netkit-jh / netkit-jh-build

Build scripts for the kernel, filesystem and assisting scripts/programs for Netkit-JH.
https://netkit-jh.github.io/
GNU General Public License v3.0

[Help Wanted] TAP Domains don't allow ping returns #93

Closed R-vandenBerg closed 2 years ago

R-vandenBerg commented 2 years ago

I'm currently using old Netkit for a college assignment but I figured it would be functionally the same as the version that you guys are maintaining.

I have a network lab configured in my Linux virtual machine, using a gateway machine with a tap to the VM's network adapter. I have two "router" machines with two "PC" machines connected to each router, and the routers on the same network as the gateway. I also have two PCs on the same network as the Gateway and the routers.

This picture is probably better at explaining it than words are.

Now, packets from inside LANA, LANB, or LANC make it outside into the VM's adapter just fine (I can see them with tcpdump) but it's the return that's the issue. The network adapter on the host VM does not have any routes added for these networks. I can ping 192.168.200.1 (the Gateway on the tap network) just fine, because the host does add a route to the tap network (192.168.200.0).

If I manually add routes to the VM host to networks 192.168.10.0, 10.10.0.0, and 172.16.10.0, then I can ping outside the network (like 8.8.8.8) just fine, getting a DNS. The Gateway machine can also ping outside the network just fine without these routes, since the host does have the route to it.

How can I configure my lab in such a way that the host can route the packets to the virtual networks just fine without me needing to add these three routes manually after lab start?

Thanks in advance. Apologies if this is not the correct place to post about it.

TechSupportJosh commented 2 years ago

Hi there!

While our version has changed a fair bit, it seems like this is a problem related to the iptables rules that are assigned to tap devices.

You can see the iptables commands run here: https://github.com/netkit-jh/netkit-jh-build/blob/15284011665545766238a08ab515d0228b3aad64/core/bin/manage_tuntap#L76

iptables -t nat -A POSTROUTING ! -o lo -m comment --comment "Netkit-JH" -j MASQUERADE
iptables -I FORWARD -i nk_tap_+ -m comment --comment "Netkit-JH" -j ACCEPT

This should ensure that packets that come out of the adapter are NAT'd to the tap adapter's IP address, meaning that your host should then be able to route packets towards this interface. Without knowing exactly what version you're running, it's hard to say.

From what I can remember, there was an old version of Netkit which didn't correctly set up these firewall rules and as a result had the same issue where the packets can get out but not get back in.

I hope this helps (and check out this version, it should make your life a little easier :smile: )
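As an added example (not code from this issue or from netkit-jh-build), the following POSIX shell check takes an `iptables-save` dump and reports whether the two rules quoted above are present, table by table. The dump below is a constructed sample, and the function names `has_rule` and `check_netkit_tap_rules` are my own; the only identifiers taken from the page are the rule texts themselves, the `nk_tap_+` interface pattern and the `Netkit-JH` comment.

```shell
#!/bin/sh
# Added example (not from netkit-jh-build): check whether the two iptables rules
# that manage_tuntap installs are present in an `iptables-save` dump, and say
# what their absence means for return traffic to the lab networks.

# Constructed sample of `iptables-save` output for a host where both rules exist.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o lo -m comment --comment "Netkit-JH" -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i nk_tap_+ -m comment --comment "Netkit-JH" -j ACCEPT
COMMIT'

# has_rule DUMP TABLE RULE_TEXT
# Returns 0 when RULE_TEXT occurs as a substring of some line inside the given
# table ("nat", "filter", ...) of the iptables-save DUMP; 1 otherwise.
has_rule() {
  printf '%s\n' "$1" | awk -v table="*$2" -v want="$3" '
    $0 == table { in_table = 1; next }  # a header such as *nat opens the table
    /^\*/       { in_table = 0 }        # any other *xxx header closes it
    in_table && index($0, want) > 0 { found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_netkit_tap_rules DUMP
# Prints one verdict line per rule and returns 0 only if both are present.
check_netkit_tap_rules() {
  dump=$1
  missing=0

  # Rule 1: source NAT. Lab-originated packets leave the host carrying the
  # host's own address, so replies return to the host, which un-NATs them.
  # Without it, the host's peers would need routes to the lab networks
  # (192.168.10.0, 10.10.0.0 and 172.16.10.0 in the issue) themselves.
  if has_rule "$dump" nat \
      '-A POSTROUTING ! -o lo -m comment --comment "Netkit-JH" -j MASQUERADE'; then
    echo "OK    nat/POSTROUTING: Netkit-JH MASQUERADE rule present"
  else
    echo "MISS  nat/POSTROUTING: Netkit-JH MASQUERADE rule absent (replies have no way back)"
    missing=1
  fi

  # Rule 2: let the kernel forward packets arriving from any nk_tap_* interface;
  # otherwise a FORWARD chain with a DROP policy (as in the sample) discards them.
  if has_rule "$dump" filter \
      '-A FORWARD -i nk_tap_+ -m comment --comment "Netkit-JH" -j ACCEPT'; then
    echo "OK    filter/FORWARD: Netkit-JH ACCEPT rule for nk_tap_+ present"
  else
    echo "MISS  filter/FORWARD: Netkit-JH ACCEPT rule for nk_tap_+ absent (lab traffic not forwarded)"
    missing=1
  fi

  return "$missing"
}

# Stand-alone demonstration: the complete sample, then a copy with the
# MASQUERADE rule deleted, which is the symptom described in the issue.
if check_netkit_tap_rules "$SAMPLE_RULES"; then
  echo "sample: tap NAT rules complete"
fi
NO_NAT=$(printf '%s\n' "$SAMPLE_RULES" | grep -v 'MASQUERADE')
if ! check_netkit_tap_rules "$NO_NAT"; then
  echo "sample without MASQUERADE: host needs manual routes, as in the issue"
fi
```

On a live host the same function is fed the real dump with `check_netkit_tap_rules "$(iptables-save)"` (root is needed to read the tables). Two caveats: the check matches the exact rule text from `manage_tuntap`, so a locally tightened rule (for instance one scoped to the tap subnet with `-s`) needs the pattern adjusted; and the FORWARD rule only matters if `net.ipv4.ip_forward` is enabled, which the dump does not show, so read `/proc/sys/net/ipv4/ip_forward` alongside it.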

R-vandenBerg commented 2 years ago

That solution has worked splendidly! I've been searching for a solution to this for ages, I cannot thank you enough. I'll be sure to switch over to your guys' version at first possible convenience :)