[Novalug] Advance virtual TCP/IP networking question

DonJr djr1952 at hotpop.com
Thu Jan 31 20:45:42 EST 2008


On Wed, 2008-01-30 at 14:18 -0500, DonJr wrote:
> OK I've been experimenting in setting up a Local/Virtual network on my
> host.
>   What I want is a internal{to the host} network to hang/connect Virtual
> Machines off of that will be able to talk to each other and to the host
> through the tcp/udp protocols.

Was my question a little too advanced for this list or something?

Anyway, I figured out the answer, at least as far as a LOCAL (this machine
only) type of network for the VirtualBox side goes.

djr@djtablet:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# My virtual internal network
auto qtap0
iface qtap0 inet static
    address 192.168.154.1
    netmask 255.255.255.0
    VDE2_SWITCH - -t qtap1
    VDEQEMU qtap0
    ## VDE2_SLIRP -network 192.168.154.0 -dhcp

# this is where the Bridge hangs off the vde2_switch
iface qtap1 inet manual

auto vtap1
iface vtap1 inet manual
    FireStarter IGNORE
    tunctl_user djr
    uml_proxy_arp 192.168.154.2
    uml_proxy_ether qtap1

auto vtap2
iface vtap2 inet manual
    FireStarter IGNORE
    tunctl_user djr
    uml_proxy_arp 192.168.154.2
    uml_proxy_ether qtap1

auto vtap3
iface vtap3 inet manual
    FireStarter IGNORE
    tunctl_user djr
    uml_proxy_arp 192.168.154.2
    uml_proxy_ether qtap1

auto br0
iface br0 inet manual
    FireStarter IGNORE
    address 192.168.154.2
    netmask 255.255.255.0
    gateway 192.168.154.1
    bridge_ports qtap1 vtap1 vtap2 vtap3
    bridge_stp on
    bridge_maxwait 0

# The primary network interface
auto eth0
iface eth0 inet dhcp
    # request a fixed hostname from the external DHCP server.
    hostname djtablet

### ------------- cut ---------- here #####

The "FireStarter IGNORE" flag is one of my additions to STOP
firestarter from RESTARTING when each of these INTERNAL and
"unconfigured" taps is created.

vtap1, vtap2 and vtap3 are where the VirtualBox machines are
"connected" to.

The network '192.168.154.*' is the private IP address range of my internal
LAN. You can use any "private" IP numbers that you want as long as they
all match up.

In the above setup
  192.168.154.1 is my vde2_switch (HUB)
  and also the virtual LAN's gateway to the outside world.

  192.168.154.2 is the BRIDGE

From hosts connected inside or outside you can "ping" these addresses,
but otherwise there isn't much else visible about them as far as TCP/IP
goes.

The following is the part of /etc/dnsmasq.conf that is needed to make
DHCP work for the clients connecting to the inside:
  ## make sure this address matches the one for the "qtap0" interface.
  listen-address=192.168.154.1
  bind-interfaces
  domain=djtablet.lan
  dhcp-authoritative
  ## the       \/  name of the interface.
  interface=qtap0
  #            LOW            HIGH            MASK            BCAST        AGE
  dhcp-range=192.168.154.50,192.168.154.250,255.255.255.0,192.168.154.255,7d
  ###         /\ Those are also IP numbers
  # Set the default gateway (option 3) for DHCP clients
  dhcp-option=3,192.168.154.1
 ### ------------- cut ---------- here #####

If you want to give your virtual clients names just add them
to /etc/hosts like you would any other host names.

My /etc/hosts currently has these additional names:
  127.0.1.1       djtablet
  192.168.154.1   djtablet.lan
  192.168.154.2   br0.djtablet.lan        br0
 ### ------------- cut ---------- here #####

NOW FOR THE CURRENT PROBLEM
The masquerading firewall
 First, "firestarter", while generally OK for a desktop or a laptop,
 is on a par, I'd say, with Norton Firewall for Windows, or at least it should
be someday once the user interface is finished.
 The only other problem I've had is that when it FAILS it either falls wide
open or STOPS networking from opening or closing altogether.
  { Not a good turn of events for a firewall at all }

Also I cannot figure out how to tell it or 'iptables' how to allow any
FORWARD(ing) of data in and out of the same interface without breaking
forwarding altogether.

Any ideas? The following doesn't work EXCEPT for local communications:
   # The following six are required for DHCP to work
$IPT -A INPUT -p udp --in-interface qtap0 --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -p tcp --in-interface qtap0 --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -p udp --in-interface br0 --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -p tcp --in-interface br0 --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -p udp --source 192.168.154.0/24 --sport 68 --dport 67 -j ACCEPT
$IPT -A INPUT -p tcp --source 192.168.154.0/24 --sport 68 --dport 67 -j ACCEPT
                  #              /\ as long as your network number matches

   # The following two allow the BRIDGE-attached clients to work locally.
# $IPT -A FORWARD -p udp --in-interface br0 --out-interface br0 -j ACCEPT
# $IPT -A FORWARD -p tcp --in-interface br0 --out-interface br0 -j ACCEPT
  # But they BREAK any talking off (outside) the virtual lan.

The "plugs" where vdeqemu attaches work just fine as long as
"masquerading" is enabled in the "firestarter".

-- 
 DonJr.
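A default-deny ruleset for the topology described in the post, as an added example that is not the poster's firestarter configuration: the interface names qtap0, br0 and eth0 and the 192.168.154.0/24 network are taken from the post; the two sysctl settings and the MASQUERADE rule are assumptions about how the host reaches the outside via eth0. Set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's rules. Interface names and the LAN network
# come from the post; the sysctl lines and MASQUERADE are assumptions.
IPT=${IPT:-iptables}
LAN_IF=qtap0            # host side of the vde2 switch, 192.168.154.1
BR_IF=br0               # bridge holding qtap1 and the VirtualBox taps
WAN_IF=eth0             # uplink to the outside world
LAN_NET=192.168.154.0/24

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

vlan_firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Frames switched between ports of br0 only traverse the FORWARD chain
    # (with in- and out-interface both br0) when this is 1; otherwise they
    # bypass iptables entirely and no FORWARD rule can affect them.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    run $IPT -P FORWARD DROP
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP and DNS from dnsmasq listening on qtap0; DHCP is UDP only,
    # so the "-p tcp --sport 68 --dport 67" rules are not needed.
    run $IPT -A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
    run $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
    run $IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
    # Guest-to-guest traffic bridged across br0 ports: this is the
    # "in and out of the same interface" case.
    run $IPT -A FORWARD -i $BR_IF -o $BR_IF -j ACCEPT
    # Guests out to the uplink, and only replies to those flows back in.
    run $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    run $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
}

# Usage: DRY_RUN=1 sh rules.sh apply   (print)   or   sudo sh rules.sh apply
if [ "${1:-}" = "apply" ]; then vlan_firewall_rules; fi
```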