How to Turn a Linux Server into a Router to Handle Traffic Statically and Dynamically – Part 10

 

Advanced IP and Network Device Configuration

The iproute package provides a set of tools to manage networking and traffic control that we will use throughout this article as they represent the replacement of legacy tools such as ifconfig and route.

The central utility in the iproute suite is called simply ip. Its basic syntax is as follows:

# ip object command

Where object can be only one of the following (only the most frequent objects are shown – you can refer to man ip for a complete list):

1. link: network device.
2. addr: protocol (IP or IPv6) address on a device.
3. route: routing table entry.
4. rule: rule in routing policy database.

Whereas command represents a specific action that can be performed on object. You can run the following command to display the complete list of commands that can be applied to a particular object:

# ip object help

For example,

# ip link help

IP Command Help

The above image shows, for example, that you can change the status of a network interface with the following command:

# ip link set interface {up | down}

For such more examples of ‘ip‘ command, read 10 Useful ‘ip’ Commands to Configure IP Address

Example 1: Disabling and enabling a network interface

In this example, we will disable and enable eth1:

# ip link show
# ip link set eth1 down
# ip link show

Disable eth0 Interface

If you want to re-enable eth1,

# ip link set eth1 up

Instead of displaying all the network interfaces, we can specify one of them:

# ip link show eth1

Which will return all the information for eth1.

Example 2: Displaying the main routing table

You can view your current main routing table with either of the following 3 commands:

# ip route show
# route -n
# netstat -rn

Check Linux Route Table

The first column in the output of the three commands indicates the target network. The output of ip route show (following the keyword dev) also presents the network devices that serve as physical gateway to those networks.

Although nowadays the ip command is preferred over route, you can still refer to man ip-route and man route for a detailed explanation of the rest of the columns.

Example 3: Using a Linux server to route packets between two private networks

We want to route icmp (ping) packets from dev2 to dev4 and the other way around as well (note that both client machines are on different networks). The name of each NIC, along with its corresponding IPv4 address, is given inside square brackets.

Our test environment is as follows:

Client 1: CentOS 7 [enp0s3: 192.168.0.17/24] - dev1
Router: Debian Wheezy 7.7 [eth0: 192.168.0.15/24, eth1: 10.0.0.15/24] - dev2
Client 2: openSUSE 13.2 [enp0s3: 10.0.0.18/24] - dev4

Let’s view the routing table in dev1 (CentOS box):

# ip route show

and then modify it in order to use its enp0s3 NIC and the connection to 192.168.0.15 to access hosts in the 10.0.0.0/24 network:

# ip route add 10.0.0.0/24 via 192.168.0.15 dev enp0s3

Which essentially reads, “Add a route to the 10.0.0.0/24 network through the enp0s3 network interface using 192.168.0.15 as gateway”.

Route Network in Linux

Likewise in dev4 (openSUSE box) to ping hosts in the 192.168.0.0/24 network:

# ip route add 192.168.0.0/24 via 10.0.0.15 dev enp0s3

Network Routing in Linux

Finally, we need to enable forwarding in our Debian router:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Now let’s ping:

Check Network Routing

and,

Route Ping Status

To make these settings persistent across boots, edit /etc/sysctl.conf on the router and make sure the net.ipv4.ip_forward variable is set to true as follows:

net.ipv4.ip_forward = 1

In addition, configure the NICs on both clients (look for the configuration file within /etc/sysconfig/network on openSUSE and /etc/sysconfig/network-scripts on CentOS – in both cases it’s called ifcfg-enp0s3).

Here’s the configuration file from the openSUSE box:

BOOTPROTO=static
BROADCAST=10.0.0.255
IPADDR=10.0.0.18
NETMASK=255.255.255.0
GATEWAY=10.0.0.15
NAME=enp0s3
NETWORK=10.0.0.0
ONBOOT=yes

Example 4: Using a Linux server to route packages between a private networks and the Internet

Another scenario where a Linux machine can be used as router is when you need to share your Internet connection with a private LAN.

Router: Debian Wheezy 7.7 [eth0: Public IP, eth1: 10.0.0.15/24] - dev2
Client: openSUSE 13.2 [enp0s3: 10.0.0.18/24] - dev4

In addition to set up packet forwarding and the static routing table in the client as in the previous example, we need to add a few iptables rules in the router:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The first command adds a rule to the POSTROUTING chain in the nat (Network Address Translation) table, indicating that the eth0 NIC should be used for outgoing packages.

MASQUERADE indicates that this NIC has a dynamic IP and that before sending the package to the “wild wild world” of the Internet, the private source address of the packet has to be changed to that of the public IP of the router.

In a LAN with many hosts, the router keeps track of established connections in /proc/net/ip_conntrack so it knows where to return the response from the Internet to.

Only part of the output of:

# cat /proc/net/ip_conntrack

is show in the following screenshot.

Route Packages in Linux

Where the origin (private IP of openSUSE box) and destination (Google DNS) of packets is highlighted. This was the result of running:

# curl www.tecmint.com

on the openSUSE box.

As I’m sure you can already guess, the router is using Google’s 8.8.8.8 as nameserver, which explains why the destination of outgoing packets points to that address.

Note: That incoming packages from the Internet are only accepted is if they are part of an already established connection (command #2), while outgoing packages are allowed “free exit” (command #3).

Don’t forget to make your iptables rules persistent following the steps outlined in Part 8 – Configure Iptables Firewall of this series.

Dynamic Routing with Quagga

Nowadays, the tool most used for dynamic routing in Linux is quagga. It allows system administrators to implement, with a relatively low-cost Linux server, the same functionality that is provided by powerful (and costly) Cisco routers.

The tool itself does not handle the routing, but rather modifies the kernel routing table as it learns new best routes to handle packets.

Since it’s a fork of zebra, a program whose development ceased a while ago, it maintains for historical reasons the same commands and structure than zebra. That is why you will see a lot of reference to zebra from this point on.

Please note that it is not possible to cover dynamic routing and all the related protocols in a single article, but I am confident that the content presented here will serve as a starting point for you to build on.

Installing Quagga in Linux

To install quagga on your chosen distribution:

# aptitude update && aptitude install quagga 				[On Ubuntu]
# yum update && yum install quagga 					[CentOS/RHEL]
# zypper refresh && zypper install quagga 				[openSUSE]

We will use the same environment as with Example #3, with the only difference that eth0 is connected to a main gateway router with IP 192.168.0.1.

Next, edit /etc/quagga/daemons with,

zebra=1
ripd=1

Now create the following configuration files.

# /etc/quagga/zebra.conf
# /etc/quagga/ripd.conf

and add these lines (replace for a hostname and password of your choice):

service quagga restart
hostname    	dev2
password    	quagga

# service quagga restart

Start Quagga Service

Note: That ripd.conf is the configuration file for the Routing Information Protocol, which provides the router with the information of which networks can be reached and how far (in terms of amount of hops) they are.

Note that this is only one of the protocols that can be used along with quagga, and I chose it for this tutorial due to easiness of use and because most network devices support it, although it has the disadvantage of passing credentials in plain text. For that reason, you need to assign proper permissions to the configuration file:

# chown quagga:quaggavty /etc/quagga/*.conf
# chmod 640 /etc/quagga/*.conf 

Example 5: Setting up quagga to route IP traffic dynamically

In this example we will use the following setup with two routers (make sure to create the configuration files for router #2 as explained previously):

Configure Quagga

Important: Don’t forget to repeat the following setup for both routers.

Connect to zebra (listening on port 2601), which is the logical intermediary between the router and the kernel:

# telnet localhost 2601

Enter the password that was set in the /etc/quagga/zebra.conf file, and then enable configuration:

enable
configure terminal

Enter the IP address and network mask of each NIC:

inter eth0
ip addr 192.168.0.15
inter eth1
ip addr 10.0.0.15
exit
exit
write

Configure Router

Now we need to connect to the RIP daemon terminal (port 2602):

# telnet localhost 2602

Enter username and password as configured in the /etc/quagga/ripd.conf file, and then type the following commands in bold (comments are added for the sake of clarification):

enable turns on privileged mode command.
configure terminal changes to configuration mode. This command is the first step to configuration
router rip enables RIP.
network 10.0.0.0/24 sets the RIP enable interface for the 10.0.0.0/24 network. 
exit
exit
write writes current configuration to configuration file.

Enable Router

Note: That in both cases the configuration is appended to the lines that we added previously (/etc/quagga/zebra.conf and /etc/quagga/ripd.conf).

Finally, connect again to the zebra service on both routers and note how each one of them has “learned” the route to the network that is behind the other, and which is the next hop to get to that network, by running the command show ip route:

# show ip route

Check IP Routing