More than 1 year has passed since last update.

Studying ebtables

Posted at 2024-01-03

Overview

Notes from studying Linux ebtables.
Besides the filter table, the behaviour of the broute table is tested.

Environment

  • Ubuntu runs under multipass on OS X, and the environment below is built with Linux network namespaces.

[Figure: bridge.drawio.png, diagram of the sun-lan / sun (br0) / moon topology built below]

  • Ubuntu 22.04 is used. Note that ebtables has to be replaced with a version that implements the broute table (the ebtables shipped with 22.04 is the nftables-backed ebtables-nft, which does not support broute rules).

  • bridge-utils is installed beforehand.

Creating the bridge

Create the bridge inside Linux network namespaces.

sudo ip netns add moon
sudo ip netns add sun
sudo ip netns add sun-lan

sudo ip link add sunlan-veth0 type veth peer name sun-veth0
sudo ip link add sun-veth1 type veth peer name moon-veth1
sudo ip link set sunlan-veth0 netns sun-lan
sudo ip link set sun-veth0  netns sun
sudo ip link set sun-veth1 netns sun
sudo ip link set moon-veth1 netns moon

sudo ip netns exec sun-lan ip link set sunlan-veth0 up
sudo ip netns exec sun ip link set sun-veth1 up
sudo ip netns exec sun ip link set sun-veth0 up
sudo ip netns exec moon ip link set moon-veth1 up
sudo ip netns exec sun sysctl net.ipv4.ip_forward=1

sudo ip netns exec sun-lan ip addr add 192.168.0.11/16 dev sunlan-veth0 
sudo ip netns exec moon ip addr add 192.168.0.12/16  dev moon-veth1

Create the bridge interface and attach the two veth ports to it.

sudo ip netns exec sun brctl addbr br0
sudo ip netns exec sun ip addr add 192.168.0.1/16 dev br0
sudo ip netns exec sun brctl addif br0 sun-veth0
sudo ip netns exec sun brctl addif br0 sun-veth1
sudo ip netns exec sun ip link set dev sun-veth0 promisc on
sudo ip netns exec sun ip link set dev sun-veth1 promisc on
sudo ip netns exec sun ip link set sun-veth0 up
sudo ip netns exec sun ip link set sun-veth1 up
sudo ip netns exec sun ip link set br0 up

Confirm that ping from sun-lan gets through, both to moon (192.168.0.12) through the bridge and to br0 itself (192.168.0.1).

ubuntu@ipip:~$ sudo ip netns exec sun-lan ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.053 ms
^C
--- 192.168.0.12 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1086ms
rtt min/avg/max/mdev = 0.039/0.046/0.053/0.007 ms
ubuntu@ipip:~$ sudo ip netns exec sun-lan ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.047 ms
^C
--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1074ms
rtt min/avg/max/mdev = 0.047/0.059/0.072/0.012 ms
ubuntu@ipip:~$ sudo ip netns exec sun ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.068 ms
^C
--- 192.168.0.12 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1060ms
rtt min/avg/max/mdev = 0.025/0.046/0.068/0.021 ms

Testing ebtables (FORWARD)

The FORWARD chain of the filter table is used as the example.

Initial ebtables ruleset (everything empty, all policies ACCEPT).

ubuntu@ipip:~$ sudo ip netns exec sun ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Set the default policy of FORWARD to DROP.

ubuntu@ipip:~$ sudo ip netns exec sun ebtables -P FORWARD DROP
ubuntu@ipip:~$ sudo ip netns exec sun ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Ping from sun-lan to moon no longer gets through.

ubuntu@ipip:~$ sudo ip netns exec sun-lan ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
^C
--- 192.168.0.12 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1047ms

Traffic originating from sun's own br0 is not subject to FORWARD (it traverses OUTPUT instead), so it still reaches moon.

ubuntu@ipip:~$ sudo ip netns exec sun ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.051 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.048 ms
^C
--- 192.168.0.12 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.048/0.049/0.051/0.001 ms

Allow IPv4 frames to be forwarded.

ubuntu@ipip:~$ sudo ip netns exec sun ebtables -A FORWARD -p IPv4 -j ACCEPT
ubuntu@ipip:~$ sudo ip netns exec sun ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 1, policy: DROP
-p IPv4 -j ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Still no connectivity: only IPv4 frames are accepted, so the ARP request that sun-lan needs to resolve the MAC of 192.168.0.12 is dropped by the DROP policy and no IPv4 packet is ever sent.

ubuntu@ipip:~$ sudo ip netns exec sun-lan ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
^C
--- 192.168.0.12 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5357ms

Allowing ARP as well makes forwarding work. Note that the check below pings br0's own address 192.168.0.1, which the bridge delivers locally through INPUT rather than FORWARD, so it would have succeeded even without the ARP rule; the check that actually exercises the FORWARD rules is a ping from sun-lan to 192.168.0.12, which the broute test further down performs with this ruleset in place.

ubuntu@ipip:~$ sudo ip netns exec sun ebtables -A FORWARD -p ARP -j ACCEPT
ubuntu@ipip:~$ sudo ip netns exec sun-lan ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.054 ms
^C
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2073ms
rtt min/avg/max/mdev = 0.048/0.066/0.098/0.022 ms
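The lesson of this section is that a default-deny FORWARD policy needs an explicit ARP rule, and that rule order plus the chain policy decide what gets through. The script below is an added example (not code from the original article) that turns this into a reproducible ruleset for the "sun" namespace: ARP and IPv4 are accepted only between the two known bridge ports, and everything else is logged and dropped. It assumes the namespace and port names built above and that the installed ebtables provides the log watcher (--log-level / --log-prefix). By default it only prints the commands it would run (DRY_RUN=1); run it with DRY_RUN=0 as root in the lab to apply them.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Default-deny ebtables FORWARD policy for the "sun" bridge namespace.
# Assumptions: netns "sun", bridge ports sun-veth0 (towards sun-lan) and
# sun-veth1 (towards moon) as built in the article, log watcher available.
set -eu

NS="${NS:-sun}"
LAN_PORT="${LAN_PORT:-sun-veth0}"
WAN_PORT="${WAN_PORT:-sun-veth1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Every command goes through run(); in dry-run mode it is printed, not executed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ebt() {
    run ip netns exec "$NS" ebtables "$@"
}

# Build the FORWARD ruleset. ebtables evaluates rules top to bottom and the
# chain policy applies only to frames that matched nothing.
forward_policy() {
    ebt -F FORWARD                       # start from an empty chain
    ebt -P FORWARD DROP                  # default deny for bridged traffic
    # ARP must pass in both directions, otherwise no host ever learns a
    # next-hop MAC and IPv4 never starts (the article hit exactly this).
    ebt -A FORWARD -p ARP -i "$LAN_PORT" -o "$WAN_PORT" -j ACCEPT
    ebt -A FORWARD -p ARP -i "$WAN_PORT" -o "$LAN_PORT" -j ACCEPT
    # IPv4 only between the two known ports, so a port added to br0 later
    # does not silently inherit forwarding rights.
    ebt -A FORWARD -p IPv4 -i "$LAN_PORT" -o "$WAN_PORT" -j ACCEPT
    ebt -A FORWARD -p IPv4 -i "$WAN_PORT" -o "$LAN_PORT" -j ACCEPT
    # Everything else (IPv6, other ethertypes, unknown ports) is logged, then
    # dropped explicitly so the counters of this rule show what the policy hides.
    ebt -A FORWARD --log-level info --log-prefix "ebt-fwd-drop:" -j DROP
}

# Number of ACCEPT rules in the generated plan, a sanity check before applying.
count_accepts() {
    forward_policy | grep -c -- '-j ACCEPT'
}

forward_policy
```

After applying, `ip netns exec sun ebtables -L --Lc` shows the per-rule counters, and the final DROP rule's counter tells you how much traffic the policy is rejecting; a ping from sun-lan to 192.168.0.12 should increment the two IPv4 ACCEPT rules and nothing else.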

Testing ebtables (broute)

ebtables has a broute table that decides whether a frame is bridged or routed.

DROP and ACCEPT have a special meaning in the broute table: DROP means the frame is routed (handed up to the IP stack as if received on the bridge port it arrived on), ACCEPT means it is bridged as usual.

For the test, broute rules are added while forwarding is still allowed by the ebtables FORWARD rules above.

Add a DROP rule so that IPv4 frames are routed instead of bridged. In this state the packets are not delivered: sun has no routing in place for them (sun-veth0 itself has no IP address, and the frame is still addressed to moon's MAC rather than sun's).
Listing with --Lc shows the per-rule counters, which make it visible that the broute rule is being hit.

ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -L --Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 0, policy: ACCEPT
ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -A BROUTING -p IPv4 -j DROP
ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -L --Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -j DROP , pcnt = 0 -- bcnt = 0
ubuntu@primary:~$ sudo ip netns exec sun-lan ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
^C
--- 192.168.0.12 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2137ms

ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -L --Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -j DROP , pcnt = 3 -- bcnt = 252

Now delete the DROP rule and replace it with an ACCEPT rule.
The frames are ACCEPTed, i.e. bridged, and because the ebtables FORWARD rules allow them, forwarding succeeds.

ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -D BROUTING -p IPv4 -j DROP
ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -A BROUTING -p IPv4 -j ACCEPT
ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -L --Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -j ACCEPT , pcnt = 0 -- bcnt = 0
ubuntu@primary:~$ sudo ip netns exec sun-lan ping 192.168.0.12
PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.
64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.096 ms
64 bytes from 192.168.0.12: icmp_seq=2 ttl=64 time=0.111 ms
64 bytes from 192.168.0.12: icmp_seq=3 ttl=64 time=0.121 ms
^C
--- 192.168.0.12 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2071ms
rtt min/avg/max/mdev = 0.096/0.109/0.121/0.010 ms
ubuntu@primary:~$ sudo ip netns exec sun ebtables -t broute -L --Lc
Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -j ACCEPT , pcnt = 6 -- bcnt = 504
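Both tests above rely on reading the pcnt column of `ebtables -L --Lc` before and after the traffic to prove that a rule fired. The script below is an added example (not from the original article) that automates that check: it parses the listing format shown above, extracts a rule's packet counter and the chain policy, and reports how many packets hit a rule between two snapshots. The sample listings are constructed from the article's own output so the functions can be exercised offline; the commented live section assumes the lab above and root.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Parse `ebtables -L --Lc` output and check that a rule actually fired.
# Assumes the listing format shown in the article, e.g.
#   "-p IPv4 -j DROP , pcnt = 3 -- bcnt = 252"
set -eu

# ebt_pcnt LISTING RULE
# Print the packet counter of the first rule whose text (the part before
# " , pcnt") equals RULE exactly. Prints nothing and returns 1 if absent.
ebt_pcnt() {
    printf '%s\n' "$1" | awk -v want="$2" '
        / , pcnt = / {
            split($0, parts, " , pcnt = ")
            if (parts[1] == want) {
                split(parts[2], c, " -- bcnt = ")
                print c[1]
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# ebt_policy LISTING CHAIN
# Print the policy of CHAIN (ACCEPT/DROP/RETURN) from a listing.
ebt_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Bridge" && $2 == "chain:" && $3 == chain "," { print $NF; exit }'
}

# ebt_delta BEFORE AFTER RULE
# Packets that hit RULE between two listings; returns 1 if RULE is missing.
ebt_delta() {
    b=$(ebt_pcnt "$1" "$3") || return 1
    a=$(ebt_pcnt "$2" "$3") || return 1
    echo $((a - b))
}

# Live use (needs root and the lab from the article):
#   before=$(ip netns exec sun ebtables -t broute -L --Lc)
#   ip netns exec sun-lan ping -c 3 -W 1 192.168.0.12 || true
#   after=$(ip netns exec sun ebtables -t broute -L --Lc)
#   ebt_delta "$before" "$after" "-p IPv4 -j DROP"    # 3 with the DROP rule in place

# Constructed sample listings, copied from the article's output, for offline use.
SAMPLE_BEFORE='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -j DROP , pcnt = 0 -- bcnt = 0'
SAMPLE_AFTER='Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -j DROP , pcnt = 3 -- bcnt = 252'

ebt_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "-p IPv4 -j DROP"
```

A delta of 3 for three pings is the evidence the article reads off by hand; a delta of 0 with 100% packet loss means the traffic is being dropped somewhere other than the rule you are looking at (for example by the filter table's FORWARD policy rather than by broute), which is exactly the distinction the two test sections above make.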
