Changes between Initial Version and Version 1 of TipAndDoc/VM/network/masquerade

Timestamp:

Jun 25, 2009 10:25:13 PM (15 years ago)

Author:

mitty

Comment:

--

TipAndDoc/VM/network/masquerade

@@ +1 @@
+[[PageOutline]]
+
+ = iptablesによるIP MASQUERADE =
+ * [http://www.atmarkit.co.jp/flinux/rensai/iptables02/iptables02c.html ＠IT：natテーブルを利用したLinuxルータの作成（3/6）]
+
+ * " wiki:TipAndDoc/network/vmtest#networkmap のネットワークを使用
+
+ * 到達テスト用IP => 202.12.27.33 (M.ROOT-SERVERS.NET.)
+
+ = without MASQUERADE =
+
+ == case 1 ==
+ * router -> centos-outer -(NAPT)-> WAN
+
+ * ubuntu-router:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+
+--- 202.12.27.33 ping statistics ---
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+}}}
+   1. ubuntu-router:eth0
+{{{
+21:36:03.484785 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
+}}}
+   1. centos-outer:eth1
+{{{
+21:36:03.419741 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
+}}}
+   1. centos-outer:eth0
+{{{
+21:36:03.420277 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
+}}}
+
+ == case 2 ==
+ * ubuntu-outer -> router(redirect) -> centos-outer -(NAPT)-> WAN
+
+ * ubuntu-outer:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+From 10.0.0.254: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.20)
+
+--- 202.12.27.33 ping statistics ---
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+}}}
+   1. ubuntu-outer:eth1
+{{{
+21:28:12.959737 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
+21:28:12.965215 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
+}}}
+   1. ubuntu-router:eth0
+{{{
+21:28:12.962459 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
+21:28:12.965204 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
+21:28:12.974739 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
+}}}
+   1. centos-outer:eth1
+{{{
+21:28:12.915534 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
+}}}
+   1. centos-outer:eth0
+{{{
+21:28:12.915855 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
+}}}
+
+ == case 3 ==
+ * ubuntu-inner-AB -> router -> centos-outer -(NAPT)-> WAN
+
+ * ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+
+--- 202.12.27.33 ping statistics ---
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+}}}
+   1. ubuntu-inner-AB:eth1
+{{{
+20:50:23.110897 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
+}}}
+   1. ubuntu-router:eth2
+{{{
+20:50:23.125749 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
+}}}
+   1. ubuntu-router:eth0
+{{{
+20:50:23.134574 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
+}}}
+   1. centos-outer:eth1
+{{{
+20:50:23.090600 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
+}}}
+   1. centos-outer:eth0
+{{{
+20:50:23.092625 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
+}}}
+
+ = IP MASQUERADE =
+ * 上記のcase1, 2は、centos-outerにIP MASQUERADEの設定をすれば解決する
+   * centos-outer ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+   * centos-outer ~]$ sudo iptables -t nat -L -v
+{{{
+Chain PREROUTING (policy ACCEPT 21 packets, 3810 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+
+Chain POSTROUTING (policy ACCEPT 4 packets, 336 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+}}}
+
+ == case 1 ==
+ * ubuntu-router:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+64 bytes from 202.12.27.33: icmp_seq=1 ttl=239 time=16.3 ms
+
+--- 202.12.27.33 ping statistics ---
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 16.394/16.394/16.394/0.000 ms
+}}}
+   1. ubuntu-router:eth0
+{{{
+21:52:23.674784 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
+21:52:23.686245 IP 202.12.27.33 > 10.0.0.254: ICMP echo reply, id 29462, seq 1, length 64
+}}}
+   1. centos-outer:eth1
+{{{
+21:52:23.585426 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
+21:52:23.600322 IP 202.12.27.33 > 10.0.0.254: ICMP echo reply, id 29462, seq 1, length 64
+}}}
+   1. centos-outer:eth0
+{{{
+21:52:23.586646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
+21:52:23.600260 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 29462, seq 1, length 64
+}}}
+
+ == case 2 ==
+ * ubuntu-outer:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+From 10.0.0.254: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.20)
+64 bytes from 202.12.27.33: icmp_seq=1 ttl=239 time=18.2 ms
+
+--- 202.12.27.33 ping statistics ---
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+rtt min/avg/max/mdev = 18.232/18.232/18.232/0.000 ms
+}}}
+   1. ubuntu-outer:eth1
+{{{
+21:54:52.110334 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
+21:54:52.112754 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
+21:54:52.128234 IP 202.12.27.33 > 10.0.0.10: ICMP echo reply, id 42518, seq 1, length 64
+}}}
+   1. ubuntu-router:eth0
+{{{
+21:54:52.110893 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
+21:54:52.112704 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
+21:54:52.113196 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
+}}}
+   1. centos-outer:eth1
+{{{
+21:54:52.033678 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
+21:54:52.048781 IP 202.12.27.33 > 10.0.0.10: ICMP echo reply, id 42518, seq 1, length 64
+}}}
+   1. centos-outer:eth0
+{{{
+21:54:52.035689 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
+21:54:52.048112 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 42518, seq 1, length 64
+}}}
+
+ == case 3 ==
+ * ubuntu-inner-AB -> router -> centos-outer -(NAPT)-> WAN
+ * この場合、WAN -(NAPT)-> centos-outer で帰ってきたパケットを10.2.0.30(ubuntu-inner-AB)に送り返そうとするが、centos-outerのデフォルトゲートウェイがあるネットワークはeth0の向きなので、ubuntu-inner-ABがあるeth1ではなくeth0にパケットが送出されてしまう。
+   * MASQUERADEに併せて、centos-outerにstatic routeの設定が必要
+
+ * ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
+{{{
+PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
+
+--- 202.12.27.33 ping statistics ---
+1 packets transmitted, 0 received, 100% packet loss, time 0ms
+}}}
+   1. ubuntu-inner-AB:eth1
+{{{
+20:56:09.881451 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
+}}}
+   1. ubuntu-router:eth2
+{{{
+20:56:09.895738 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
+}}}
+   1. ubuntu-router:eth0
+{{{
+20:56:09.896113 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
+}}}
+   1. centos-outer:eth1
+{{{
+20:56:09.861559 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
+}}}
+   1. centos-outer:eth0
+{{{
+20:56:09.863646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
+20:56:09.876772 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 15892, seq 1, length 64
+20:56:09.878089 IP 202.12.27.33 > 10.2.0.30: ICMP echo reply, id 15892, seq 1, length 64
+}}}