CPSC 441, Fall 2002
Lab 6: NAT Masquerading in Linux


IN THIS LAB, we return to UML (User Mode Linux) to build a virtual network behind a firewall that does masquerading. You can read about masquerading in Linux in the IP Masquerading HOWTO. You will be using a script from this page in this lab. For more information about User Mode Linux, see the UML Home Page.

The exercises for this lab are due next Friday!

Exercise 1: A Virtual Network

In previous labs, you started the UML virtual machine with the command uml. This command is actually defined as a shorthand alias for linux  mem=64M  eth0=tuntap,,,172.30.217.xxx, where xxx depends on which computer you are using. The "eth0" part of this command tells the virtual machine to set up its first virtual ethernet card (eth0) as a networking interface that gets at the network through the real computer's real ethernet card. Effectively, eth0 connects the virtual machine to the campus network. When you configured the network in the virtual machine, you assigned an HWS IP address to its eth0 interface.

In this lab, you will be using a UML virtual machine as a masquerading firewall. The internal network will consist of one or two additional UML virtual machines. When I set out to write this lab, I found some configuration problems which mean that you will not be able to use your original virtual machine, from labs 1 and 2, in this lab. Follow the instructions in this lab to set up your virtual machines.

Step 0: Copy the directory /home/cs441/uml_nat into your own directory. This directory contains a program, linux_nat, which is the same as the "linux" command except that it has network address translation enabled. It also contains the root file system that you should use for your firewall, as explained below. Finally, it contains a one-line script, run_firewall, that you will run to boot the firewall. (This directory contains about 42 MB of data -- you could speed up the copying by telnetting to math.hws.edu to do it.)

Step 1: Run the program uml_switch by typing uml_switch on the command line in a console window. Be sure to leave this window open until the end of the lab! At the end of the lab, use CONTROL-D to stop the uml_switch program. This command sets up a virtual network inside your computer that virtual machines can connect to. As machines connect and disconnect, you will see log entries in this window.

Step 2: Open another console window and cd into the uml_nat directory. You should also leave this window open until the end of the lab. Give the command run_firewall in the window. This boots the virtual machine that will be your firewall. (This script just contains the command linux_nat mem=32M eth0=tuntap,,,`ipaddr` eth1=daemon ubd0=root_fs_nat, so you don't have to type it yourself.) Don't forget to halt all your virtual machines at the end of the lab.

Step 3: Log into the firewall as root, with user name root and password root. You will have to configure the network interfaces. There are two interfaces, eth0 and eth1. The first of these connects the firewall to the campus network. Bring it up with the command ifconfig  eth0  172.30.217.xxx  up where 172.30.217.xxx is the personal IP address that was assigned to you earlier in the term. It is important that you use the right address! If you don't remember it, ask. The eth1 interface will connect to the internal, virtual network. You could use the 10.0.0.0 network for this internal network, for example; it is one of the private address ranges that are never routed on the Internet, which is why the internal machines will need the firewall to masquerade for them. Bring the eth1 interface up with the command ifconfig  eth1  10.0.0.1  up   (The IP address doesn't necessarily have to be 10.0.0.1.) Check the network interface configuration with the command ifconfig with no parameters.

Step 4: Switch to another desktop, so you don't mix up your virtual machines! In another console window, start a new virtual machine with the command linux  eth0=daemon  ubd0=root_fs2,/xtra/uml_deb3  (You could use any file name in place of root_fs2.) Since this machine is not a firewall, you should use the standard linux command to run it. The "eth0=daemon" means that the eth0 interface in this machine will connect to the virtual network set up by the uml_switch command. If you ever have to restart this machine, you can use ubd0=root_fs2 instead of ubd0=root_fs2,/xtra/uml_deb3.

Step 5: Log into the new virtual machine as root. Bring up its eth0 interface with the command ifconfig  eth0  10.0.0.2  up (Again, the IP address doesn't necessarily have to be 10.0.0.2.)

Step 6 (Optional): Although it isn't really necessary, it's nice to have more than one virtual machine on the internal network. Go to another desktop and start another virtual machine, for example with root file root_fs3 and IP address 10.0.0.3.

You should now be able to telnet from one of the virtual machines on the internal network to the firewall machine with a command such as telnet  10.0.0.1. (The root user is not allowed to log in remotely, so you will have to log in with user name guest and password guest.) You can ping from one machine on the internal network to another. You can't telnet to 10.0.0.2 since you have not installed a telnet server on that virtual machine. However, packets cannot yet travel between the internal network and any external machine, in either direction: the firewall does not forward packets between its two interfaces, and the internal machines have no route that leads anywhere but their own network. Try it! For that, you need to set up the firewall machine as a router. Since this is going to be a masquerading network, you have to set up IP Masquerading on the firewall.

Step 7: Go to the virtual machine that is serving as your firewall. I have put the commands that you need for setting up masquerading into a script named iptables.sh on that machine. Run the script with the command /root/iptables.sh .  Once you do this, routing and masquerading are in place.

Step 8: There is one more thing that you need to do to make all IP addresses accessible. A host needs a default gateway where it can send packets that have to be routed to networks to which it is not connected directly. For the firewall computer, this gateway is the HWS router. Set up this gateway on the firewall computer with the command route  add  default  gw  172.30.0.200 .  For the machines on the internal network the gateway is the firewall. On those machines, you should set up the gateway with a command such as route  add  default  gw  10.0.0.1 ,  using the IP address of the firewall on the virtual network. Once this is done, you should be able to ping 172.30.10.23 from a machine on the internal network.

Step 9: To be able to use domain names such as math.hws.edu on your virtual machines, you need to configure DNS lookups on those machines. This is done by putting the line nameserver  172.30.0.101 into a file named /etc/resolv.conf .  Once this is done, you should be able to say something like telnet math.hws.edu. (The easiest way to get the line nameserver  172.30.0.101 into /etc/resolv.conf is to give the command cat > /etc/resolv.conf then type the line nameserver 172.30.0.101 press return and hit CONTROL-D.)

Once you have done all this, your network should be fully configured. Try it out using ping, telnet, and even ftp between various machines. Make sure that you can ping from a machine on the internal network to a computer outside HWS. Note that these ping packets are going through two NAT firewalls! Your firewall rewrites the 10.0.0.x source address to your 172.30.217.xxx address, and since the campus's 172.30.x.x addresses are themselves private, the HWS router rewrites them again before the packets reach the Internet.

Although you don't need to know it, the commands for setting up masquerading and routing are these. Notice that only forwarded traffic is filtered: the INPUT chain's policy is ACCEPT, so the firewall still accepts connections to itself (such as the telnet to 10.0.0.1 above) from both networks, while the FORWARD chain drops everything except connections opened from the internal network and the replies to them.

    #!/bin/sh
    # iptables.sh -- routing and masquerading for the lab firewall.
    # eth0: campus network (172.30.217.xxx)   eth1: internal network (10.0.0.0)

    # Start from a clean slate.  The firewall's own traffic is not filtered
    # (INPUT and OUTPUT policy ACCEPT); only forwarded traffic is.
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -P OUTPUT ACCEPT
    iptables -F OUTPUT
    # Anything not explicitly allowed through the FORWARD chain is dropped.
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -t nat -F

    echo "   FWD: Allow all connections OUT and only existing and related ones IN"
    # From the campus side, forward only packets that belong to a connection
    # an internal host already opened, or are related to one (ICMP errors,
    # or an ftp data connection when the ftp connection-tracking helper is loaded).
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # From the internal side, forward anything.
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

    echo "   Enabling SNAT (MASQUERADE) functionality on eth0"
    # Rewrite the source address of every packet leaving eth0 to eth0's own
    # address; the connection-tracking table undoes this for the replies.
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    echo "  Enabling routing "
    # None of the above affects forwarded packets until the kernel is told
    # to route between its interfaces at all.
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "Done"

I extracted these commands from the IP Masquerading HOWTO to make the script, iptables.sh, that you used above.
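To make the effect of the script and of Steps 7 and 8 concrete, here is a small Python model of what the firewall does to one packet: the routing decision from its route table, the FORWARD chain exactly as iptables.sh builds it, and MASQUERADE with a connection-tracking table. This is an added illustration for this handout, not code from the lab, from the IP Masquerading HOWTO, or from netfilter. The 10.0.0.x and 172.30.x addresses are the lab's; EXT_ADDR stands in for your own 172.30.217.xxx, the address 192.0.2.10 and all port numbers are made up, and the classful netmasks in ROUTES are an assumption about what ifconfig without a netmask argument produced. The sample traffic in the comments also shows the answer to the question asked in Exercise 1(B): the remote host only ever sees the firewall's address.

```python
"""Toy model of the lab firewall: route lookup, the FORWARD chain from
iptables.sh, and MASQUERADE with connection tracking.  Added example,
not code from the lab or from netfilter.  Addresses and ports below
other than the lab's 10.0.0.x / 172.30.x ranges are made up."""

import ipaddress
from dataclasses import dataclass, replace

EXT_ADDR = "172.30.217.50"          # stands in for your 172.30.217.xxx
FW_ADDRS = {EXT_ADDR, "10.0.0.1"}   # addresses that belong to the firewall itself

# What "route -n" shows on the firewall after Steps 3 and 8.  The classful
# masks are an assumption about 2002-era ifconfig with no netmask argument.
ROUTES = [  # (destination, genmask, gateway, iface)
    ("10.0.0.0", "255.0.0.0", None, "eth1"),
    ("172.30.0.0", "255.255.0.0", None, "eth0"),
    ("0.0.0.0", "0.0.0.0", "172.30.0.200", "eth0"),   # route add default gw ...
]


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (gateway, iface)."""
    best = None
    for net, mask, gw, iface in ROUTES:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if ipaddress.IPv4Address(dst) in network and (
                best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


class Firewall:
    def __init__(self, ip_forward=True):
        self.ip_forward = ip_forward      # the /proc/sys/net/ipv4/ip_forward flag
        self.next_port = 61000            # made-up start for replacement ports
        self.outbound = {}   # (src, sport, dst, dport) -> port used on eth0
        self.inbound = {}    # (remote, rport, port on eth0) -> (orig src, orig sport)

    def handle(self, pkt):
        """Returns (verdict, packet as sent on, out_iface); verdict is ACCEPT,
        DROP, or INPUT (delivered to the firewall itself, not forwarded)."""
        established = False
        if pkt.in_iface == "eth0" and pkt.dst == EXT_ADDR:
            # PREROUTING: connection tracking reverses an earlier MASQUERADE
            orig = self.inbound.get((pkt.src, pkt.sport, pkt.dport))
            if orig is not None:
                pkt = replace(pkt, dst=orig[0], dport=orig[1])
                established = True
        if pkt.dst in FW_ADDRS:
            return ("INPUT", pkt, None)   # INPUT policy ACCEPT: e.g. telnet 10.0.0.1
        if not self.ip_forward:
            return ("DROP", None, None)   # before Step 7 the kernel routes nothing
        _, out_iface = lookup(pkt.dst)
        # FORWARD chain, policy DROP
        if pkt.in_iface == "eth1" and out_iface == "eth0":
            pass   # -A FORWARD -i eth1 -o eth0 -j ACCEPT
        elif pkt.in_iface == "eth0" and out_iface == "eth1" and established:
            pass   # -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
        else:
            return ("DROP", None, None)   # unsolicited inbound connection, etc.
        if out_iface == "eth0":           # -t nat -A POSTROUTING -o eth0 -j MASQUERADE
            pkt = self._masquerade(pkt)
        return ("ACCEPT", pkt, out_iface)

    def _masquerade(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:
            port = pkt.sport
            # keep the original source port unless another inside host already
            # holds it towards the same remote endpoint
            if (pkt.dst, pkt.dport, port) in self.inbound:
                port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[(pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=EXT_ADDR, sport=self.outbound[key])


if __name__ == "__main__":
    fw = Firewall()
    # 10.0.0.2 telnets out; the remote host sees EXT_ADDR, not 10.0.0.2
    print(fw.handle(Packet("10.0.0.2", 4000, "172.30.10.23", 23, "eth1")))
    # the reply to EXT_ADDR:4000 is un-NATed back to 10.0.0.2:4000 and forwarded
    print(fw.handle(Packet("172.30.10.23", 23, EXT_ADDR, 4000, "eth0")))
    # a connection opened from outside towards an inside host is dropped
    print(fw.handle(Packet("172.30.10.23", 5000, "10.0.0.2", 23, "eth0")))
```

Running the block prints the three verdicts; the first shows the source rewritten to EXT_ADDR, the second shows the reply's destination restored to 10.0.0.2, and the third is a DROP because nothing in the tracking table vouches for it. The model also makes the role of Step 7's last line visible: with ip_forward left at 0 nothing is forwarded regardless of the rules.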

Exercise 1: The first part of this exercise is to get your network set up before you leave lab, and to demonstrate it to me. You should also do the following:
         (A)  Write down the routing tables for your firewall and for one of the other machines on the internal network. You can list a routing table with the command route  -n. Turn in these routing tables with an explanation of what each line means, based on the classwork that we will be doing next week.
         (B)  Telnet from a machine on the virtual, internal network to math.hws.edu. On math.hws.edu, use the w command to see who is logged on. What IP address are you listed under? Why? Turn in your answer.
         (C)  Use traceroute on one of the machines on the virtual network to trace the route to www.ucla.edu or to some other computer outside of HWS. What are the first few entries on the route? Why? Turn in your answer.

Exercise 2: Thinking about a Final Project

As you know, there is a final project in this course which is worth 20% of the total grade. This project is due at the scheduled final exam period, but you should start thinking about it now. There are three different types of possible projects:

Here is a list of some possible topics you might work on. You are not limited to these topics, but I would like you to explore a few of them before you make any decision about what you want to do:

Exercise 2: Pick one topic from each of the three categories and look up some basic facts about it. Write a couple of sentences on each of the three topics. Then select one of the topics for further research and expand your discussion to a short essay of two or three paragraphs. You can work on Exercise 1 with another person, but you should do Exercise 2 on your own.


David Eck, October 2002