets transmitted, 2 received, 0% packet loss, time 1017ms
  52. rtt min/avg/max/mdev = 0.047/0.052/0.058/0.009 ms
  53.  
  54. # ip netns exec router iptables -v -S FORWARD
  55. -P FORWARD ACCEPT -c 0 0
  56. -A FORWARD -p icmp -m icmp --icmp-type 8 -c 0 0
  57. -A FORWARD -p icmp -m icmp --icmp-type 0 -c 0 0
  58.  
  59. # sysctl -w net.bridge.bridge-nf-call-iptables=1
  60. net.bridge.bridge-nf-call-iptables = 1
  61. # ip netns exec host1 ping -n -c2 192.168.0.102
  62. PING 192.168.0.102 (192.168.0.102) 56(84) bytes of data.
  63. 64 bytes from 192.168.0.102: icmp_seq=1 ttl=64 time=0.094 ms
  64. 64 bytes from 192.168.0.102: icmp_seq=2 ttl=64 time=0.163 ms
  65.  
  66. --- 192.168.0.102 ping statistics ---
  67. 2 packets transmitted, 2 received, 0% packet loss, time 1006ms
  68. rtt min/avg/max/mdev = 0.094/0.128/0.163/0.036 ms
  69.  
  70. # ip netns exec router iptables -v -S FORWARD
  71. -P FORWARD ACCEPT -c 4 336
  72. -A FORWARD -p icmp -m icmp --icmp-type 8 -c 2 168
  73. -A FORWARD -p icmp -m icmp --icmp-type 0 -c 2 168
  74.  
  75. # ip netns exec host1 ping -n -c2 192.168.0.102
  76. PING 192.168.0.102 (192.168.0.102) 56(84) bytes of data.
  77.  
  78. --- 192.168.0.102 ping statistics ---
  79. 2 packets transmitted, 0 received, 100% packet loss, time 1008ms
  80.  
  81. # ip netns exec router iptables -v -S FORWARD
  82. -P FORWARD DROP -c 2 168
  83. -A FORWARD -p icmp -m icmp --icmp-type 8 -c 4 336
  84. -A FORWARD -p icmp -m icmp --icmp-type 0 -c 2 168
  85.  
  86. # ip netns exec router iptables -A FORWARD -i bridge0 -o bridge0 -j ACCEPT
  87. # ip netns exec host1 ping -n -c2 192.168.0.102
  88. PING 192.168.0.102 (192.168.0.102) 56(84) bytes of data.
  89. 64 bytes from 192.168.0.102: icmp_seq=1 ttl=64 time=0.132 ms
  90. 64 bytes from 192.168.0.102: icmp_seq=2 ttl=64 time=0.123 ms
  91.  
  92. --- 192.168.0.102 ping statistics ---
  93. 2 packets transmitted, 2 received, 0% packet loss, time 1024ms
  94. rtt min/avg/max/mdev = 0.123/0.127/0.132/0.012 ms
  95.  
  96. # ip netns exec router iptables -v -S FORWARD
  97. -P FORWARD DROP -c 0 0
  98. -A FORWARD -p icmp -m icmp --icmp-type 8 -c 6 504
  99. -A FORWARD -p icmp -m icmp --icmp-type 0 -c 4 336
  100. -A FORWARD -i bridge0 -o bridge0 -c 4 336 -j ACCEPT
  101.  
  102. # ip netns exec host2 tcpdump -l -n -s0 -i eth0 -p icmp
  103. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  104. listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  105. 02:16:11.068795 IP 192.168.0.1 > 192.168.0.102: ICMP echo request, id 9496, seq 1, length 64
  106. 02:16:11.068817 IP 192.168.0.102 > 192.168.0.1: ICMP echo reply, id 9496, seq 1, length 64
  107. 02:16:12.088002 IP 192.168.0.1 > 192.168.0.102: ICMP echo request, id 9496, seq 2, length 64
  108. 02:16:12.088063 IP 192.168.0.102 > 192.168.0.1: ICMP echo reply, id 9496, seq 2, length 64