Iptable & routing in a virtualbox lab


I set up a virtual box lab, with the following configuration:

Virtual Lab Setup

In order to make the lab work, I create the following interfaces with a script, enabling port forwarding for the server machine so that it has internet access.

These commands are triggered from the HOST machine:

tunctl -t tap0 -u myuser
ip link set up dev tap0
brctl addbr br0
brctl addif br0 tap0
ip link set up dev br0
ip addr add 10.1.1.1/24 dev br0
ip route add 10.1.1.0/24 dev br0
tunctl -t tap1 -u myuser
tunctl -t tap2 -u myuser
tunctl -t tap3 -u myuser
ip link set up dev tap1
ip link set up dev tap2
ip link set up dev tap3
brctl addbr br1
brctl addif br1 tap1
brctl addif br1 tap2
brctl addif br1 tap3
ip link set up dev br1
ip addr add 10.1.2.1/24 dev br1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Using the VirtualBox GUI I assign the following interfaces to the server and clients:

server -> tap0 , tap1 [Bridged network]

client1 -> tap2 [Bridged network]

client2 -> tap3 [Bridged network]

Then I edit /etc/network/interfaces and resolv.conf:

SERVER

*# cat /etc/network/interfaces*
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.1.1.2
netmask 255.255.255.0
up route add default gw 10.1.1.1 dev eth0
auto eth1
iface eth1 inet static
address 10.1.2.2
netmask 255.255.255.0

*# cat /etc/resolv.conf*
domain 
search 
nameserver 192.168.2.194

CLIENT 1

*# cat /etc/network/interfaces*
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.1.2.3
netmask 255.255.255.0
up route add default gw 10.1.2.2 dev eth0

*# cat /etc/resolv.conf*
domain 
search 
nameserver 10.1.2.2

CLIENT 2

*# cat /etc/network/interfaces*
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 10.1.2.4
netmask 255.255.255.0
up route add default gw 10.1.2.2 dev eth0

*# cat /etc/resolv.conf*
domain 
search 
nameserver 10.1.2.2

With this configuration:

I can access the internet from the server machine,

I can access any machine in the network via ssh,

I can't access the internet from the client1 and client2 machines...

Can you help me set up a routing rule to get rid of this problem?

Michele C.

Posted 2015-11-17T10:15:04.297

Reputation: 21

I forgot to mention that host, server, client1 and client2 are all Debian – Michele C. – 2015-11-17T12:40:31.007

From any of the clients, can you ping -c1 8.8.8.8? – MariusMatutiae – 2015-11-17T12:48:36.800

And, on which machine are you running the first set of instructions, the one that begins with tunctl? On the host? – MariusMatutiae – 2015-11-17T12:52:36.767

No, I can't ping Google's DNS; from the client machines I can only reach 10.1.2.x addresses – Michele C. – 2015-11-17T12:54:15.337

Yes, of course; I omitted to say so because I thought it was obvious.... – Michele C. – 2015-11-17T12:55:12.087

Answers


And, on which machine are you running the first set of instructions, the one that begins with tunctl? On the host?

yes of course, i omitted to say cause i thought it was obvious....

Not necessarily: the all-important iptables rule

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

which should have been on the server, is instead to be found on the (useless!) host. Ditto for

echo 1 > /proc/sys/net/ipv4/ip_forward

Lastly, (but independent of the above), the statement

nameserver 10.1.2.2

on both clients is a tad suspicious: did you set up a DNS server on the Server? Until you do, you are better off using

nameserver 8.8.8.8

or something of this sort.

I cannot state that these are the only errors in your configuration. There is so much that is useless (a bridge made only of a virtual interface??? A bridge on the Host? VBox will take care of that! a statement like

nameserver 192.168.2,194

with a comma instead of a dot), that I can only state that the points I made above ought to be corrected, but then most likely an extra round of debugging will be needed. When you do that, make sure to use tcpdump to check where the packet flow is broken, because that makes network debugging so much easier than I can go from here to there, but not from ....

MariusMatutiae

Posted 2015-11-17T10:15:04.297

Reputation: 41 321
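The answer's central point is that the forwarding flag and the MASQUERADE rule from the host script in the question belong on the server VM, which is the clients' default gateway. The following is an added example, not part of the question or the answer, showing what that server-side configuration looks like together with two checks a practitioner would want before and after applying it. Interface names and addresses are taken from the question (eth0 = 10.1.1.2 towards the host, eth1 = 10.1.2.2 towards the clients); the function names, the environment-variable overrides and the `sysctl -w` form are this example's own choices.

```shell
#!/bin/sh
# Server-side forwarding + NAT for the lab in the question (added example).
# eth0 faces the host (10.1.1.0/24, the server's own uplink),
# eth1 faces the clients (10.1.2.0/24). Override via environment if your
# VM ordered the adapters differently.
UPLINK_IF="${UPLINK_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.1.2.0/24}"

# Emit the rules instead of applying them, so they can be reviewed (or
# compared with 'iptables -S') first. Apply on the server as root with:
#   server_nat_rules | sh
server_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $UPLINK_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $UPLINK_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $UPLINK_IF -j MASQUERADE
EOF
}

# Return 0 only if IP forwarding is switched on. The file path argument
# (default: the real sysctl node) exists so the check can be exercised
# against a constructed file without root.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Run on client1/client2 after the server rules are in place. Pinging a
# public IP separates the routing/NAT question from the DNS question the
# answer raises about 'nameserver 10.1.2.2'.
client_check() {
    if ping -c1 -W2 8.8.8.8 >/dev/null 2>&1; then
        echo "routing+NAT ok"
    else
        echo "no route/NAT to the internet"
    fi
    if getent hosts example.com >/dev/null 2>&1; then
        echo "DNS ok"
    else
        echo "DNS broken (check /etc/resolv.conf)"
    fi
}
```

Two notes on the design. The FORWARD rules are restricted to traffic that originates from 10.1.2.0/24 and to replies for established connections, which is tighter than the host script's unconditional ACCEPT in both directions; with the host still masquerading on its own eth0 the client traffic is NATed twice (server, then host), which works but is worth remembering when reading tcpdump output on each hop. `sysctl -w` does not survive a reboot on Debian; add `net.ipv4.ip_forward=1` to /etc/sysctl.conf to make it persistent.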

I appreciate your answer; the comma is a typo, in my conf it is a dot. – Michele C. – 2015-11-17T13:24:58.907

I made this conf because I want the client machines to access the internet via the server machine, not directly. – Michele C. – 2015-11-17T13:27:19.530

In building the lab I am sure of the soundness of the choices I made, given my requirements; my problem is to create on the server a rule that allows me to access the internet from a client following the same "path" the server uses to go outside... I hope I have been a bit clearer this way... – Michele C. – 2015-11-17T13:34:51.140

English guys. Super user wants to help everyone who sees this question. – Canadian Luke – 2015-11-17T15:55:27.363