Difference between revisions of "Dnsmasq TestNetwork"
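--- a/Dnsmasq_TestNetwork
+++ b/Dnsmasq_TestNetwork
@@ -98,3 +98,76 @@
 systemclt restart dnsmasq
 ```
+
+Install nftables
+```
+apt update && apt install nftables
+```
+
+/etc/nftables.conf
+```
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority 0;
+}
+chain forward {
+type filter hook forward priority 0;
+}
+chain output {
+type filter hook output priority 0;
+}
+}
+
+# NAT
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority 0; policy accept;
+}
+
+# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+chain postrouting {
+type nat hook postrouting priority 100; policy accept;
+oifname "eth0" masquerade
+}
+}
+```
+
+```
+apt install bind9
+```
+
+/etc/bind/named.conf.options
+```
+// https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
+// https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_05.htm
+// https://kb.isc.org/docs/aa-00851
+acl goodclients {
+192.0.200.0/24;
+localhost;
+localnets;
+};
+
+options {
+directory "/var/cache/bind";
+recursion yes;
+allow-query { goodclients; };
+
+forwarders {
+10.1.1.1;
+};
+forward only;
+
+auth-nxdomain no; # conform to RFC1035
+
+dnssec-enable yes;
+dnssec-validation yes;
+// dnssec-validation auto;
+
+listen-on-v6 { any; };
+};
+```
+
 Sniff traffic if wanted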
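Review bot: The `goodclients` ACL in the added named.conf.options lists `192.0.200.0/24`, but the private segment configured elsewhere on this page is 192.168.200.0/24 (netplan gives eth1 `192.168.200.1/24`, the dnsmasq dhcp-range is 192.168.200.100-200), so the entry should read `192.168.200.0/24;`. It only works today because `localnets` is also in the ACL and matches the eth1 subnet, which hides the typo. Separately, the three base chains in `table inet filter` carry no rules and no `policy`, so nft's default accept applies and every packet — including forwarded LAN<->WAN traffic that is then masqueraded — is let through; fine for a lab, but worth a comment such as `# no rules: default policy accept, this is not yet filtering anything` so nobody mistakes it for a firewall. Finally, `dnssec-validation yes` together with `forward only` only validates if 10.1.1.1 returns DNSSEC data, and `dnssec-enable` is obsolete in newer BIND 9 releases; confirm the file with `named-checkconf` on the installed version.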
Add a bridge on host for private network communications
# Create the "j" bridge that carries the private test segment, then bring it up.
ip link add name j type bridge
ip link set dev j up
# Clone the default profile for DHCP client containers; afterwards edit the copy
# so that eth0 is bridged onto "j" (the YAML below is the intended result).
lxc profile copy default jclients
# LXD profile "jclients": a container with a single NIC on the private "j" bridge,
# so it gets its address from the dnsmasq DHCP server on the firewall's eth1.
config: {}
description: Test j dhcp clients
devices:
  eth0:
    nictype: bridged
    parent: j          # private test segment, no direct path to lxdbr0
    type: nic
  root:
    path: /
    pool: dir
    type: disk
name: jclients
# Clone the default profile for the firewall container; afterwards edit the copy
# to add a second NIC, eth1, bridged onto "j" (the YAML below is the intended result).
lxc profile copy default jfw
# LXD profile "jfw": the dual-homed firewall/router container.
#   eth0 -> lxdbr0 (the "WAN" side, NATed later by nftables)
#   eth1 -> j      (the private test segment served by dnsmasq)
config: {}
description: Test j firewall with 2 nics
devices:
  eth0:
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    nictype: bridged
    parent: j
    type: nic
  root:
    path: /
    pool: dir
    type: disk
name: jfw
Create containers
# Create and start both containers in one step, each with its own profile.
lxc launch ubuntu:20.04 jfw -p jfw
lxc launch ubuntu:20.04 jclient1 -p jclients
Disable resolved
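# Stop systemd-resolved from managing /etc/resolv.conf and point the host at a
# resolver of your choice. Replace <mynameserver> with the upstream address.
#
# Fixes vs the original one-liner: the rm and the redirection into
# /etc/resolv.conf ran as the invoking user, so they failed when not already root;
# all three steps now elevate consistently.
sudo systemctl disable --now systemd-resolved.service
# On Ubuntu this is normally a symlink into /run/systemd/resolve; replace it with a plain file.
sudo rm -f /etc/resolv.conf
printf 'nameserver %s\n' '<mynameserver>' | sudo tee /etc/resolv.conf >/dev/null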
/etc/netplan/50-cloud-init.yaml
# Netplan for the firewall container.
#   eth0: WAN side, addressed by lxdbr0's DHCP.
#   eth1: LAN side, static 192.168.200.1/24; dnsmasq hands out the rest of the subnet.
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
    eth1:
      dhcp4: false
      # NOTE(review): dhcp6 is enabled on the LAN-facing interface, so the
      # firewall would accept IPv6 configuration from the private segment --
      # confirm that is intended for this lab.
      dhcp6: true
      addresses:
        - 192.168.200.1/24
apt install dnsmasq
/etc/dnsmasq.conf
# dnsmasq on the firewall container: DHCP + DNS for the private 192.168.200.0/24
# segment behind eth1. Inline "#" comments are stripped by dnsmasq outside quotes.

# --- Interfaces: never offer DNS/DHCP on the WAN-facing eth0 ---
except-interface=eth0
bind-interfaces

# --- DNS ---
domain=test.uvoo.io
expand-hosts
cache-size=10000            # well above the default of 150
dns-forward-max=1100

# --- DHCP ---
dhcp-option=15,"test.uvoo.io"
dhcp-option=3,0.0.0.0       # default router: 0.0.0.0 = dnsmasq's own address on the interface
dhcp-option=6,0.0.0.0       # DNS server:     same
# Interface need not be given here; dnsmasq matches the range to eth1 by its address.
# NOTE(review): the documented way to pin a range to an interface is "interface:eth1";
# confirm with "dnsmasq --test" that the bare leading "eth1" is accepted by your version.
dhcp-range=eth1,192.168.200.100,192.168.200.200,12h
dhcp-host=74:46:a0:92:5a:76,192.168.200.11   # lxd eno1

# --- Static names served by this resolver ---
address=/jclientstatic.uvoo.io/192.168.200.11
address=/host1.jtest.io/192.168.200.12
ptr-record=12.200.168.192.in-addr.arpa.,"host1.jtest.io"
# Syntax-check the configuration (reads the default /etc/dnsmasq.conf) without starting the daemon.
dnsmasq --test -C /etc/dnsmasq.conf
restart service
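# Apply the new configuration. (The original line had a typo, "systemclt", which
# is not a command and would fail.)
systemctl restart dnsmasq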
Install nftables
# Refresh the package index and, only if that succeeded, install nftables.
apt update \
  && apt install nftables
/etc/nftables.conf
#!/usr/sbin/nft -f
# Firewall container ruleset. eth0 = WAN side (lxdbr0), eth1 = private "j" segment.

flush ruleset

# Filter table: base chains only, no rules. The policy is written out explicitly
# below; accept is also nft's default, so nothing is filtered yet -- every packet,
# including forwarded LAN<->WAN traffic, passes. Tighten before use outside a lab.
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

# NAT
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}

	# Source-NAT everything that leaves via the WAN interface to that interface's
	# primary address, after routing has picked eth0 as the egress.
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname "eth0" masquerade
	}
}
apt install bind9
/etc/bind/named.conf.options
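// Forwarding/caching resolver for the private test segment. References:
// https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
// https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_05.htm
// https://kb.isc.org/docs/aa-00851

// Who may query this resolver. The private segment on this page is
// 192.168.200.0/24 (netplan puts 192.168.200.1/24 on eth1 and dnsmasq leases
// 192.168.200.100-200). The earlier value 192.0.200.0/24 was a typo that went
// unnoticed only because "localnets" also matches the eth1 subnet.
acl goodclients {
    192.168.200.0/24;
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { goodclients; };
    // Stated explicitly so the open-resolver guard does not depend on
    // allow-recursion being derived from allow-query.
    allow-recursion { goodclients; };

    // Every query is sent upstream; nothing is resolved iteratively.
    forwarders {
        10.1.1.1;
    };
    forward only;

    auth-nxdomain no; # conform to RFC1035

    // NOTE(review): "dnssec-enable" is obsolete in recent BIND 9 releases, and
    // "dnssec-validation yes" expects a trust anchor to be configured by hand
    // ("auto" uses the built-in root key). With "forward only", validation also
    // requires 10.1.1.1 to return DNSSEC records, otherwise lookups fail.
    // Verify with: named-checkconf /etc/bind/named.conf
    dnssec-enable yes;
    dnssec-validation yes;
    // dnssec-validation auto;

    // NOTE(review): named listens on all addresses (IPv4 by default, IPv6 here),
    // including the WAN-facing eth0; the ACL above is the only thing preventing
    // an open resolver. If the dnsmasq from the earlier section is still
    // serving DNS on eth1/lo, both daemons will contend for port 53 -- either
    // give dnsmasq "port=0" (DHCP only) or restrict named with
    // listen-on { 127.0.0.1; 192.168.200.1; }.
    listen-on-v6 { any; };
};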
Sniff traffic if wanted
# Watch the private bridge: no name/port resolution (-nn), no promiscuous mode
# (-p), line-buffered output (-l), interface j.
sudo tcpdump -nn -p -l -i j
Alternate container create/apply
# Same result as "lxc launch ... -p", split into create-then-assign-profile per container.
lxc init ubuntu:20.04 jfw
lxc profile apply jfw jfw
lxc init ubuntu:20.04 jclient1
lxc profile apply jclient1 jclients
Start containers
# Bring the firewall up first so the client finds a DHCP server when it boots.
lxc start jfw
lxc start jclient1