Neutron Understanding (11): Using NAT to connect the Linux network namespace to the external network


Learn Neutron Series articles:

(1) Virtualization network implemented by Neutron

(2) Neutron Open vSwitch + VLAN virtual network

(3) Neutron Open vSwitch + GRE/VXLAN virtual network

(4) Neutron OVS OpenFlow flow table and L2 Population

(5) Neutron DHCP Agent

(6) Neutron L3 Agent

(7) Neutron LBaaS

(8) Neutron Security Group

(9) Neutron FWaaS and Nova Security Group

(10) Neutron VPNaaS

(11) Neutron DVR

(12) Neutron VRRP

(13) High Availability (HA)

(14) Connecting the Linux network namespace to the external network using NAT

(15) Connecting the Linux network namespace to the external network using Linux Bridge

There are two main ways to connect a Linux network namespace to the outside network: network address translation (NAT) and bridging, where bridging can use either a Linux Bridge or Open vSwitch. This article explains the specific configuration steps and the rationale for the NAT approach.

1. Environment and Configuration

It is more intuitive to think of a Linux network namespace as another computer:

The IP address of the node host1 is 192.168.1.32. The other machine used in the experiment, host2, has the IP address 192.168.1.15.

To be able to ping host2 from the network namespace myspace on host1, the following configuration is needed:

    1. ip netns add myspace
       Create a Linux network namespace named 'myspace'.
    2. ip link add veth1 type veth peer name veth2
       Create a veth pair; one end is veth1, the other is veth2.
    3. ip link set veth2 netns myspace
       Move veth2 into myspace as one of its network interfaces.
    4. ifconfig veth1 192.168.45.2 netmask 255.255.255.0 up
       Configure the IP address of veth1.
    5. ip netns exec myspace ifconfig veth2 192.168.45.3 netmask 255.255.255.0 up
       Configure the IP address of veth2; it must be on the same network segment as veth1.
    6. ip netns exec myspace route add default gw 192.168.45.2
       Set the default route of myspace to the IP address of veth1.
    7. echo 1 > /proc/sys/net/ipv4/ip_forward
       Turn on IP forwarding in the Linux kernel.
    8. iptables -t nat -A POSTROUTING -s 192.168.45.0/24 -o eth0 -j MASQUERADE
       Configure SNAT so that the source IP address of packets sent from myspace is replaced with the IP address of eth0.
    9. iptables -t filter -A FORWARD -i eth0 -o veth1 -j ACCEPT
       Explicitly allow the forwarding from veth1 to eth0 when the default policy of the FORWARD chain is DROP.

After these steps, a route is automatically added to the routing table on host1:

    [email protected]:/home/s1# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 veth1

The routing table of myspace:

    [email protected]:/home/s1# ip netns exec myspace route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.45.2    0.0.0.0         UG    0      0        0 veth2
    192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 veth2

The first route was created explicitly, and the second was created automatically.

Now the external network can be pinged from myspace.

2. Principle

2.1 About step 8 (SNAT)

If the SNAT rule of step 8 is not set, the ICMP echo request can reach the other computer, but the echo reply cannot be returned because its destination address is an internal address:

    [email protected]:/home/s1# tcpdump -eni bridge1 -p icmp -v
    tcpdump: listening on bridge1, link-type EN10MB (Ethernet), capture size 65535 bytes
    <hh:mm>:03.827852 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 54069, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.45.3 > 192.168.1.15: ICMP echo request, id 26569, seq 1, length 64
    <hh:mm>:04.829779 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 54194, offset 0, flags [DF], proto ICMP (1), length 84)

After adding step 8, the ping succeeds: the ICMP echo request is sent and the echo reply comes back.

On the NIC eth0 of host2, the ICMP echo request arrives with the IP address of host1 as its source IP:

    <hh:mm>:19.360519 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 54265, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.1.15 > 192.168.1.32: ICMP echo reply, id 28534, seq 7, length 64
    <hh:mm>:20.358360 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 21278, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.1.32 > 192.168.1.15: ICMP echo request, id 28534, seq 8, length 64

On the NIC eth0 of host1, the packets in both directions carry the IP addresses of host1 and host2:

    [email protected]:/home/s1# tcpdump -envi eth0 -p icmp -v
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    <hh:mm>:27.285150 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 58781, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.1.32 > 192.168.1.15: ICMP echo request, id 29610, seq 158, length 64
    <hh:mm>:27.285777 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 23662, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.1.15 > 192.168.1.32: ICMP echo reply, id 29610, seq 158, length 64

On veth1 of host1, the internal address is the source IP of the outgoing packet and the destination IP of the returning packet:

    [email protected]:/home/s1# tcpdump -envi veth1 -p icmp -v
    tcpdump: listening on veth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    <hh:mm>:13.355956 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 6989, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.45.3 > 192.168.1.15: ICMP echo request, id 29610, seq <seq>, length 64
    <hh:mm>:13.356391 <src mac> > <dst mac>, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl <ttl>, id 36067, offset 0, flags [none], proto ICMP (1), length 84)
        192.168.1.15 > 192.168.45.3: ICMP echo reply, id 29610, seq <seq>, length 64

So why does a DNAT happen between eth0 and veth1 before forwarding, when there is no explicit DNAT rule in the iptables nat table?

The reason is that ICMP carries a Query ID, and NAT automatically DNATs the ICMP echo reply based on that Query ID. According to section 3.1 (ICMP Query Mapping) of https://tools.ietf.org/html/rfc5508, when the internal host1 sends an ICMP query to the external host2, the NAT module of the Linux kernel assigns a matching Query ID on the external address of the NAT (ID 29610 in the example above). When the ICMP echo reply is received, the NAT module translates the external IP back into the internal IP based on the ICMP Query ID and the ICMP header checksum, and then forwards it. The ICMP Query ID therefore plays a role similar to the port number used by TCP and UDP, except that NAT performs the DNAT automatically for ICMP, while TCP and UDP need explicit DNAT rules.
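The following Python model, added here as an illustration (not code from the article or from the kernel), reproduces the Query ID mapping just described: SNAT on the way out records (peer, id), the reply is translated back by that id, a reply with no mapping is undeliverable, and a colliding id from a second internal host is renumbered, which is why the ICMP checksum has to be recomputed. The addresses are those of the setup above; the second internal host 192.168.45.4 is a constructed example.

```python
import struct
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int      # 8 = echo request, 0 = echo reply
    icmp_id: int        # the Query ID that NAT keys its mapping on
    seq: int
    payload: bytes = b""

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_header(pkt: IcmpPacket) -> bytes:
    """Serialize type/code/checksum/id/seq plus payload; the checksum covers the id field."""
    body = struct.pack("!BBHHH", pkt.icmp_type, 0, 0, pkt.icmp_id, pkt.seq) + pkt.payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

class IcmpQueryNat:
    """Simplified model of the kernel NAT module's ICMP Query ID mapping (RFC 5508, section 3.1)."""
    def __init__(self, external_ip: str, internal_net: str):
        self.external_ip = external_ip
        self.internal_net = ip_network(internal_net)
        self.mapping = {}   # (external peer, external id) -> (internal src, internal id)
    def postrouting(self, pkt: IcmpPacket):
        """SNAT on egress (rule 8): rewrite the source to the external IP and record the Query ID."""
        if pkt.icmp_type != 8 or ip_address(pkt.src) not in self.internal_net:
            return pkt
        ext_id = pkt.icmp_id   # keep the id unless another internal host already uses it towards this peer
        while self.mapping.get((pkt.dst, ext_id), (pkt.src, pkt.icmp_id)) != (pkt.src, pkt.icmp_id):
            ext_id = (ext_id + 1) & 0xFFFF
        self.mapping[(pkt.dst, ext_id)] = (pkt.src, pkt.icmp_id)
        return replace(pkt, src=self.external_ip, icmp_id=ext_id)

    def prerouting(self, pkt: IcmpPacket):
        """Implicit DNAT of the reply: look up the Query ID; with no mapping the reply is undeliverable."""
        if pkt.icmp_type != 0 or pkt.dst != self.external_ip:
            return pkt
        entry = self.mapping.get((pkt.src, pkt.icmp_id))
        return None if entry is None else replace(pkt, dst=entry[0], icmp_id=entry[1])
```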

2.2 About IP Forwarding


After receiving the ICMP packet from myspace on veth1, the Linux kernel:

    1. Executes the PREROUTING rules. No such rule needs to be configured in this example.
    2. Performs the routing decision. It checks the destination IP address of the packet and finds that it is not on this machine, which means the packet must be forwarded (FORWARD). Because IP forwarding is off by default on Linux, step 7 is needed to enable it; the kernel then checks the iptables FORWARD rules for this forwarding (the ICMP packet goes from veth1 to eth0). Typically, for security reasons, the administrator sets the default policy of the FORWARD chain to DROP, so step 9 is needed to explicitly allow (ACCEPT) the required forwarding.
    3. Performs IP forwarding. It looks up the routing table on host1, and the packet is routed to eth0.
    4. Executes the POSTROUTING rules. Because the source IP address of the packet is still an internal address at this point, it must be converted to an external address via SNAT so that the reply can come back. This is what step 8 does.
    5. Sends the packet out of eth0.

(3) Default route of myspace

Because myspace has only one cable (the veth pair) connecting it to veth1, its default gateway must be set to the IP address of veth1.

2.3 DNAT

The above configuration only allows myspace to access the external network. To let the outside network reach an application in myspace, you need to add a DNAT rule on host1, for example mapping TCP port 8080 on host1 to port 80 on the internal IP, and also a FORWARD rule allowing traffic from eth0 into veth1. The basic process is:

Another computer accesses the TCP application in myspace using the IP address of host1 and a specific port (192.168.1.32:8080).

    1. The Linux kernel receives a TCP packet on eth0 (destination IP 192.168.1.32, port 8080).
    2. It executes the PREROUTING rules, which rewrite the destination IP and port to 192.168.45.3 and 80.
    3. It performs the routing decision. It checks the destination IP address of the packet and finds that it is not on this machine, which means the packet must be forwarded (FORWARD). It checks that Linux IP forwarding is enabled, then checks the iptables FORWARD rules for this forwarding (the TCP packet goes from eth0 to veth1). Typically, for security reasons, the administrator sets the default policy of the FORWARD chain to DROP, so a rule like step 9 is needed to explicitly allow (ACCEPT) the forwarding.
    4. It performs IP forwarding. It looks up the routing table on host1, and the packet is routed to veth1.
    5. It executes the POSTROUTING rules. Although the rule from step 8 exists, it requires the source address to be in the internal network segment, so it does not apply here.
    6. The packet sent from veth1 travels over the veth device into veth2 in myspace.
    7. It is received by the application listening on port 80.
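Added here as an illustration (not code from the article): a small Python model that runs a packet through the stages of sections 2.2 and 2.3 in order, PREROUTING (nat), the routing decision, FORWARD (filter) and POSTROUTING (nat), using rules 8 and 9 from the table, the TCP 8080-to-80 DNAT, host1's routing table from the route -n output, and an assumed second ACCEPT rule for the veth1-to-eth0 direction, since a DROP policy on FORWARD blocks each direction separately. It models forwarded packets only, not local delivery or connection tracking.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "icmp" or "tcp"
    iif: str         # interface the packet arrived on
    dport: int = 0   # TCP destination port (0 for ICMP)
    oif: str = ""    # filled in by the routing decision

@dataclass(frozen=True)
class Rule:
    chain: str    # PREROUTING / POSTROUTING (nat table) or FORWARD (filter table)
    target: str   # ACCEPT, MASQUERADE or DNAT
    src: str = None; iif: str = None; oif: str = None        # -s, -i, -o
    proto: str = None; dport: int = None; to: tuple = None   # -p, --dport, --to-destination
    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in ip_network(self.src))
                and self.iif in (None, p.iif) and self.oif in (None, p.oif)
                and self.proto in (None, p.proto) and self.dport in (None, p.dport))

# host1's routing table, taken from the route -n output above
ROUTES = [("192.168.45.0/24", "veth1"), ("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth0")]
EXTERNAL_IP = "192.168.1.32"

def routing_decision(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    return max((ip_network(n).prefixlen, dev) for n, dev in ROUTES if ip_address(dst) in ip_network(n))[1]
def first_match(rules, chain, p):
    return next((r for r in rules if r.chain == chain and r.matches(p)), None)
def forward(rules, p: Packet, forward_policy="DROP"):
    """PREROUTING -> routing decision -> FORWARD -> POSTROUTING; None means the packet was dropped."""
    r = first_match(rules, "PREROUTING", p)
    if r and r.target == "DNAT":
        p = replace(p, dst=r.to[0], dport=r.to[1])
    p = replace(p, oif=routing_decision(p.dst))   # assumes ip_forward=1 (step 7)
    r = first_match(rules, "FORWARD", p)
    if (r.target if r else forward_policy) != "ACCEPT":
        return None
    r = first_match(rules, "POSTROUTING", p)
    if r and r.target == "MASQUERADE":
        p = replace(p, src=EXTERNAL_IP)
    return p

# Rules 8 and 9 from the table, the section 2.3 DNAT, and an assumed ACCEPT for the veth1 -> eth0 direction
RULES = [Rule("POSTROUTING", "MASQUERADE", src="192.168.45.0/24", oif="eth0"),
         Rule("FORWARD", "ACCEPT", iif="eth0", oif="veth1"),
         Rule("FORWARD", "ACCEPT", iif="veth1", oif="eth0"),
         Rule("PREROUTING", "DNAT", iif="eth0", proto="tcp", dport=8080, to=("192.168.45.3", 80))]
```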
