Network isolation and Internet connectivity using physical network devices

In my current home network environment, my router connects all devices to the Internet. Here is the current situation and the planned configuration.

1. Current situation: everything left to the router

Current home network configuration

In most homes, Internet access is provided by a single router. This router is provided by the Internet provider and performs the following functions

  • Providing Internet connectivity: The router connects to the Internet and makes the Internet available throughout the home.
  • Providing a WiFi network: The router sends out a WiFi signal to which smartphones, tablets, laptops, etc. connect.
  • Functioning as a DHCP server: The router assigns an IP address to each device.
Home Network Configuration

            (Internet)
                |
           [ISP Router]
                |
          (WiFi Network)
                |
     [All devices in the home]

So we decided to separate the networks. We had done this before but gave it up because it was too much trouble; we took this opportunity to review the settings. Most laptops have both WiFi and a wired network port, so we will use these.

2. Reasons for Network Separation

Why separate the networks?

There are several reasons to separate networks. Here are the main reasons

  • Improved security: Separating the network into different segments reduces unauthorized access and security risks.
  • Improved Performance: Separating the network for different devices and uses allows for more efficient management of traffic and improved performance.
  • Ease of management: For large networks or for specific services (e.g., PXE boot), separating the networks makes them easier to manage.

3. New Network Configuration Description

New Network Configuration

The new network configuration provides a higher level of network management by separating the internal network into separate segments, rather than leaving it up to the router.

Network Configuration

            (Internet)
                |
           [ISP Router]
           (192.168.0.1)
                |
       (WiFi: 192.168.0.0/24)
          /            \
  [WiFi devices]   [Laptop/Router]
                   (WiFi:  192.168.0.2)
                   (Wired: 10.0.0.1)
                         |
            (Internal network: 10.0.0.0/24)
                         |
                    [Hub/Switch]
                         |
               [PC1]  [PC2]  [PC3]
                 (10.0.0.50-150)
  • ISP Router: 192.168.0.1 to manage WiFi network.
  • Laptop/Router: 192.168.0.2 to connect to WiFi network, 10.0.0.1 to manage internal network.
  • Internal network: 10.0.0.0/24 segments to manage wired devices (PC1, PC2, PC3).

4. Advantages of the new network configuration

Advantages of the new network configuration

  • Security: Isolates the internal network from the outside world and prevents unauthorized access.
  • Efficiency: Isolate network traffic and improve network efficiency.
  • Flexibility: Additional servers (e.g., PXE servers) and services can be easily integrated.

This new network configuration improves the security and performance of the home network and allows for flexible management for specific applications. We previously attempted a network installation with a PXE server. However, the DHCP server on the router and the new DHCP server set up on the PC would conflict within the same network, resulting in incorrect IP address assignment and a failed installation. This is another reason to separate them.

We installed a fresh Ubuntu 24.04 Server on the laptop and also installed Docker. Checking the IP address status shows that the router assigned addresses to both the WiFi and the wired interface, and that Docker added its own network interface, as the output of the ip a command shows.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:76:1c:88:14:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.106/24 metric 100 brd 192.168.0.255 scope global dynamic enp1s0
       valid_lft 373sec preferred_lft 373sec
    inet6 fe80::f276:1cff:fe88:1476/64 scope link
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:b5:7d:87:8e:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.107/24 metric 600 brd 192.168.0.255 scope global dynamic wlp2s0
       valid_lft 4081sec preferred_lft 4081sec
    inet6 fe80::aeb5:7dff:fe87:8e90/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:31:4a:6a:92 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

The system has multiple network interfaces, each with a different IP address. These IP addresses are assigned dynamically by the router or DHCP server.

First, the lo interface is a loopback interface. It is used to communicate with itself within the system and is always assigned the IP address 127.0.0.1.

Next, the enp1s0 interface is the wired network interface, which is assigned the IP address 192.168.0.106. This is within the range of private IP addresses typically used in home and small office networks.

The wlp2s0 interface is a wireless network interface that is assigned the IP address 192.168.0.107. This is also within the same private IP address range and is for wireless connections.

In addition, the docker0 interface is a virtual network interface created by Docker; it is assigned the IP address 172.17.0.1, which is used for communication between Docker containers.

Ubuntu network settings are managed differently in different versions. In recent versions of Ubuntu, the /etc/network/interfaces file is not used, but instead a tool called Netplan is used.

Netplan configuration files are usually located in the following directory

  • /etc/netplan/

In this directory there are files with a .yaml extension. A file with a name like 01-netcfg.yaml is common; in our case we found one named 50-cloud-init.yaml, which looks like the following. In this configuration, both the enp1s0 and wlp2s0 interfaces use DHCP to obtain their IP addresses.

sudo cat 50-cloud-init.yaml


# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp1s0:
            dhcp4: true
    version: 2
    wifis:
        wlp2s0:
            access-points:
                TP-Link_6BEB:
                    password: '123456789'
            dhcp4: true

To avoid configuration confusion, we will describe the specific scenario in a bit more detail.

Scenario Description

  1. Server PC plays the role of router
    • Server PC assigns IP addresses to other devices on the network and provides Internet access.
    • The server PC sets up a static IP address on its own wired interface.
  2. Client PC
    • Designate the server PC as the gateway.

Server PC Configuration Example

If the server PC (notebook PC) is assigned the fixed IP address 10.0.0.1 and other client PCs use this IP address as a gateway, the Netplan settings for the server PC are as follows

network:
  version: 2
  ethernets:
    enp1s0:
      addresses:
        - 10.0.0.1/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4
  wifis:
    wlp2s0:
      access-points:
        TP-Link_6BEB:
          password: '123456789'
      dhcp4: true

Configuration example for a client PC

If the client PC uses the server PC as a gateway, an example of Netplan configuration for the client PC is as follows

network:
  version: 2
  ethernets:
    enp1s0:
      addresses:
        - 10.0.0.100/24
      gateway4: 10.0.0.1   # deprecated in newer Netplan; "routes: [{to: default, via: 10.0.0.1}]" is the current form
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

Important points

  • IP address of the server PC: Assign 10.0.0.1 to the wired interface of the server PC.
  • Client PC IP address: Assign a different IP address (e.g., 10.0.0.100) to the client PC and set the gateway to 10.0.0.1.
  • Role of the Server PC: The Server PC acts as a router and DHCP server, assigning IP addresses to other devices and managing network connections.
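As an added example (not code from the original post), the two Netplan files above can be rendered and installed by a small shell script. It uses the post's interface names, addresses, SSID and DNS servers; the function names, the WIFI_PASSWORD variable and the file names 01-router.yaml and 01-client.yaml are assumptions. The client file uses the routes: form, which newer Netplan prefers over gateway4, and both files are written with mode 0600 because the server file carries the WiFi password in clear text and Netplan warns when its files are world-readable.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the server (router) and
# client Netplan files and installs them with restrictive permissions.
# Hypothetical names: render_server_netplan, render_client_netplan,
# install_netplan, netplan_file_mode, WIFI_PASSWORD.
set -eu

LAN_IF="${LAN_IF:-enp1s0}"          # wired, internal side
WAN_IF="${WAN_IF:-wlp2s0}"          # WiFi uplink to the ISP router
SSID="${SSID:-TP-Link_6BEB}"
DNS1="${DNS1:-8.8.8.8}"
DNS2="${DNS2:-8.8.4.4}"

# Server PC: static 10.0.0.1/24 on the wired side, DHCP on the WiFi uplink.
# $1 = WiFi password (passed in, so it never has to be stored in this script).
render_server_netplan() {
  cat <<EOF
network:
  version: 2
  ethernets:
    $LAN_IF:
      addresses:
        - 10.0.0.1/24
      nameservers:
        addresses: [$DNS1, $DNS2]
  wifis:
    $WAN_IF:
      dhcp4: true
      access-points:
        "$SSID":
          password: "$1"
EOF
}

# Client PC: static address in 10.0.0.0/24 with the server as default route.
# "routes:" is used instead of gateway4, which newer Netplan deprecates.
# $1 = client address (e.g. 10.0.0.100), $2 = gateway (e.g. 10.0.0.1)
render_client_netplan() {
  cat <<EOF
network:
  version: 2
  ethernets:
    $LAN_IF:
      addresses:
        - $1/24
      routes:
        - to: default
          via: $2
      nameservers:
        addresses: [$DNS1, $DNS2]
EOF
}

# Write YAML from stdin to $1 with mode 0600 (umask for new files, chmod for
# files that already existed with wider permissions).
install_netplan() {
  ( umask 077; cat > "$1" )
  chmod 600 "$1"
}

# Permission bits of a file as an octal string, e.g. "600" (GNU stat, BSD fallback).
netplan_file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: WIFI_PASSWORD=... ./netplan-roles.sh --install server|client
if [ "${1:-}" = "--install" ]; then
  case "${2:-}" in
    server) render_server_netplan "$WIFI_PASSWORD" | install_netplan /etc/netplan/01-router.yaml ;;
    client) render_client_netplan 10.0.0.100 10.0.0.1 | install_netplan /etc/netplan/01-client.yaml ;;
    *) echo "usage: $0 --install server|client" >&2; exit 2 ;;
  esac
  netplan generate   # validates the YAML before anything is changed
  netplan apply
fi
```

Because the password is taken from the environment at install time, the script itself can be kept under version control without leaking the WiFi credential; the rendered file is the only place it lands, and that file is readable by root only.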

After editing the file, there is no need to reboot the PC or restart a service, but the Netplan settings must be applied. Note the header of 50-cloud-init.yaml: cloud-init regenerates that file, so either put your settings in a separate file (for example /etc/netplan/01-netcfg.yaml) or create /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg as the header describes. After saving the configuration file, run the following command to apply the changes
sudo netplan apply

Applying the Netplan settings will temporarily reconfigure the network, which may cause SSH connections to be dropped. Then display the IP information again to see if it has changed. The wired side is now as described below.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:76:1c:88:14:76 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::f276:1cff:fe88:1476/64 scope link
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:b5:7d:87:8e:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.107/24 metric 600 brd 192.168.0.255 scope global dynamic wlp2s0
       valid_lft 4571sec preferred_lft 4571sec
    inet6 fe80::aeb5:7dff:fe87:8e90/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:31:4a:6a:92 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

In addition, IP forwarding must be enabled and NAT must be configured for the server PC to provide Internet connectivity to the client. By doing this, the server PC acts as a router for the client PCs.

Description of IP Forwarding and NAT Settings

1. IP Forwarding (net.ipv4.ip_forward=1)

IP forwarding is the ability to forward packets received from one network interface to another network interface. By enabling it, the server PC acts as a router, allowing other devices in the network to access the Internet.

IP Forwarding

        enp1s0
      (10.0.0.1)
          ↑
    IP Forwarding
          ↓
        wlp2s0
    (192.168.0.2)
Configuration Method:
  • Enable temporarily:
    sudo sysctl -w net.ipv4.ip_forward=1
  • To enable permanently, add the following line to the /etc/sysctl.conf file
    net.ipv4.ip_forward=1

With this configuration, the server PC will be ready to forward traffic for other devices in the network.

2. NAT Configuration (using iptables)

NAT (Network Address Translation) is a technology that allows devices in a private network to access the Internet. NAT allows devices in a private network to communicate with the Internet by translating their private IP addresses into public IP addresses.

NAT Explanation

  Device (smartphone, PC)
  Private IP: 192.168.0.2
            ↓
  Router
  Private IP: 192.168.0.1
  Public IP:  203.0.113.1
            ↓
  Internet
  (communication over the public IP)

Of course, NAT can also translate a private address into another private address. This is sometimes called “NAT within the local network” or “Internal NAT”.

Internal NAT Explanation

  Internal network A
  Private IP: 10.0.0.2
            ↓
  Router
  NAT translation: 10.0.0.2 → 192.168.0.100
            ↓
  Internal network B
  Private IP: 192.168.0.100

What we are actually doing combines the two: the laptop translates between different private addresses (10.0.0.x to its WiFi address 192.168.0.2), and the ISP router then translates that private address to a public IP address for the Internet. In other words, the flow is NAT between private addresses first, then NAT to a public address.

Configuration method:

Command to configure NAT:
sudo iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE

  • -t nat: Specifies that the nat table is to be used.
  • -A POSTROUTING: Appends the rule to the POSTROUTING chain, which processes packets after they have been routed.
  • -o wlp2s0: Specifies the outgoing interface to which this rule applies (in this case, the Wi-Fi interface).
  • -j MASQUERADE: Rewrites the source address of the packet to the address of the outgoing interface, so that replies from the Internet come back to the laptop.

NAT settings for a specific subnet:
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wlp2s0 -j MASQUERADE

  • -s 10.0.0.0/24: Specifies the source address range to which this rule applies. Here, the 10.0.0.0/24 subnet is specified.

Configuration persistence:

The iptables configuration is reset after a reboot, so the configuration must be made persistent.

  1. Install package:
    sudo apt-get install iptables-persistent
  2. Save the configuration:
    sudo netfilter-persistent save

Now the NAT settings will be persistent even if the server PC is rebooted, and devices in the network will always be able to access the Internet.

Network Diagram

            (Internet)
                |
           [ISP Router]
           (192.168.0.1)
                |
       (WiFi: 192.168.0.0/24)
          /            \
  [WiFi devices]   [Laptop/Router]  <- IP forwarding + NAT
                   (WiFi:  192.168.0.2)
                   (Wired: 10.0.0.1)
                         |
            (Internal network: 10.0.0.0/24)
                         |
                    [Hub/Switch]
                         |
               [PC1]  [PC2]  [PC3]
                 (10.0.0.50-150)
  • A laptop acting as router is connected to the ISP router through WiFi (192.168.0.2).
  • The laptop uses the wired interface (10.0.0.1) to manage its internal network (10.0.0.0/24).
  • With IP forwarding configured, the laptop will forward traffic received from PC1, PC2, and PC3 on the internal network (10.0.0.0/24) to the Internet through the WiFi interface.
  • NAT (Network Address Translation) allows devices in the internal network (10.0.0.0/24) to reach the Internet using their private IP addresses. The laptop rewrites the source of their packets to its WiFi address (192.168.0.2) before sending them to the ISP router, which in turn translates that address to the public one.

This configuration will allow all devices in the internal network (10.0.0.0/24) to access the Internet, which we will check on the Windows PC. Follow the steps below to check the network settings on the client PC to ensure that the correct settings are applied.

Check the network settings of the Windows client PC

  1. Check the network adapter settings:
    • From “Network and Sharing Center,” click on “Change Adapter Settings”.
    • Right click on the network adapter you are using and select “Properties”.
    • Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.
    • Verify that the following information is entered correctly
      • IP address: 10.0.0.6
      • Subnet mask: 255.255.255.0
      • Default Gateway: 10.0.0.1
      • Preferred DNS Server: 8.8.8.8
      • Alternate DNS Server: 8.8.4.4

However, when I open the page in my browser, there is no response; when I check with the PING command, there is a connection to the default gateway, but no connection to the Internet. It appears that I need to configure the filtering rules for the FORWARD chain. The goal here is to allow traffic from the internal network and forward the connection to the Internet properly.

Impact of not allowing traffic on loopback interface

One possible reason why you could not connect to the Internet after setting up IP forwarding and NAT is that you are not allowing traffic on the loopback interface.

What is a loopback interface?

A loopback interface (lo) is a virtual network interface for sending data to the computer itself. It usually has an IP address of 127.0.0.1. This interface is used by the computer to access itself over the network.

Allow traffic on the loopback interface

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
  • A INPUT -i lo -j ACCEPT: Allow all incoming traffic from the loopback interface.
  • A OUTPUT -o lo -j ACCEPT: Allow all outgoing traffic to the loopback interface.
  1. Internal network A
    • A device with a private IP address (10.0.0.2) is connected.
    • Traffic from this device is sent to the Ubuntu PC.
  2. Ubuntu PC
    • Running IP forwarding and NAT.
    • Translates 10.0.0.2 to 192.168.0.2.
    • The loopback interface (127.0.0.1) is used for communication between internal processes.
    • If traffic on the loopback interface is not allowed, communication between internal processes may be prevented and NAT and forwarding may not function properly.
  3. Internet
    • Finally, it is converted to a public IP address and connected to the Internet.

Why is loopback important?

Not allowing traffic on the loopback interface can cause the following problems

  1. Access to local services: Many network services are accessed via the loopback interface and will not function properly if this traffic is blocked.
  2. NAT and forwarding issues: Even if IP forwarding and NAT are configured correctly, if traffic is not allowed on the loopback interface, communication between internal processes may be blocked, thus inhibiting connection to the Internet.

Specific Examples of Impact

For example, if traffic from an internal network (10.0.0.0/24) is sent to an external network (Internet) through NAT, the following situations may occur if the loopback interface is not working properly

  • DNS resolver problem: If DNS queries are processed through the loopback, it will not work and will not be able to resolve domain names on the Internet.
  • Communication failure of internal processes: Internal processes via loopback cannot communicate, so internal processing required for NAT and forwarding does not work properly, resulting in a failed connection to the Internet.

It is also necessary to allow traffic from the internal network

Significance of Allowing Traffic from Internal Networks

Controlling traffic is important for the secure and efficient operation of a network. This section discusses the reasons for allowing traffic from the internal network.

1. Allow communication between internal and external networks

In order for devices on an internal network (e.g., a company or home network) to access an external network (the Internet), it is necessary to allow that traffic to go outside.

  • Example: When a PC in the home accesses a website on the Internet, the request (traffic) from the PC first goes through the router and then out to the Internet. If the router does not allow traffic from the internal network to the external network, the request from the PC will not reach the outside world.

2. Network Security and Management

Properly controlling traffic can increase network security. Explicitly setting rules to allow traffic from the internal network can prevent unwanted traffic and keep the network secure.

  • Example: In an enterprise network, it is common to allow traffic from the inside to the outside while allowing traffic from the outside to the inside only based on specific conditions (e.g., in response to an already established connection). This is to prevent unauthorized access.

3. Optimizing Network Performance

Network performance can be optimized by allowing traffic appropriately. For example, specific rules can be set to prioritize important traffic and avoid network congestion.

  • Example: configuring streaming services or video conferencing traffic to be prioritized will ensure that these services run smoothly.

# Allow traffic from internal network
sudo iptables -A FORWARD -i enp1s0 -o wlp2s0 -s 10.0.0.0/24 -j ACCEPT

# Allow response traffic from the Internet
sudo iptables -A FORWARD -i wlp2s0 -o enp1s0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Explanation: These settings allow communication from the internal network to the Internet and allow related traffic from the Internet.

  • -A FORWARD -i enp1s0 -o wlp2s0 -s 10.0.0.0/24 -j ACCEPT:
    • -A: Append a new rule.
    • FORWARD: Append to the FORWARD chain.
    • -i enp1s0: Match traffic whose input interface is enp1s0 (internal network interface).
    • -o wlp2s0: Match traffic whose output interface is wlp2s0 (Internet interface).
    • -s 10.0.0.0/24: Match traffic whose source address is in the 10.0.0.0/24 network.
    • -j ACCEPT: Allow the matching traffic.
  • -A FORWARD -i wlp2s0 -o enp1s0 -m state --state ESTABLISHED,RELATED -j ACCEPT:
    • -A: Append a new rule.
    • FORWARD: Append to the FORWARD chain.
    • -i wlp2s0: Match traffic whose input interface is wlp2s0 (Internet interface).
    • -o enp1s0: Match traffic whose output interface is enp1s0 (internal network interface).
    • -m state --state ESTABLISHED,RELATED: Match traffic belonging to connections that are already established or related to one.
    • -j ACCEPT: Allow the matching traffic.

Set default policy to drop

sudo iptables -P FORWARD DROP

DESCRIPTION: Sets the default policy to drop all traffic not explicitly allowed. Doing so blocks unwanted traffic and enhances security.

  • -P FORWARD DROP:
    • P: Sets the default policy.
    • FORWARD: Set for forward chain.
    • DROP: Drop all traffic not explicitly allowed.

These settings allow Internet access from the internal network and block unwanted traffic. Traffic on the loopback interface is also allowed, so the computer itself is not disturbed. I checked again on the Windows PC and this time it worked. When I could not connect, it seems that the default policy for the FORWARD chain in the iptables configuration was set to DROP, which was blocking forwarded packets. Therefore, appropriate filtering rules had to be added to allow traffic from the internal network.

To view the current iptables rules in detail, enter the following command. The output below was captured after the commands above had been entered and traffic allowed.

sudo iptables -L -v -n

Chain INPUT (policy ACCEPT 34639 packets, 13M bytes)
pkts bytes target prot opt in out source destination
2710 231K ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
18824 13M DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
18824 13M DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
5928 1927K ACCEPT 0 -- enp1s0 wlp2s0 10.0.0.0/24 0.0.0.0/0
11727 11M ACCEPT 0 -- wlp2s0 enp1s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 28157 packets, 14M bytes)
pkts bytes target prot opt in out source destination
2632 224K ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0

Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
18825 13M RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
18842 13M RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0

Basic information

The output of sudo iptables -L -v -n details the current iptables rules: -L lists the rules, -v shows the verbose view with packet and byte counters, and -n displays IP addresses without resolving hostnames.

Overall Structure

The output is divided into the three built-in chains (INPUT, FORWARD, and OUTPUT) plus several chains added by Docker. Each chain has a set of rules that determine how packets are processed.

Chain INPUT

  • Description: The INPUT chain handles all traffic coming into the system.
Chain INPUT (policy ACCEPT 34639 packets, 13M bytes) 
pkts bytes target prot opt in out source destination
2710 231K ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
  • policy ACCEPT: By default, all incoming traffic is allowed.
  • 2710 packets, 231K bytes: Allow packets from the loopback interface (lo). This allows traffic that the system sends to itself (e.g., traffic to localhost).

Chain FORWARD

  • Explanation: The FORWARD chain handles traffic that passes through the system from one network interface to another.
Chain FORWARD (policy DROP 0 packets, 0 bytes) 
pkts bytes target prot opt in out source destination
18824 13M DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
18824 13M DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
5928 1927K ACCEPT 0 -- enp1s0 wlp2s0 10.0.0.0/24 0.0.0.0/0
11727 11M ACCEPT 0 -- wlp2s0 enp1s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  • policy DROP: By default, all forwarded traffic is denied.
  • 18824 packets, 13M bytes: Every packet is first passed through the DOCKER-USER chain and then the DOCKER-ISOLATION-STAGE-1 chain, both of which return it here.
  • 0 packets, 0 bytes: The Docker-related rules for the docker0 bridge; they have matched nothing because no container traffic is flowing.
  • 5928 packets, 1927K bytes: Allow traffic from the 10.0.0.0/24 subnet entering on enp1s0 and leaving on wlp2s0.
  • 11727 packets, 11M bytes: Allow reply traffic for established or related connections from wlp2s0 to enp1s0.

Chain OUTPUT

  • Explanation: The OUTPUT chain handles all traffic going out of the system.
Chain OUTPUT (policy ACCEPT 28157 packets, 14M bytes) 
pkts bytes target prot opt in out source destination
2632 224K ACCEPT 0 -- * lo 0.0.0.0/0 0.0.0.0/0
  • policy ACCEPT: By default, all output traffic is allowed.
  • 2632 packets, 224K bytes: Allow packets to the loopback interface ( lo).

Docker Related Chains

  • Description: Chains automatically generated by Docker to handle traffic between Docker containers.
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
18825 13M RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
18842 13M RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
  • Chain DOCKER: A chain with specific Docker rules.
  • Chain DOCKER-ISOLATION-STAGE-1: Chain for isolating traffic between Docker networks.
  • Chain DOCKER-ISOLATION-STAGE-2: Further traffic isolation.
  • Chain DOCKER-USER: Chain for handling user-defined Docker rules.

While we are at it, we also list the nat table from the command line and check that NAT is configured correctly.

sudo iptables -t nat -L -v -n

Chain PREROUTING (policy ACCEPT 8218 packets, 1816K bytes)
pkts bytes target prot opt in out source destination
6 336 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4650 packets, 1403K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 338 packets, 31300 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER 0 -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 142 packets, 10716 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * !docker0 172.17.0.0/16 0.0.0.0/0
624 85361 MASQUERADE 0 -- * wlp2s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE 0 -- * wlp2s0 10.0.0.0/24 0.0.0.0/0

Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0

Basic Information

This command details the rules of the nat table: -t nat selects the nat table, -L lists the rules, -v shows the verbose view with counters, and -n displays IP addresses without resolving hostnames.

Overall Structure

The output is divided into four main chains (PREROUTING, INPUT, OUTPUT, and POSTROUTING ) and a chain added by Docker (DOCKER). Each chain has rules that determine how packets are processed.

Chain PREROUTING

  • Description: The PREROUTING chain defines the rules that are applied before a packet is routed.
Chain PREROUTING (policy ACCEPT 8218 packets, 1816K bytes) 
pkts bytes target prot opt in out source destination
6 336 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
  • policy ACCEPT: By default, all incoming traffic is allowed.
  • 6 packets, 336 bytes: Send packets to the DOCKER chain. This rule passes packets whose destination is a local address (i.e., the IP address of this machine) to the Docker chain.

Chain INPUT

  • Description: The INPUT chain handles all traffic coming into the system.
Chain INPUT (policy ACCEPT 4650 packets, 1403K bytes) 
pkts bytes target prot opt in out source destination
  • policy ACCEPT: By default, all incoming traffic is allowed. No specific rules are set for this chain.

Chain OUTPUT

  • DESCRIPTION: The OUTPUT chain handles all traffic going out of the system.
Chain OUTPUT (policy ACCEPT 338 packets, 31300 bytes) 
pkts bytes target prot opt in out source destination
0 0 DOCKER 0 -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
  • policy ACCEPT: By default, all output traffic is allowed.
  • 0 packets, 0 bytes: Send packets to the DOCKER chain. This rule passes locally generated packets destined for local addresses other than 127.0.0.0/8 (loopback) to the Docker chain.

Chain POSTROUTING

  • Description: The POSTROUTING chain defines rules that are applied after packets are routed.
Chain POSTROUTING (policy ACCEPT 142 packets, 10716 bytes) 
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * !docker0 172.17.0.0/16 0.0.0.0/0
624 85361 MASQUERADE 0 -- * wlp2s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE 0 -- * wlp2s0 10.0.0.0/24 0.0.0.0/0
  • policy ACCEPT: By default, all post-routing traffic is allowed.
  • 0 packets, 0 bytes: Masquerade packets from the 172.17.0.0/16 (Docker) network leaving on any interface other than docker0. Masquerading rewrites the source IP address to the address of the outgoing interface.
  • 624 packets, 85361 bytes: Masquerades all packets leaving through the wlp2s0 interface, whatever their source.
  • 0 packets, 0 bytes: Masquerades packets from the 10.0.0.0/24 network leaving through wlp2s0. Its counter stays at zero because the broader rule above it already matches this traffic first; if only the internal subnet should be translated, keep this rule and delete the unscoped one.

Chain DOCKER

  • description: The DOCKER chain is a chain automatically generated by Docker to handle traffic between Docker containers.
Chain DOCKER (2 references) 
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
  • 0 packets, 0 bytes: returns packets going through the docker0 interface. This is a rule to allow traffic between Docker containers.

Important Summary

Command to display current iptables rules

1. POSTROUTING chain of nat tables

sudo iptables -t nat -L POSTROUTING -v -n
  • This command displays the rules added to the POSTROUTING chain for the nat table. Now verify that the MASQUERADE rule has been added correctly.

2. INPUT, OUTPUT, and FORWARD chains in the filter table

sudo iptables -L INPUT -v -n 
sudo iptables -L OUTPUT -v -n
sudo iptables -L FORWARD -v -n
  • These commands show the rules added to each chain. Verify that the rules for allowing traffic on the loopback interface (INPUT and OUTPUT ), allowing traffic from the internal network (FORWARD), and allowing response traffic from the Internet (FORWARD) have been added correctly.

How to check all rules at once

To check the entire set of rules at once, run the following command to verify that all rules are set correctly.

# Check the POSTROUTING chain in the NAT table 
sudo iptables -t nat -L POSTROUTING -v -n

# Check the INPUT chain in the filter table
sudo iptables -L INPUT -v -n

# Check the OUTPUT chain in the filter table
sudo iptables -L OUTPUT -v -n

# Check FORWARD chain for filter table
sudo iptables -L FORWARD -v -n

Run these commands to verify that the rules you have configured are being applied correctly.
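As an added example (not from the original post), the verification steps above can be automated: the script below reads the text of iptables -L -v -n and iptables -t nat -L -v -n and reports whether the FORWARD policy is DROP and whether the three rules the post relies on are present. The function and variable names are my own; SAMPLE_RULES is a constructed, trimmed copy of the listings shown earlier on this page. It also warns about the unscoped MASQUERADE rule on wlp2s0 that precedes the 10.0.0.0/24 rule in the post's own output (624 packets versus 0), since that rule translates every source, not only the internal subnet.

```shell
#!/bin/sh
# Added example, not from the original post: audit the iptables listing of a
# laptop routing 10.0.0.0/24 (enp1s0) to the Internet via wlp2s0.
# Hypothetical names: audit_router_rules, audit_live, SAMPLE_RULES, LAN_IF,
# WAN_IF, LAN_NET.
LAN_IF="${LAN_IF:-enp1s0}"
WAN_IF="${WAN_IF:-wlp2s0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Reads one or more "iptables -L -v -n" listings on stdin. Prints one line per
# check (OK/MISSING/WARN) and returns 0 only if every required rule is present.
audit_router_rules() {
  awk -v lan="$LAN_IF" -v wan="$WAN_IF" -v net="$LAN_NET" '
    function check(label, ok) {
      if (ok) { print "OK: " label } else { print "MISSING: " label; bad = 1 }
    }
    BEGIN { bad = 0 }
    # "Chain NAME (policy P ...)" starts a section; keep the chain name and policy.
    /^Chain / {
      chain = $2
      if (chain == "FORWARD" && $3 == "(policy") fwd_policy = $4
      next
    }
    /^ *pkts/ || NF == 0 { next }   # column header or blank line
    {
      # Columns: pkts bytes target prot opt in out source destination [details]
      target = $3; in_if = $6; out_if = $7; src = $8
      if (chain == "FORWARD" && target == "ACCEPT" && in_if == lan && out_if == wan && src == net) lan_out = 1
      if (chain == "FORWARD" && target == "ACCEPT" && in_if == wan && out_if == lan && $0 ~ /ESTABLISHED/) reply_in = 1
      if (chain == "POSTROUTING" && target == "MASQUERADE" && out_if == wan && src == net) masq = 1
      if (chain == "POSTROUTING" && target == "MASQUERADE" && out_if == wan && src == "0.0.0.0/0") broad_masq = 1
    }
    END {
      check("FORWARD policy is DROP", fwd_policy == "DROP")
      check("FORWARD accepts " lan " -> " wan " from " net, lan_out)
      check("FORWARD accepts RELATED,ESTABLISHED replies " wan " -> " lan, reply_in)
      check("POSTROUTING masquerades " net " out of " wan, masq)
      if (broad_masq) print "WARN: a MASQUERADE rule for 0.0.0.0/0 on " wan " also exists; it matches first and translates every source, not only " net
      exit bad
    }
  '
}

# Live check (needs root): feed both tables to the auditor.
audit_live() {
  { iptables -L -v -n; iptables -t nat -L -v -n; } | audit_router_rules
}

# Constructed sample, trimmed from the listings earlier on the page.
SAMPLE_RULES='Chain INPUT (policy ACCEPT 34639 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2710  231K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
18824   13M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
 5928 1927K ACCEPT     0    --  enp1s0 wlp2s0  10.0.0.0/24          0.0.0.0/0
11727   11M ACCEPT     0    --  wlp2s0 enp1s0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain POSTROUTING (policy ACCEPT 142 packets, 10716 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE 0    --  *      !docker0 172.17.0.0/16       0.0.0.0/0
  624 85361 MASQUERADE 0    --  *      wlp2s0  0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE 0    --  *      wlp2s0  10.0.0.0/24          0.0.0.0/0'

# Usage: ./audit-router.sh --sample   (or --live as root)
case "${1:-}" in
  --sample) printf '%s\n' "$SAMPLE_RULES" | audit_router_rules ;;
  --live)   audit_live ;;
esac
```

The exit status makes the auditor usable from cron or a post-boot unit: a non-zero result after netfilter-persistent has restored the rules means the saved rule set no longer contains what the post expects.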

Example of expected output

POSTROUTING chain of nat tables

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * wlp2s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * wlp2s0 10.0.0.0/24 0.0.0.0/0

INPUT chain of filter tables

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0

OUTPUT chain of filter tables

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

FORWARD chain in filter table

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- enp1s0 wlp2s0 10.0.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- wlp2s0 enp1s0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

By checking these outputs, you can verify that the configured rules have been added correctly.

https://github.com/superdoccimo/notepc
