diff --git a/tech_docs/linux/linux_lxc_networking.md b/tech_docs/linux/linux_lxc_networking.md index 3c2e435..f1d6649 100644 --- a/tech_docs/linux/linux_lxc_networking.md +++ b/tech_docs/linux/linux_lxc_networking.md @@ -1,5 +1,3 @@ -Got it, Jason. Let's take a more foundational approach to understanding Linux networking concepts, focusing on bridging your Cisco networking knowledge with Linux networking principles. - ### Basic Concepts of Linux Networking #### 1. **Network Interfaces** 
@@ -129,3 +127,149 @@ sudo iptables -t nat -A POSTROUTING -j MASQUERADE ### Summary By understanding these core Linux networking concepts and commands, you can leverage your Cisco networking knowledge to effectively manage and configure Linux-based networks. This foundation will help you handle more advanced scenarios, like managing LXC containers and implementing complex port forwarding and NAT setups. + + +--- + +To get a more advanced understanding of your setup, let's delve into the details and address the intricacies of port forwarding between different networks for LXC containers. We'll cover the concepts and provide a practical example to clarify the process. + +### Advanced Port Forwarding with LXC Containers + +#### Scenario Overview + +- **LXC Container IP**: `192.168.1.10` +- **Apache2 Instance 1**: Running on `10.0.0.1:80` +- **Apache2 Instance 2**: Running on `10.0.0.2:80` +- **Ports on LXC Container**: Forward to `192.168.1.10:81` and `192.168.1.10:82` +- **Objective**: Expose the Apache instances running on `10.x.x.x` network to the `192.168.1.x` network via the LXC container. + +### Network Diagram + +``` ++--------------------+ +--------------------+ +| LXC Host | | External Network | +| | | | +| +----------------+ | | | +| | LXC Container | | | | +| | 192.168.1.10 | | | | +| +----------------+ | | | +| | | | | | +| | +-----------------> 192.168.1.10:81 | +| | | | | +| | +-----------------> 192.168.1.10:82 | +| | | | | +| | | | | +| 10.0.0.1:80 10.0.0.2:80 | | +| | | | | ++--------------------+ +--------------------+ +``` + +### Steps for Advanced Port Forwarding + +1. **Configure Networking on the LXC Host**: + - Ensure the LXC host has access to both the `10.x.x.x` and `192.168.1.x` networks. + +2. **Create a Network Bridge**: + - If needed, create a bridge to connect the LXC container to the desired network. 
+ +```bash +# Create a new bridge (if not already created) +sudo ip link add name br0 type bridge +sudo ip addr add 192.168.1.1/24 dev br0 +sudo ip link set br0 up + +# Add the container's interface to the bridge +sudo ip link set veth0 master br0 +sudo ip link set veth0 up +``` + +3. **Configure the LXC Container**: + - Ensure the LXC container is connected to the bridge `br0` and has the IP address `192.168.1.10`. + +4. **Set Up Port Forwarding Using `iptables`**: + - Forward traffic from the LXC container's IP to the Apache instances. + +```bash +# Forward traffic from 192.168.1.10:81 to 10.0.0.1:80 +sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80 +sudo iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + +# Forward traffic from 192.168.1.10:82 to 10.0.0.2:80 +sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80 +sudo iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + +# Masquerade outgoing packets to ensure proper return path +sudo iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE +``` + +### Explanation + +- **PREROUTING Chain**: + - `-t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80`: This rule changes the destination of packets arriving at `192.168.1.10` on port `81` to `10.0.0.1:80`. + - `-t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80`: This rule changes the destination of packets arriving at `192.168.1.10` on port `82` to `10.0.0.2:80`. + +- **FORWARD Chain**: + - `-A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`: Allows forwarding of packets destined for `10.0.0.1` on port `80`. 
+ - `-A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT`: Allows forwarding of packets destined for `10.0.0.2` on port `80`. + +- **POSTROUTING Chain**: + - `-t nat -A POSTROUTING -o br0 -j MASQUERADE`: Ensures that outgoing packets have the correct source IP address for return traffic. + +### Persisting `iptables` Rules + +To make sure the `iptables` rules persist across reboots, you can save them using the `iptables-save` command and restore them using the `iptables-restore` command during system startup. + +```bash +# Save iptables rules +sudo iptables-save > /etc/iptables/rules.v4 +``` + +On systemd-based systems, you can create a service to restore these rules at startup: + +```bash +# Create a systemd service file +sudo nano /etc/systemd/system/iptables-restore.service +``` + +Add the following content to the service file: + +```ini +[Unit] +Description=Restore iptables rules +After=network.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables-restore < /etc/iptables/rules.v4 +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +``` + +Enable and start the service: + +```bash +sudo systemctl enable iptables-restore.service +sudo systemctl start iptables-restore.service +``` + +### Summary + +By understanding and configuring the Linux networking components and `iptables` rules, you can achieve advanced port forwarding and ensure proper network communication between different networks and LXC containers. This setup effectively bridges the gap between your extensive Cisco networking knowledge and Linux networking principles. + + +--- + +Sure, here's the network diagram using Mermaid syntax. 
+ +```mermaid +graph TD; + A[External Network] --> |Access Apache Services| B(LXC Host) + B --> |Forward to 192.168.1.10:81| C(LXC Container 192.168.1.10) + B --> |Forward to 192.168.1.10:82| C + C --> |Forward to 10.0.0.1:80| D[Apache2 Instance 1 10.0.0.1:80] + C --> |Forward to 10.0.0.2:80| E[Apache2 Instance 2 10.0.0.2:80] +``` + +You can visualize this diagram using a Mermaid live editor, or any platform that supports Mermaid syntax, to see the graphical representation of the network setup. \ No newline at end of file
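Review bot: the deletion of the conversational opener in the first hunk is the right call, but the same register comes straight back in the second hunk, which appends more transcript-style lead-ins ("To get a more advanced understanding of your setup, let's delve into...", "Sure, here's the network diagram using Mermaid syntax."). Either keep the chat framing consistently or drop it throughout so the file reads as reference documentation; the appended section also introduces a second `### Summary` heading in the same file, so the two summaries should be merged or the advanced part split into its own document.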
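Review bot: the systemd unit added in the second hunk has a broken `ExecStart=/sbin/iptables-restore < /etc/iptables/rules.v4`: systemd does not run ExecStart through a shell, so `<` is passed to iptables-restore as a literal argument and the unit fails at boot. Pass the file as a positional argument, `ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4`, or wrap the command in `/bin/sh -c '...'`. The save step has a related problem: in `sudo iptables-save > /etc/iptables/rules.v4` only iptables-save runs as root while the redirection runs as the calling user, so writing into /etc fails; use `iptables-save | sudo tee /etc/iptables/rules.v4` or `sudo sh -c '...'`. The steps also never enable IP forwarding; DNAT in PREROUTING only affects packets that are then forwarded, so `net.ipv4.ip_forward=1` (set with sysctl and persisted) belongs in step 1 or 4, otherwise the rules silently do nothing. The comment on `-t nat -A POSTROUTING -o br0 -j MASQUERADE` says it ensures the return path, but the DNATed packets leave toward 10.0.0.x, not out of br0, so this rule never rewrites their source; either masquerade on the interface facing the 10.x network (or match `-d 10.0.0.0/24`) or document that the Apache hosts need a route back to 192.168.1.0/24 via this box. Finally, the two FORWARD rules only accept traffic toward 10.0.0.x; with a DROP policy on FORWARD the reply direction needs its own `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule, and `-m conntrack --ctstate` is the current spelling of the deprecated `-m state --state` used throughout the hunk.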