From bfd8b35a8bd1c0041c700636e982f0af157e042b Mon Sep 17 00:00:00 2001 From: Whisker Jones Date: Sun, 19 May 2024 13:16:02 -0600 Subject: [PATCH] updates --- tech_docs/linux/linux_lxc_networking.md | 87 ++++++++++++++++++++++++- 1 file changed, 86 insertions(+), 1 deletion(-) diff --git a/tech_docs/linux/linux_lxc_networking.md b/tech_docs/linux/linux_lxc_networking.md index f1d6649..23267f1 100644 --- a/tech_docs/linux/linux_lxc_networking.md +++ b/tech_docs/linux/linux_lxc_networking.md @@ -272,4 +272,89 @@ graph TD; C --> |Forward to 10.0.0.2:80| E[Apache2 Instance 2 10.0.0.2:80] ``` -You can visualize this diagram using a Mermaid live editor, or any platform that supports Mermaid syntax, to see the graphical representation of the network setup. \ No newline at end of file +You can visualize this diagram using a Mermaid live editor, or any platform that supports Mermaid syntax, to see the graphical representation of the network setup. + +--- + +### Understanding iptables Chains and their Relation to Cisco Technologies + +In Linux networking, `iptables` is a powerful tool for managing network traffic. It uses a set of rules to determine how packets are processed. These rules are organized into different *chains*, which define the order and conditions under which packets are processed. Here’s a breakdown of the chains mentioned and how they relate to concepts you might be familiar with from Cisco networking. + +### Chains in iptables + +1. **PREROUTING Chain** + - **Purpose**: This chain processes packets as soon as they arrive at the network interface, before any routing decisions are made. + - **Equivalent Cisco Concept**: This is somewhat akin to an ingress ACL (Access Control List) applied to an interface, where you can inspect and modify packets before they are routed. + - **Example Rule**: + ```bash + -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80 + ``` + This rule changes the destination IP address and port of packets arriving at `192.168.1.10:81` to `10.0.0.1:80`. + +2. **FORWARD Chain** + - **Purpose**: This chain handles packets that are being routed through the system, i.e., packets that are not destined for the local machine but need to be forwarded to another network. + - **Equivalent Cisco Concept**: Similar to the behavior of ACLs applied to routed interfaces, which control the forwarding of packets based on defined criteria. + - **Example Rule**: + ```bash + -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + ``` + This rule allows packets destined for `10.0.0.1:80` to be forwarded, as long as they match the specified state conditions. + +3. **POSTROUTING Chain** + - **Purpose**: This chain processes packets just before they leave the network interface, after routing decisions have been made. + - **Equivalent Cisco Concept**: Similar to egress ACLs or NAT rules applied after routing, modifying packets before they are sent out. + - **Example Rule**: + ```bash + -t nat -A POSTROUTING -o br0 -j MASQUERADE + ``` + This rule ensures that the source IP address of outgoing packets is replaced (masqueraded) with the IP address of the outgoing interface (e.g., `br0`), enabling proper return traffic. + +### How It All Fits Together + +In your example setup, these chains work together to forward traffic from the LXC container to the Apache instances on different networks. + +1. **PREROUTING Chain**: + - Intercepts incoming packets at the LXC container's IP (`192.168.1.10`) on specific ports (`81` and `82`). + - Redirects these packets to the corresponding Apache instance IPs (`10.0.0.1` and `10.0.0.2`). + +2. **FORWARD Chain**: + - Ensures that the packets redirected by the PREROUTING chain are allowed to be forwarded to the destination IP addresses. + +3. **POSTROUTING Chain**: + - Modifies outgoing packets to ensure they have the correct source IP address, allowing for proper return traffic handling. + +### Practical Example: Port Forwarding in Action + +#### 1. PREROUTING Chain Rule: + - Redirect packets from `192.168.1.10:81` to `10.0.0.1:80`: + ```bash + sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 81 -j DNAT --to-destination 10.0.0.1:80 + ``` + - Redirect packets from `192.168.1.10:82` to `10.0.0.2:80`: + ```bash + sudo iptables -t nat -A PREROUTING -d 192.168.1.10 -p tcp --dport 82 -j DNAT --to-destination 10.0.0.2:80 + ``` + +#### 2. FORWARD Chain Rule: + - Allow forwarding for packets to `10.0.0.1:80`: + ```bash + sudo iptables -A FORWARD -p tcp -d 10.0.0.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + ``` + - Allow forwarding for packets to `10.0.0.2:80`: + ```bash + sudo iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + ``` + +#### 3. POSTROUTING Chain Rule: + - Enable masquerading for outgoing packets: + ```bash + sudo iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE + ``` + +### Summary + +- **PREROUTING**: Processes packets before routing decisions, modifying their destination if needed (similar to ingress ACLs). +- **FORWARD**: Handles packets being routed through the system, controlling whether they are forwarded based on defined rules (similar to routed interface ACLs). +- **POSTROUTING**: Processes packets just before they leave the interface, often used for NAT (similar to egress ACLs or NAT rules). + +These chains allow you to control and manipulate packet flow through a Linux system, providing powerful capabilities similar to those you use with Cisco devices, but within the context of Linux networking. \ No newline at end of file