[SOLVED] IP Forwarding?

Good afternoon, everyone!

I'm trying to get a Linux host to act as a router. It has two NICs, one is in the 192.168.4.0/24 subnet (192.168.4.1), the other is in the 192.168.5.0/24 subnet. I want hosts to be able to use 4.1 as their gateway...traffic goes in 4.1, then goes out 5.x...

I've tried getting IP forwarding to work and it's not wanting to cooperate. I think I'm missing something...I'm thinking I need a static route, but I'm not sure. The hosts (one Linux, one Windows) in question are VMs in VirtualBox that I'm using for some testing but can't quite get it all to work the way I want.

The Linux host has WAN connectivity. The Windows host can ping the Linux host (gateway), but the Windows host does NOT have WAN connectivity. The Linux host can NOT ping the Windows host but DOES have WAN connectivity...this is why I'm thinking it's a routing thing that I'm missing...

Thoughts? Perhaps there's an easier way to do this?

Any info greatly appreciated. Thank you!!

You haven't mentioned which distro you're using.

This [very short] article covers the basics: https://devconnected.com/how-to-conf...static-router/

Bear in mind that by default IP forwarding is turned off on a standard Linux kernel. You need to enable it. This is covered in that article.

The steps might be slightly different if you're using a different distro.

Exactly how have you configured the NICs for these VMs in VirtualBox?

Quote:

Originally Posted by rkelsen You haven't mentioned which distro you're using. This [very short] article covers the basics: https://devconnected.com/how-to-conf...static-router/ Bear in mind that by default IP forwarding is turned off on a standard Linux kernel. You need to enable it. This is covered in that article. The steps might be slightly different if you're using a different distro.

Awesome. I'll check that out. Thanks!!

The distro is Kali. I want the traffic from the Windows machine going through the Kali machine so I can use Wireshark for some testing.

Quote:

Originally Posted by Ser Olmy Exactly how have you configured the NICs for these VMs in VirtualBox?

I created a NAT Network and have both hosts joined to the NAT Network. This may not be the best way to do it but is the first that came to mind. Haven't tinkered with this part of it all yet.

Quote:

Originally Posted by rmp5s I created a NAT Network and have both hosts joined to the NAT Network. This may not be the best way to do it but is the first that came to mind. Haven't tinkered with this part of it all yet.

You're right about that not being the optimal way to set this up. And you really should have your network topology up and running before you start configuring IP forwarding, NAT, and the like.

These would be my suggestions:

• Have the NIC of the Windows VM connect to an "Internal Network".
  
  In VirtualBox terminology, an "Internal Network" is an isolated network with no outside connections; think of it as a virtual switch. You can basically create as many of these as you like by simply typing in a name in the relevant Adapter tab on the "Settings > Network" page for the VM.
  
  
• Make sure one of the Linux VM NICs is connected to the same "Internal Network" as the Windows VM. You should find the name you typed in previously available in the pulldown list.
  
  
• The 2nd NIC of the Linux VM should either be connected to a NAT network, or bridged to whatever interface on the host that has Internet connectivity.

With this setup, you should be able to ping the Linux VM from the Windows VM. You may have to disable the Windows firewall for pings to work in the opposite direction.

If you've configured the Windows host to use the Linux VM as its gateway, you should also be able to ping the IP of the other interface (on the Linux VM) from the Windows VM, regardless of whether routing is working on the Linux VM or not.

Once you've got this up and running you can start configuring routing (and possibly NAT, if required).

Quote:

Originally Posted by rmp5s The distro is Kali.

So the instructions in the article I linked should work for you as-is.

Alright, I went through following the guide posted earlier and made the recommended changes in VirtualBox and it's still not wanting to work. I'm not sure where the disconnect is. Again, I really appreciate the assistance!! Thank you, everyone!

Current setup:

W10 host...

Code:

Interface 1 = VM Adapter 1, "NAT Network 1"
IP:       192.168.4.12
Subnet:   /24
Gateway:  192.168.4.1

Linux host...

Code:

eth0 = VM Adapter 1, "NAT Network 1" - This is the NIC for the Windows host to use as its gateway.
IP:       192.168.4.1
Subnet:   /24
Gateway:  ??  (I actually don't know...I don't see it in ifconfig's output and the little "Network Connections" utility shows the gateway as "0.0.0.0"...so...??)

eth1 = VM Adapter 2, "NAT" - This is the WAN connection.
IP:       10.0.3.15
Subnet:   /24
Gateway:  ??

• Linux host can ping WAN (1.1.1.1)
• Windows host can NOT ping WAN
• Linux host can NOT ping windows host (192.168.4.12)
• Windows host CAN ping Linux host (192.168.4.1 NIC on Linux host, set as gateway in Windows host)

"ip route" output is as follows:

Code:

$ ip route
default via 10.0.3.2 dev eth1 proto dhcp src 10.0.3.15 metric 100 
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15 metric 100 
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.1

10.0.3.2 is VirtualBox's "NAT gateway". All that looks good to me. So...yea...I'm not sure why it's not working. It seems like a routing issue or something as I can only ping in one direction but, yup. Dunno. Ideas? Anything look out of place to any of you?

I thought I had it! lol I noticed the 10. via 192. route wasn't there! So I added it...still nothing. lol

Thought I had it...hahaha

"ip route" now reads:

Code:

$ ip route
default via 10.0.3.2 dev eth1 proto dhcp src 10.0.3.15 metric 100 
10.0.3.0/24 via 192.168.4.1 dev eth0
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15 metric 100 
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.1

I did notice though, when I do a "ip route add 192.168.4.0/24 via 10.0.3.15", it tells me "file already exists"...I don't see that in there, though. That's kinda confusing...

And "route -n" shows...

Code:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.3.2        0.0.0.0         UG    100    0        0 eth1
10.0.3.0        192.168.4.1     255.255.255.0   UG    0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     100    0        0 eth1
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Does that look right to you all? Shouldn't the "Gateway" for the 192.168.4.0 network be 10.0.3.2?...and, isn't the 10.0.3.0 -> 192.168.4.1 entry kinda backwards? Hmmm...

Did some more tinkering with the routes and, while this looks to me like it should work, it's still not.

Code:

$ route -n                                     
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.3.2        0.0.0.0         UG    100    0        0 eth1
10.0.3.0        192.168.4.1     255.255.255.0   UG    0      0        0 eth0
10.0.3.0        0.0.0.0         255.255.255.0   U     100    0        0 eth1
192.168.4.0     10.0.3.15       255.255.255.0   UG    0      0        0 eth1
 
$ ip route                                     
default via 10.0.3.2 dev eth1 proto dhcp src 10.0.3.15 metric 100 
10.0.3.0/24 via 192.168.4.1 dev eth0 
10.0.3.0/24 dev eth1 proto kernel scope link src 10.0.3.15 metric 100 
192.168.4.0/24 via 10.0.3.15 dev eth1

Quote:

Originally Posted by rmp5s Does that look right to you all?

No, it does not. You don't seem to fully understand the concepts of networks and gateways.

Your Linux router has the IP addresses 192.168.4.1/24 and 10.0.3.15/24. It will be able to reach hosts on both networks with no further configuration.

It should also have a (default) gateway defined. Note: That's a gateway. Not two or three.

A gateway is what a host uses in order to reach hosts outside of the network(s) to which it is directly connected. In this case, that would be the virtual router created by VirtualBox, which has the address 10.0.3.2.

Quote:

Originally Posted by rmp5s Shouldn't the "Gateway" for the 192.168.4.0 network be 10.0.3.2?

No, no, no.

The gateway for a host connected to network X must be a router that's also connected to network X. Think of it as a door providing an exit from a room: Obviously, the door must be fitted in one of the walls of that room; you can't leave room A using a door in room B. Likewise, the Windows host belonging to network 192.168.4.0/24 must have a gateway in that network.

You mentioned that you were able to ping from the Windows host to the Linux host (192.168.4.1). That means that part of the setup is fully working. The fact that the Windows host doesn't respond to pings is not all that important. If you try pinging from the Linux host and then run arp -an, you'll see that the Linux IP stack has indeed located the MAC address of the Windows PC's IP address.

If the Windows host has the correct gateway (192.168.4.1), you should also be able to ping 10.0.3.15 from Windows. However, you will NOT be able to ping 10.0.3.2, the reason being that the VirtualBox router has no idea how to reach the 192.168.4.0/24 network. In fact, it'll just forward the packet to the default gateway of the VirtualBox host.

AFAIK, there's no way to add a static route to the VirtualBox NAT router. Either you'll have switch to using a bridged network adapter and configure a static route on your actual Internet router, or you must configure the Linux router to NAT all outgoing traffic behind 10.0.3.15.

Quote:

AFAIK, there's no way to add a static route to the VirtualBox NAT router. Either you'll have switch to using a bridged network adapter and configure a static route on your actual Internet router, or you must configure the Linux router to NAT all outgoing traffic behind 10.0.3.15.

Hmmm...very interesting. I can indeed ping the Linux machine from the Windows machine AND ping the gateway. The Windows machines isn't pointed at the VirtualBox router/switch, though. Can't add routes there but I didn't think that would matter. The Windows machine is statically assigned to a different subnet and uses the Linux VM as its gateway and the Windows machine CAN in fact ping both NICs. (Pretty sure I tried to ping the Linux host from the Windows host before and it didn't work. Is now though. So. Who knows. Whatever. lol)

I just can't get the Linux machine to forward the traffic from the Windows machine out to the WAN. With IP forwarding turned on as shown in the guide that was mentioned earlier, I would think the Windows host would be able to ping the WAN through the Linux host...I thought that was kinda the whole point of that guide. Looking at it again, though, it does only show the two hosts pinging each other...it doesn't mention WAN access for either of them. Hmmm...

So, as a change of tac, maybe I'll just spin up Untangle or pfSense in a VM and make both VMs their own virtual network.

The idea being, I require two things out of the Windows machine: It must be isolated and I must be able to log all inbound and outbound traffic. There are lots of ways to do this...really thought it'd be as easy as throwing a couple static routes in the Linux VM and pointing the Windows VM at it. Guess not.

Quote:

Originally Posted by rmp5s I just can't get the Linux machine to forward the traffic from the Windows machine out to the WAN. With IP forwarding turned on as shown in the guide that was mentioned earlier, I would think the Windows host would be able to ping the WAN through the Linux host...

And it probably is able to reach the router on the WAN side, it's just that 10.0.3.2 doesn't know where to send the replies.

You can easily verify this. If your WAN interface is eth0, run tcpdump -i eth0 icmp and then ping a WAN address (or any external address) from the Windows VM. My guess is you'll see outgoing ICMP ping packets, but no replies.

Alright. Got stuff mostly working. Both the Windows host and the Linux host are on their own little network (ended up just using VirtalBox's "NAT Network", though I do thinkg the previously mentioned "Internal Network" mode could work as well), they have WAN access, they can see each other and I think I can use VirtualBox's "promiscuous mode" to get the traffic from the Windows host.

Getting there. lol

Thanks, everyone.

Came across this and it works PERFECTLY now!! The Kali machine is acting as a router for the Windows machine! Now, to sniff all traffic to/from the Windows machine, all I have to do is crank up Wireshark on the Kali NIC it's connected to and that's it! Awesome!

If anyone comes across this thread in the future, I was so close but Masquerading was the last piece of the puzzle!

Thanks, everyone.