In my current home network environment, my router connects all devices to the Internet. Here is the current situation and the planned configuration.
1. Current situation: everything is left to the ISP router
Current home network configuration
In most homes, Internet access is provided by a single router. This router is supplied by the Internet service provider (ISP) and performs the following functions:
- Providing Internet connectivity: The router connects to the Internet and makes the Internet available throughout the home.
- Providing a WiFi network: The router sends out a WiFi signal to which smartphones, tablets, laptops, etc. connect.
- Functioning as a DHCP server: The router assigns an IP address to each device.
(Internet)
    |
[ISP Router]  (WiFi network)
    |
[All devices in the home]
We therefore decided to separate the networks. We had tried this before but gave up because it was too much trouble; this time we took the opportunity to review the settings properly. Most laptops have both a WiFi and a wired network interface, so we will use a laptop with both as the router between the two networks.
2. Reasons for Network Separation
Why separate the networks?
There are several reasons to separate networks. The main ones are:
- Improved security: a separate segment limits what a compromised or untrusted device can reach. A WiFi client on the ISP router's network cannot talk to the wired PCs directly; it only gets there if the laptop in between forwards the traffic, and the laptop decides what it forwards.
- Improved performance: keeping traffic for different devices and purposes on separate segments makes it easier to manage and keeps broadcast traffic of one segment off the other.
- Ease of management: for larger networks, or for services that need to own a segment (e.g., a PXE boot server with its own DHCP), a separate segment is much easier to run.
3. New Network Configuration Description
New Network Configuration
The new configuration gives a higher level of control over the network by putting the internal network on its own segment, instead of leaving everything to the ISP router.
(Internet)
    |
[ISP Router] 192.168.0.1   (WiFi: 192.168.0.0/24)
    |                     \
[WiFi devices]        [Laptop/router]
                       WiFi:  192.168.0.2
                       Wired: 10.0.0.1   (internal network: 10.0.0.0/24)
                            |
                       [Hub/Switch]
                            |
                   [PC1] [PC2] [PC3]   (10.0.0.50-150)
- ISP Router: 192.168.0.1, serves the WiFi network 192.168.0.0/24.
- Laptop/Router: 192.168.0.2 on the WiFi side to reach the ISP router; 10.0.0.1 on the wired side to serve the internal network.
- Internal network: the 10.0.0.0/24 segment for the wired devices (PC1, PC2, PC3).
4. Advantages of the new network configuration
- Security: the internal network is isolated from the WiFi side and the Internet; nothing outside can open a connection to a wired PC unless the laptop explicitly forwards it.
- Efficiency: wired and WiFi traffic no longer share one segment.
- Flexibility: additional servers (e.g., a PXE server) and services can be placed on the internal segment without interfering with the ISP router.
This new configuration improves the security and performance of the home network and allows flexible management for specific applications. We previously attempted a network installation with a PXE server, but the DHCP server on the ISP router and the new DHCP server on the PC were on the same segment, so both answered the clients' DHCP requests; clients took whichever reply arrived first, received the wrong address or no boot information, and the installation failed. Two DHCP servers cannot share a broadcast domain, which is one more reason to separate the networks.
We installed a fresh Ubuntu 24.04 Server on the laptop and also installed Docker. Checking the address status shows that both the WiFi and the wired interface currently receive their addresses from the ISP router. With Docker installed, ip a also shows Docker's new network interface:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:76:1c:88:14:76 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.106/24 metric 100 brd 192.168.0.255 scope global dynamic enp1s0
       valid_lft 373sec preferred_lft 373sec
    inet6 fe80::f276:1cff:fe88:1476/64 scope link
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:b5:7d:87:8e:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.107/24 metric 600 brd 192.168.0.255 scope global dynamic wlp2s0
       valid_lft 4081sec preferred_lft 4081sec
    inet6 fe80::aeb5:7dff:fe87:8e90/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:31:4a:6a:92 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
The system has several network interfaces, each with its own IP address. The addresses on enp1s0 and wlp2s0 are leased by the ISP router's DHCP server (note the dynamic flag and the lease timers); docker0's address is assigned by Docker itself.
First, the lo interface is the loopback interface. It is used by the system to talk to itself and always carries 127.0.0.1/8.
Next, enp1s0 is the wired interface, which has been assigned 192.168.0.106. This is inside the private range typically used in home and small office networks.
The wlp2s0 interface is the wireless interface, assigned 192.168.0.107, in the same private range. Both interfaces received a default route from the router; the wired one wins because its metric (100) is lower than the WiFi one (600). Once the wired interface gets a static address without a gateway, as configured below, only the WiFi default route remains, which is what we want.
Finally, docker0 is the virtual bridge created by Docker. Its address, 172.17.0.1, is the gateway that containers on Docker's default network use to reach everything outside the bridge.
Ubuntu network settings are managed differently in different versions. Recent versions of Ubuntu no longer use the /etc/network/interfaces file; instead a tool called Netplan is used.
Netplan configuration files live in the following directory:
/etc/netplan/
The directory contains files with a .yaml extension. A file named something like 01-netcfg.yaml is common; on this Ubuntu Server install we found one named 50-cloud-init.yaml, shown below. In this configuration both the enp1s0 and wlp2s0 interfaces obtain their IP addresses via DHCP.
sudo cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by the datasource.  Changes
# to it will not persist across an instance reboot.  To disable cloud-init's
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp1s0:
            dhcp4: true
    version: 2
    wifis:
        wlp2s0:
            access-points:
                TP-Link_6BEB:
                    password: '123456789'
            dhcp4: true
Note that this file stores the WiFi passphrase in clear text. Keep it readable by root only (chmod 600 /etc/netplan/*.yaml); recent Netplan versions warn when a configuration file that contains secrets is readable by other users.
To avoid configuration confusion, the specific scenario is described in a bit more detail.
Scenario Description
- Server PC (the laptop) plays the role of router:
  - provides Internet access to the other devices on the internal network, and is intended to assign their IP addresses;
  - has a static IP address on its own wired interface.
- Client PC:
  - uses the server PC as its default gateway.
Server PC Configuration Example
If the server PC (notebook PC) is given the fixed IP address 10.0.0.1 and the client PCs use that address as their gateway, the Netplan settings for the server PC are as follows:
network:
    version: 2
    ethernets:
        enp1s0:
            addresses:
                - 10.0.0.1/24
            nameservers:
                addresses:
                    - 8.8.8.8
                    - 8.8.4.4
    wifis:
        wlp2s0:
            access-points:
                TP-Link_6BEB:
                    password: '123456789'
            dhcp4: true
Configuration example for a client PC
If the client PC uses the server PC as its gateway, the Netplan configuration for the client PC looks like this (the older gateway4: 10.0.0.1 key still works on Ubuntu 24.04 but is deprecated and logs a warning; the routes form is the current syntax):
network:
    version: 2
    ethernets:
        enp1s0:
            addresses:
                - 10.0.0.100/24
            routes:
                - to: default
                  via: 10.0.0.1
            nameservers:
                addresses:
                    - 8.8.8.8
                    - 8.8.4.4
Important points
- IP address of the server PC: assign 10.0.0.1 to the wired interface of the server PC.
- Client PC IP address: assign a different address (e.g., 10.0.0.100) to each client PC and set its gateway to 10.0.0.1.
- Role of the server PC: the server PC acts as the router for the internal network and is intended to become its DHCP server as well. Note that the DHCP server itself is not configured on this page; the clients below are given static addresses, so until a DHCP server (or the PXE server) is installed every wired PC has to be configured by hand.
After editing the file there is no need to reboot the PC or restart a service, but the Netplan settings do have to be applied. After saving the configuration file, run the following command to apply the changes:
sudo netplan apply
Applying the Netplan settings reconfigures the network, which may drop SSH sessions. If you are working over SSH, sudo netplan try is safer: it applies the configuration and reverts it automatically after 120 seconds unless you confirm. Two more things to keep in mind: if you edit 50-cloud-init.yaml directly, also create the /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg file mentioned in its header, otherwise cloud-init may regenerate the file; alternatively put your settings in a separate file such as /etc/netplan/99-router.yaml, because Netplan merges all files in the directory in lexical order and later files override earlier ones. Then display the IP information again to see whether it has changed. The wired side now looks as follows.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f0:76:1c:88:14:76 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::f276:1cff:fe88:1476/64 scope link
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ac:b5:7d:87:8e:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.107/24 metric 600 brd 192.168.0.255 scope global dynamic wlp2s0
       valid_lft 4571sec preferred_lft 4571sec
    inet6 fe80::aeb5:7dff:fe87:8e90/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:31:4a:6a:92 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
In addition, IP forwarding must be enabled and NAT must be configured for the server PC to provide Internet connectivity to the client. By doing this, the server PC acts as a router for the client PCs.
Description of IP Forwarding and NAT Settings
1. IP Forwarding (net.ipv4.ip_forward=1)
IP forwarding is the kernel's ability to pass packets received on one network interface out through another. With it enabled, the server PC acts as a router and the other devices on the internal network can reach the Internet through it.
(Figure: the laptop forwards between 10.0.0.1 on the wired side and 192.168.0.2 on the WiFi side.)
Configuration method:
- Enable temporarily:
sudo sysctl -w net.ipv4.ip_forward=1
- To enable permanently, add the following line to /etc/sysctl.conf (or to a file under /etc/sysctl.d/, where Ubuntu keeps its own defaults) and load it with sudo sysctl -p (sudo sysctl --system for files under /etc/sysctl.d/):
net.ipv4.ip_forward=1
- Check the current value at any time with sysctl net.ipv4.ip_forward; it should print net.ipv4.ip_forward = 1.
With this configuration, the server PC will be ready to forward traffic for other devices in the network.
2. NAT Configuration (using iptables)
NAT (Network Address Translation) is what lets devices with private addresses reach the Internet. The router rewrites the private source address of outgoing packets to an address that is valid on the next network, keeps track of the connection, and rewrites the replies back on their way in.
(Figure: the laptop at 192.168.0.2 and the ISP router at 192.168.0.1 both have private addresses; the ISP router translates to its public address, 203.0.113.1 in the example, and communication with the Internet takes place over that public address.)
NAT can of course also translate one private address into another private address. This is sometimes called "NAT within the local network" or "internal NAT".
(Figure: a PC at 10.0.0.2 is translated to 192.168.0.100 on the ISP side.)
What we actually do here is both at once: the laptop translates 10.0.0.x addresses to its own WiFi address on 192.168.0.0/24, and the ISP router then translates that to the public address on the way to the Internet. This is sometimes called double NAT; it works fine for connections the internal PCs open themselves, but anything on the internal network is now two layers of translation away from the Internet.
Configuration method:
Command to configure NAT:
sudo iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
- -t nat: operate on the nat table instead of the default filter table.
- -A POSTROUTING: append to the POSTROUTING chain, which sees packets after the routing decision, i.e. when the outgoing interface is already known.
- -o wlp2s0: apply the rule only to packets leaving through this interface (here the WiFi interface toward the ISP router).
- -j MASQUERADE: rewrite the source address to whatever address the outgoing interface currently has. Unlike SNAT, which needs a fixed address, MASQUERADE looks the address up per packet, so it keeps working when the WiFi address changes with a new DHCP lease.
NAT settings for a specific subnet:
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o wlp2s0 -j MASQUERADE
- -s 10.0.0.0/24: restrict the rule to packets whose source address is in this range, i.e. the internal network.
Prefer the second form. The first rule masquerades everything that leaves wlp2s0, including traffic Docker forwards out of docker0 and anything else that happens to be routed through the laptop; the subnet-specific rule only rewrites the traffic you intend to route. If you add both, as was done here, the broader rule matches first and the specific one never sees a packet (this is visible in the counters of the nat listing further down).
Configuration persistence:
iptables rules are lost at reboot, so the configuration must be made persistent.
- Install the package:
sudo apt-get install iptables-persistent
- Save the current rules (they are written to /etc/iptables/rules.v4 and rules.v6 and restored at boot):
sudo netfilter-persistent save
The NAT rules now survive a reboot of the server PC, and devices on the internal network can always reach the Internet.
- The laptop acting as router is connected to the ISP router over WiFi (192.168.0.2 in the diagram; in the ip a output above the DHCP lease was 192.168.0.107).
- The laptop uses its wired interface (10.0.0.1) to serve the internal network (10.0.0.0/24).
- With IP forwarding enabled, the laptop forwards traffic received from PC1, PC2 and PC3 on the internal network (10.0.0.0/24) out through the WiFi interface.
- NAT (Network Address Translation) lets devices on the internal network keep their private 10.0.0.0/24 addresses: the laptop rewrites them to its own WiFi address (192.168.0.2) and sends the packets to the ISP router, which in turn rewrites that address to the public one before the packets reach the Internet.
This configuration will allow all devices in the internal network (10.0.0.0/24) to access the Internet, which we will check on the Windows PC. Follow the steps below to check the network settings on the client PC to ensure that the correct settings are applied.
Check the network settings of the Windows client PC
- Check the network adapter settings:
- From "Network and Sharing Center", click "Change Adapter Settings".
- Right click on the network adapter you are using and select “Properties”.
- Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.
- Verify that the following information is entered correctly
- IP address: 10.0.0.6
- Subnet mask: 255.255.255.0
- Default Gateway: 10.0.0.1
- Preferred DNS Server: 8.8.8.8
- Alternate DNS Server: 8.8.4.4
However, when I open a page in the browser there is no response; a PING to the default gateway succeeds, but nothing on the Internet answers. It appears that filtering rules for the FORWARD chain are needed. The goal is to allow traffic from the internal network and forward the connections to the Internet properly.
Impact of not allowing traffic on the loopback interface
One explanation that is often offered for "IP forwarding and NAT are set up but the clients still cannot reach the Internet" is that traffic on the loopback interface is being blocked. It is worth understanding why that explanation does not apply here, and when loopback rules do matter.
What is a loopback interface?
A loopback interface (lo) is a virtual network interface for sending data to the computer itself. It carries the 127.0.0.0/8 range, usually addressed as 127.0.0.1, and is used by local services that talk to each other over sockets (on Ubuntu, for example, the systemd-resolved stub resolver listens on 127.0.0.53).
Allow traffic on the loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
- -A INPUT -i lo -j ACCEPT: allow all incoming packets that arrive on the loopback interface.
- -A OUTPUT -o lo -j ACCEPT: allow all outgoing packets that leave on the loopback interface.
How the traffic actually flows
- Internal network: a device with a private IP address (10.0.0.2) sends a packet to the Ubuntu PC (10.0.0.1).
- Ubuntu PC: the packet is routed (FORWARD chain) and its source address is masqueraded (nat POSTROUTING), 10.0.0.2 to 192.168.0.2.
- Internet: the ISP router translates 192.168.0.2 to its public address and sends the packet out.
Forwarded packets traverse PREROUTING, FORWARD and POSTROUTING only; they never pass through the INPUT or OUTPUT chains and never cross the loopback interface. The loopback rules therefore cannot fix, or break, forwarding and NAT.
Why is loopback important?
The two rules above are still worth adding, as hygiene for the moment you tighten the INPUT or OUTPUT policy to DROP (in the listings below both policies are still ACCEPT, so the rules count packets but change nothing). Blocking loopback traffic causes the following problems on the laptop itself:
- Access to local services: many services are reached via the loopback interface (databases, the Docker daemon socket, the local DNS stub) and stop working if that traffic is blocked.
- DNS on the laptop: if the laptop's own name resolution goes through 127.0.0.53 and loopback is blocked, the laptop cannot resolve names. The clients in this setup are unaffected, because they send their DNS queries to 8.8.8.8 directly and are merely forwarded.
What does block the clients is the FORWARD chain, which is dealt with next.
It is also necessary to allow traffic from the internal network.
Significance of Allowing Traffic from Internal Networks
Controlling transit traffic is what makes the laptop a firewall rather than just a router. The reasons for allowing traffic from the internal network explicitly are as follows.
1. Allow communication between internal and external networks
For devices on the internal network (10.0.0.0/24) to reach the Internet, the laptop must be permitted to forward their packets out of the WiFi interface.
- Example: when a PC in the home opens a website, the request goes through the laptop first and then out to the ISP router. If the FORWARD chain does not allow traffic from the internal network to the external interface, the request never leaves the laptop, even though routing and NAT are configured.
2. Network Security and Management
Explicit rules are safer than a permissive default. The usual pattern is to allow connections from the inside to the outside, and to allow traffic from the outside to the inside only when it belongs to a connection the inside already opened (ESTABLISHED,RELATED). Everything else is discarded by the chain's default policy, so an unsolicited connection from the WiFi segment cannot reach a wired PC.
3. Network performance
Filter rules decide whether traffic passes, not how much bandwidth it gets. Prioritising streaming or video-conference traffic over the rest is a job for traffic control (tc/QoS), not for ACCEPT rules, so do not expect the rules below to change performance.
# Allow traffic from the internal network
sudo iptables -A FORWARD -i enp1s0 -o wlp2s0 -s 10.0.0.0/24 -j ACCEPT
# Allow reply traffic from the Internet
sudo iptables -A FORWARD -i wlp2s0 -o enp1s0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Explanation: the first rule allows new connections from the internal network to the Internet; the second allows only the replies to those connections back in.
- -A FORWARD -i enp1s0 -o wlp2s0 -s 10.0.0.0/24 -j ACCEPT
  - -A FORWARD: append a rule to the FORWARD chain.
  - -i enp1s0: match packets whose input interface is enp1s0 (internal network interface).
  - -o wlp2s0: match packets whose output interface is wlp2s0 (Internet interface).
  - -s 10.0.0.0/24: match packets whose source address is in 10.0.0.0/24.
  - -j ACCEPT: allow the matching packets.
- -A FORWARD -i wlp2s0 -o enp1s0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  - -i wlp2s0 / -o enp1s0: match packets entering on the Internet interface and leaving on the internal interface.
  - -m state --state ESTABLISHED,RELATED: match only packets that belong to a connection already tracked by conntrack, or to a related one (such as an ICMP error for that connection). On current kernels -m state is a compatibility alias for -m conntrack --ctstate, which is what Docker's own rules use in the listing below.
  - -j ACCEPT: allow the matching packets.
Set default policy to drop
sudo iptables -P FORWARD DROP
Description: sets the chain's default policy to DROP, so every forwarded packet that no rule explicitly accepts is discarded. Together with the two rules above this blocks unsolicited traffic from the WiFi side toward the internal network.
- -P FORWARD DROP
  - -P: set the default policy of a chain.
  - FORWARD: the chain being set.
  - DROP: discard traffic that matched no rule.
These settings allow Internet access from the internal network and block unwanted traffic. Traffic on the loopback interface is also allowed, so the laptop's own local services are not disturbed. I checked again on the Windows PC and this time it worked. When I could not connect, the default policy of the FORWARD chain in the iptables configuration was already DROP, which was discarding every forwarded packet. That is Docker's doing: when the Docker daemon starts with its iptables integration enabled it sets the FORWARD policy to DROP so the host does not silently route traffic for its bridges, which is why forwarding was blocked before any -P command had been issued. The fix was therefore the two FORWARD ACCEPT rules; the loopback rules played no part.
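The settings of this and the previous sections, collected into one script that can be re-run safely. This is an added example, not code from the original post: the interface names, subnets and the ISP subnet 192.168.0.0/24 are taken from this page and assumed via variables, the DRY_RUN switch is a convention of this script only, and the rule that blocks the wired segment from reaching the ISP WiFi segment is my addition (the post's rules let a wired PC reach every WiFi client through the laptop).

```shell
#!/bin/sh
# Added example, not code from the original post: apply every setting from
# the sections above in one idempotent script. Defaults are the names used on
# this page; override them in the environment if yours differ.
#   WAN     - interface toward the ISP router (the laptop's WiFi)
#   LAN     - interface toward the wired segment (10.0.0.1)
#   LAN_NET - the internal subnet that is routed and masqueraded
#   ISP_NET - the ISP router's WiFi subnet (used only for the isolation rule)
# DRY_RUN is a hypothetical switch of this script: it defaults to 1 and only
# prints the commands. Run as root with DRY_RUN=0 to apply them.
set -eu

WAN="${WAN:-wlp2s0}"
LAN="${LAN:-enp1s0}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"
ISP_NET="${ISP_NET:-192.168.0.0/24}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ensure() {
    # ensure TABLE CHAIN MATCH... : append the rule unless an identical one
    # already exists. `iptables -C` exits 0 when the rule is present, so the
    # script can be re-run without piling up duplicate rules (plain -A would
    # add another copy on every run).
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" = 1 ]; then echo "iptables -t $table -A $chain $*"; return 0; fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

configure_router() {
    # 1. Let the kernel route between interfaces. Persist this under
    #    /etc/sysctl.d/ as described above; sysctl -w only lasts until reboot.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Default deny for transit traffic. Docker sets this on start-up too,
    #    but the policy should not depend on Docker being installed.
    run iptables -P FORWARD DROP

    # 3. Loopback. Harmless while the INPUT/OUTPUT policy is ACCEPT, required
    #    the moment those policies are tightened (systemd-resolved listens on
    #    127.0.0.53).
    ensure filter INPUT -i lo -j ACCEPT
    ensure filter OUTPUT -o lo -j ACCEPT

    # 4. Keep the wired segment away from the ISP WiFi segment. Without this
    #    rule the ACCEPT below also lets a wired PC reach every WiFi client
    #    through the laptop. It has to be appended before that ACCEPT because
    #    iptables evaluates rules in order. (My addition, not from the post.)
    ensure filter FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -d "$ISP_NET" -j DROP

    # 5. Wired clients may open connections toward the Internet; only replies
    #    to connections they opened may come back. New connections from the
    #    WiFi side match nothing and fall through to the DROP policy.
    ensure filter FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ensure filter FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 6. Source-NAT only the wired subnet, not everything that leaves the WiFi
    #    interface. MASQUERADE re-reads the interface address for each packet,
    #    so it survives a new DHCP lease on the WiFi side.
    ensure nat POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
}

configure_router
```

After applying with DRY_RUN=0, save the result with sudo netfilter-persistent save. If the broad -o wlp2s0 -j MASQUERADE rule from the NAT section is already present, delete it first (sudo iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE), otherwise it keeps shadowing the per-subnet rule. The isolation rule in step 4 also stops wired PCs from reaching the ISP router's own address (192.168.0.1); drop the rule, or add an ACCEPT for that single host in front of it, if you need the router's web interface from the wired side. On a host that runs Docker the FORWARD rules can be inserted (-I) into DOCKER-USER instead, which Docker evaluates before its own chains and leaves untouched when it restarts.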
To view the current iptables rules in detail, enter the following command. The output shown here was taken after the commands above had been entered and traffic was being allowed.
sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 34639 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2710  231K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
18824   13M DOCKER-USER  0  --  *      *       0.0.0.0/0            0.0.0.0/0
18824   13M DOCKER-ISOLATION-STAGE-1  0  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0           0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 5928 1927K ACCEPT     0    --  enp1s0 wlp2s0  10.0.0.0/24          0.0.0.0/0
11727   11M ACCEPT     0    --  wlp2s0 enp1s0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 28157 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2632  224K ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0  --  docker0 !docker0  0.0.0.0/0           0.0.0.0/0
18825   13M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
18842   13M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
Basic information
The output of the command sudo iptables -L -v -n lists the current rules of the filter table: -L lists the rules, -v adds the verbose columns (packet and byte counters, interfaces), and -n prints addresses and ports numerically instead of resolving host names.
Overall Structure
The output is divided into the three built-in chains (INPUT, FORWARD and OUTPUT) and several chains added by Docker. Each chain holds a set of rules that determine how packets are processed; the counters show how many packets and bytes each rule has matched since it was loaded.
Chain INPUT
- Description: the INPUT chain handles traffic addressed to the system itself.
Chain INPUT (policy ACCEPT 34639 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2710  231K ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0
- policy ACCEPT: by default, all incoming traffic is accepted.
- 2710 packets, 231K bytes: accept packets arriving on the loopback interface (lo), i.e. traffic the system sends to itself (for example to localhost).
Chain FORWARD
- Description: the FORWARD chain handles traffic that passes through the system from one interface to another.
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
18824   13M DOCKER-USER  0  --  *      *       0.0.0.0/0            0.0.0.0/0
18824   13M DOCKER-ISOLATION-STAGE-1  0  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0           0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 5928 1927K ACCEPT     0    --  enp1s0 wlp2s0  10.0.0.0/24          0.0.0.0/0
11727   11M ACCEPT     0    --  wlp2s0 enp1s0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
- policy DROP: by default, forwarded traffic is discarded (Docker set this policy when it started; it is also what we set explicitly above).
- 18824 packets, 13M bytes: every forwarded packet first jumps to DOCKER-USER and then to DOCKER-ISOLATION-STAGE-1. DOCKER-USER contains only a RETURN and exists so that administrators can put their own rules in front of Docker's: rules inserted there are evaluated before anything Docker adds, and Docker leaves them alone.
- 0 packets, 0 bytes: the Docker-specific rules; nothing matched, because no traffic to or from docker0 passed through the chain.
- 5928 packets, 1927K bytes: accept traffic from the 10.0.0.0/24 subnet going from enp1s0 to wlp2s0.
- 11727 packets, 11M bytes: accept reply traffic of established or related connections from wlp2s0 to enp1s0. Non-zero counters on both of these rules confirm that forwarding works in both directions.
Chain OUTPUT
- Description: the OUTPUT chain handles traffic generated by the system itself.
Chain OUTPUT (policy ACCEPT 28157 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2632  224K ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0
- policy ACCEPT: by default, all outgoing traffic is accepted.
- 2632 packets, 224K bytes: accept packets leaving on the loopback interface (lo).
Docker Related Chains
- Description: chains Docker creates automatically to handle traffic to, from and between containers.
Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0  --  docker0 !docker0  0.0.0.0/0           0.0.0.0/0
18825   13M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
18842   13M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
- Chain DOCKER: holds per-container rules for published ports (empty here, as no container publishes a port).
- Chain DOCKER-ISOLATION-STAGE-1: first stage of the isolation between Docker networks; packets leaving docker0 for another interface are handed to stage 2, everything else returns.
- Chain DOCKER-ISOLATION-STAGE-2: drops packets that would cross from one Docker bridge into another.
- Chain DOCKER-USER: reserved for user-defined rules that must be evaluated before Docker's own.
Since we are here anyway, we also list the nat table and check that it is configured correctly.
sudo iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 8218 packets, 1816K bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   336 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 4650 packets, 1403K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 338 packets, 31300 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 142 packets, 10716 bytes)
 pkts bytes target     prot opt in     out      source               destination
    0     0 MASQUERADE 0    --  *      !docker0 172.17.0.0/16        0.0.0.0/0
  624 85361 MASQUERADE 0    --  *      wlp2s0   0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE 0    --  *      wlp2s0   10.0.0.0/24          0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *      0.0.0.0/0            0.0.0.0/0
Basic Information
This command lists the rules of the nat table: -t nat selects the nat table, -L lists the rules, -v adds the verbose columns, and -n prints addresses numerically instead of resolving host names.
Overall Structure
The output is divided into the four built-in chains of the nat table (PREROUTING, INPUT, OUTPUT and POSTROUTING) and a chain added by Docker (DOCKER). Each chain holds rules that determine how packet addresses are rewritten.
Chain PREROUTING
- Description: the PREROUTING chain holds rules applied before a packet is routed.
Chain PREROUTING (policy ACCEPT 8218 packets, 1816K bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   336 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
- policy ACCEPT: by default, all incoming packets pass unchanged.
- 6 packets, 336 bytes: jump to the DOCKER chain. This rule hands packets whose destination is a local address (an address of this machine) to the Docker chain, which is where published container ports would be redirected.
Chain INPUT
- Description: the INPUT chain of the nat table sees packets destined for the system itself.
Chain INPUT (policy ACCEPT 4650 packets, 1403K bytes)
 pkts bytes target     prot opt in     out     source               destination
- policy ACCEPT: by default, all incoming packets pass unchanged. No rules are defined in this chain.
Chain OUTPUT
- Description: the OUTPUT chain of the nat table sees packets generated by the system itself.
Chain OUTPUT (policy ACCEPT 338 packets, 31300 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL
- policy ACCEPT: by default, all outgoing packets pass unchanged.
- 0 packets, 0 bytes: jump to the DOCKER chain for locally generated packets whose destination is a local address other than 127.0.0.0/8 (loopback).
Chain POSTROUTING
- Description: the POSTROUTING chain holds rules applied after packets are routed.
Chain POSTROUTING (policy ACCEPT 142 packets, 10716 bytes)
 pkts bytes target     prot opt in     out      source               destination
    0     0 MASQUERADE 0    --  *      !docker0 172.17.0.0/16        0.0.0.0/0
  624 85361 MASQUERADE 0    --  *      wlp2s0   0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE 0    --  *      wlp2s0   10.0.0.0/24          0.0.0.0/0
- policy ACCEPT: by default, packets leave the chain untouched.
- 0 packets, 0 bytes: Docker's rule; masquerades packets from the 172.17.0.0/16 container network leaving on any interface other than docker0. Masquerading rewrites the source address to the address of the outgoing interface.
- 624 packets, 85361 bytes: masquerades every packet leaving through wlp2s0, whatever its source.
- 0 packets, 0 bytes: masquerades packets from 10.0.0.0/24 leaving through wlp2s0. The counter is zero because the broader rule directly above it already matched every packet from the internal network: iptables evaluates rules top to bottom and MASQUERADE is a terminating target. The subnet-specific rule is the one to keep, so remove the broad one with sudo iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE and run sudo netfilter-persistent save again.
Chain DOCKER
- Description: the DOCKER chain is created automatically by Docker and holds the port-publishing (DNAT) rules for containers.
Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *      0.0.0.0/0            0.0.0.0/0
- 0 packets, 0 bytes: return for packets arriving on docker0, so that traffic between containers is never redirected. No container publishes a port yet, which is why there are no DNAT entries.
Important Summary
Commands to display the current iptables rules
1. POSTROUTING chain of the nat table
sudo iptables -t nat -L POSTROUTING -v -n
- Shows the rules in the POSTROUTING chain of the nat table. Check that the MASQUERADE rule has been added correctly.
2. INPUT, OUTPUT and FORWARD chains of the filter table
sudo iptables -L INPUT -v -n
sudo iptables -L OUTPUT -v -n
sudo iptables -L FORWARD -v -n
- Shows the rules added to each chain. Check that the rules allowing loopback traffic (INPUT and OUTPUT), allowing traffic from the internal network (FORWARD), and allowing reply traffic from the Internet (FORWARD) are present.
How to check all rules at once
To check the entire set of rules at once, run the following command to verify that all rules are set correctly.
# Check the POSTROUTING chain in the NAT table
sudo iptables -t nat -L POSTROUTING -v -n
# Check the INPUT chain in the filter table
sudo iptables -L INPUT -v -n
# Check the OUTPUT chain in the filter table
sudo iptables -L OUTPUT -v -n
# Check FORWARD chain for filter table
sudo iptables -L FORWARD -v -n
Run these commands to verify that the rules you have configured are being applied correctly.
Example of expected output
POSTROUTING chain of the nat table
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      wlp2s0  0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE all  --  *      wlp2s0  10.0.0.0/24          0.0.0.0/0
INPUT chain of the filter table
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
OUTPUT chain of the filter table
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
FORWARD chain of the filter table
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  enp1s0 wlp2s0  10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     all  --  wlp2s0 enp1s0  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
(The "all" in the prot column is what older iptables versions print; the iptables 1.8 shipped with Ubuntu 24.04 prints 0 there, as in the real listings above. The FORWARD policy must read DROP, as set earlier; the Docker chains that sit at the top of the real FORWARD chain are omitted here.)
By checking these outputs, you can verify that the configured rules have been added correctly.
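Reading the listings by eye is error-prone, so here is a small audit script for the two things the listings on this page turned out to matter: a MASQUERADE rule without -s that shadows the per-subnet rule after it (the 0-packet rule in the nat listing), and the FORWARD chain having policy DROP plus the two ACCEPT rules. This is an added example, not code from the original post. The SAMPLE_* listings are copied from this page and embedded so the script runs offline; the function names and the LAN/WAN arguments are conventions of this script only.

```shell
#!/bin/sh
# Added example, not from the original post: audit the output of the
# verification commands above.
#   audit_postrouting - flags a MASQUERADE rule with no -s restriction and any
#                       later, more specific rule on the same interface that it
#                       shadows (the 0-packet rule seen in the nat listing);
#   audit_forward     - checks that FORWARD has policy DROP, an ACCEPT for
#                       LAN->WAN and an ESTABLISHED,RELATED ACCEPT for WAN->LAN.
# The SAMPLE_* inputs are the listings from this page, embedded so the script
# runs offline. On the router, pipe the live output in instead:
#   sudo iptables -t nat -L POSTROUTING -v -n | audit_postrouting
#   sudo iptables -L FORWARD -v -n | audit_forward enp1s0 wlp2s0
set -eu

SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 142 packets, 10716 bytes)
 pkts bytes target     prot opt in     out      source          destination
    0     0 MASQUERADE 0    --  *      !docker0 172.17.0.0/16   0.0.0.0/0
  624 85361 MASQUERADE 0    --  *      wlp2s0   0.0.0.0/0       0.0.0.0/0
    0     0 MASQUERADE 0    --  *      wlp2s0   10.0.0.0/24     0.0.0.0/0'

SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source          destination
18824   13M DOCKER-USER  0  --  *      *       0.0.0.0/0       0.0.0.0/0
 5928 1927K ACCEPT     0    --  enp1s0 wlp2s0  10.0.0.0/24     0.0.0.0/0
11727   11M ACCEPT     0    --  wlp2s0 enp1s0  0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED'

# Reads `iptables -t nat -L POSTROUTING -v -n` on stdin and prints one finding
# per line. Columns of a rule line: $1 pkts, $3 target, $7 out, $8 source.
audit_postrouting() {
    awk '
        $3 == "MASQUERADE" {
            n++
            if ($8 == "0.0.0.0/0") {
                printf("WARN: rule %d masquerades every source leaving %s (no -s); prefer a per-subnet rule\n", n, $7)
                broad[$7] = n
            } else if ($7 in broad) {
                printf("WARN: rule %d (-s %s -o %s) is shadowed by rule %d above it and never matches (%s packets)\n", n, $8, $7, broad[$7], $1)
            }
        }
        END { if (n == 0) print "FAIL: no MASQUERADE rule found" }
    '
}

# audit_forward LAN WAN: reads `iptables -L FORWARD -v -n` on stdin. The policy
# is the 4th field of the "Chain FORWARD (policy DROP ...)" header line.
audit_forward() {
    awk -v lan="$1" -v wan="$2" '
        /^Chain FORWARD/ { policy = $4 }
        $3 == "ACCEPT" && $6 == lan && $7 == wan { lan2wan = 1 }
        $3 == "ACCEPT" && $6 == wan && $7 == lan && /RELATED,ESTABLISHED/ { reply = 1 }
        END {
            if (policy != "DROP") printf("WARN: FORWARD policy is %s, not DROP\n", policy)
            if (!lan2wan)          printf("FAIL: no ACCEPT for %s -> %s\n", lan, wan)
            if (!reply)            printf("FAIL: no RELATED,ESTABLISHED ACCEPT for %s -> %s\n", wan, lan)
            if (policy == "DROP" && lan2wan && reply) print "OK: FORWARD chain matches the expected policy"
        }
    '
}

# Run the checks over the embedded listings from this page.
printf '%s\n' "$SAMPLE_POSTROUTING" | audit_postrouting
printf '%s\n' "$SAMPLE_FORWARD" | audit_forward enp1s0 wlp2s0
```

On the listing from this page the first check reports rule 2 as a catch-all and rule 3 as shadowed by it, and the second check reports OK. The checks only look at interface, source and state columns, so a rule added with extra matches (a port, a destination) is still recognised as long as those columns are the ones expected.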