added 2259 characters in body


I'm trying to build a prototype of a real network in VirtualBox. I have 3 guest systems:

  1. Debian-based router with 3 NICs:
    • enp0s3 Looks outside (bridged)
    • enp0s8 LAN1 (gateway to internal network 1)
    • enp0s9 LAN2 (gateway to internal network 2)
  2. WinXP workstation in LAN1.
  3. WinXP workstation in LAN2.
in /etc/sysctl.conf:
net.ipv4.ip_forward=1

iptables-save output:

# Generated by iptables-save v1.6.0 on Thu Mar 21 01:18:29 2019
*filter
:INPUT DROP [31:8959]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp0s8 -j ACCEPT
-A INPUT -i enp0s9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 2 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -i enp0s3 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
-A FORWARD -i enp0s9 -o enp0s3 -j ACCEPT
-A FORWARD -i enp0s3 -o enp0s8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp0s3 -o enp0s9 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.10.10.0/24 -d 10.10.11.0/24 -i enp0s8 -o enp0s9 -j ACCEPT
-A FORWARD -s 10.10.11.0/24 -d 10.10.10.0/24 -i enp0s9 -o enp0s8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp0s8 -j ACCEPT
-A OUTPUT -o enp0s9 -j ACCEPT
-A OUTPUT -o enp0s3 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
COMMIT
# Completed on Thu Mar 21 01:18:29 2019
# Generated by iptables-save v1.6.0 on Thu Mar 21 01:18:29 2019
*nat
:PREROUTING ACCEPT [77:16001]
:INPUT ACCEPT [2:628]
:OUTPUT ACCEPT [2:143]
:POSTROUTING ACCEPT [2:143]
-A POSTROUTING -s 10.10.10.0/24 -o enp0s3 -j MASQUERADE
-A POSTROUTING -s 10.10.11.0/24 -o enp0s3 -j MASQUERADE
COMMIT
# Completed on Thu Mar 21 01:18:29 2019
# Generated by iptables-save v1.6.0 on Thu Mar 21 01:18:29 2019
*mangle
:PREROUTING ACCEPT [224:28224]
:INPUT ACCEPT [180:21810]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:17877]
:POSTROUTING ACCEPT [144:17877]
COMMIT
# Completed on Thu Mar 21 01:18:29 2019

DNSmasq acts as the DHCP server.
And the question is: how can I make a workstation in LAN1 see one in LAN2? The internet is available to both; workstation1 (10.100) can ping the 11.1 gateway but can't reach the 11.100 machine, and vice versa. iptables is not likely to be the problem because it does not show dropped packets in its statistics. And what seems interesting is that tcpdump shows 2 packets for every ping request with a 0.0000x time difference.
P.S. It would be nice to make all this work without adding static routes on the clients, if possible.
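To check what the FORWARD chain above actually does with the LAN1-to-LAN2 echo request and its reply, here is an added example that is not part of the question and not iptables itself: a small Python evaluator that parses that chain and walks it first-match-wins. It assumes the workstation addresses 10.10.10.100 and 10.10.11.100 (the "10.100"/"11.100" shorthand in the question) and takes the conntrack state of each packet as an input rather than tracking it.

```python
"""Mini evaluator for the FORWARD chain from the iptables-save output above
(constructed for this page, not iptables itself). It knows only the matches
that chain uses, -i/-o/-s/-d/-p and -m state --state, plus the chain policy."""
import ipaddress
import shlex

FORWARD_RULES = """\
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
-A FORWARD -i enp0s9 -o enp0s3 -j ACCEPT
-A FORWARD -i enp0s3 -o enp0s8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp0s3 -o enp0s9 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.10.10.0/24 -d 10.10.11.0/24 -i enp0s8 -o enp0s9 -j ACCEPT
-A FORWARD -s 10.10.11.0/24 -d 10.10.10.0/24 -i enp0s9 -o enp0s8 -j ACCEPT
"""

def parse_chain(text, chain="FORWARD"):
    """Return (policy, rules); each rule is a dict of option -> value."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]                      # ":FORWARD DROP [0:0]"
        elif tok[:2] == ["-A", chain]:
            opts = tok[2:]                       # options always come in pairs here
            rules.append({opts[i]: opts[i + 1] for i in range(0, len(opts), 2)})
    return policy, rules

def packet(src, dst, inif, outif, proto="icmp", state="NEW"):
    return {"src": src, "dst": dst, "in": inif, "out": outif, "proto": proto, "state": state}

def matches(rule, pkt):
    checks = {   # "-m state" itself only loads the module, so just --state is checked
        "-i": lambda v: pkt["in"] == v,
        "-o": lambda v: pkt["out"] == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def verdict(pkt, text=FORWARD_RULES):
    """First matching rule decides: (target, rule number), or (policy, None)."""
    policy, rules = parse_chain(text)
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["-j"], n
    return policy, None
```

The echo request (enp0s8 to enp0s9, state NEW) hits rule 7 and the reply (enp0s9 to enp0s8, state ESTABLISHED) hits rule 1, both ACCEPT, which agrees with the zero FORWARD drop counters in the output; the evaluator says nothing about routing, rp_filter or the workstations' own firewalls, only about the filter table.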

deleted 26 characters in body
Rui F Ribeiro


I'm trying to build a prototype of a real network in VirtualBox. I have:

  1. Debian-based router with 3 NICs:
    • enp0s3 Looks outside (bridged)
    • enp0s8 LAN1 (gateway to internal network 1)
    • enp0s9 LAN2 (gateway to internal network 2)
  2. WinXP workstation in LAN1.
  3. WinXP workstation in LAN2.
in /etc/sysctl.conf:
net.ipv4.ip_forward=1

in iptables there is:

IPT=/sbin/iptables            # path assumed; the post does not define $IPT
LAN1=enp0s8; LAN2=enp0s9      # LAN1/LAN2 interfaces from the NIC list above
$IPT -A FORWARD -i $LAN1 -o $LAN2 -s 10.10.10.0/24 -d 10.10.11.0/24 -j ACCEPT
$IPT -A FORWARD -i $LAN2 -o $LAN1 -s 10.10.11.0/24 -d 10.10.10.0/24 -j ACCEPT

DNSmasq acts as the DHCP server.
And the question is: how can I make a workstation in LAN1 see one in LAN2? The internet is available to both; workstation1 (10.100) can ping the 11.1 gateway but can't reach the 11.100 machine, and vice versa. iptables is not likely to be the problem because it does not show dropped packets in its statistics. And what seems interesting is that when tcpdump is started like this: tcpdump -i any icmp, it shows 2 packets for every ping request with a 0.0000x time difference.
P.S. It would be nice to make all this work without adding static routes on the clients, if possible.


Traffic between subnets VirtualBox

I'm trying to build a prototype of a real network in VirtualBox. I have:

  1. Debian-based router with 3 NICs:
    • enp0s3 Looks outside (bridged)
    • enp0s8 LAN1 (gateway to internal network 1)
    • enp0s9 LAN2 (gateway to internal network 2)
  2. WinXP workstation in LAN1.
  3. WinXP workstation in LAN2.
in /etc/sysctl.conf:
net.ipv4.ip_forward=1

in iptables there is:

IPT=/sbin/iptables            # path assumed; the post does not define $IPT
LAN1=enp0s8; LAN2=enp0s9      # LAN1/LAN2 interfaces from the NIC list above
$IPT -A FORWARD -i $LAN1 -o $LAN2 -s 10.10.10.0/24 -d 10.10.11.0/24 -j ACCEPT
$IPT -A FORWARD -i $LAN2 -o $LAN1 -s 10.10.11.0/24 -d 10.10.10.0/24 -j ACCEPT

DNSmasq acts as the DHCP server.
And the question is: how can I make a workstation in LAN1 see one in LAN2? The internet is available to both; workstation1 (10.100) can ping the 11.1 gateway but can't reach the 11.100 machine, and vice versa. iptables is not likely to be the problem because it does not show dropped packets in its statistics. And what seems interesting is that when tcpdump is started like this: tcpdump -i any icmp, it shows 2 packets for every ping request with a 0.0000x time difference.
P.S. It would be nice to make all this work without adding static routes on the clients, if possible. Thank you all in advance.