[Netkit.users] Re: 2 real PC integration and tunnel TAP<->eth0

Massimo Rimondini rimondin a dia.uniroma3.it
Mer 26 Lug 2006 16:12:26 CEST

Dear Paolo,

sorry it took some time to answer.

If you want more than one Netkit machine to access an external network, 
proceed as follows.

[ from now on you must be root ]
echo 1 > /proc/sys/net/ipv4/ip_forward
chmod 666 /dev/net/tun
# Enable masquerading and open firewall
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -i tap+ -j ACCEPT
# Create the first tunnel
tunctl -u your_user_name -t tap1
ifconfig tap1 external_address1 up
# Create the second tunnel
tunctl -u your_user_name -t tap2
ifconfig tap2 external_address2 up
[ now you can revert to your user privileges ]

At this point you have to start two virtual hubs, which ensures that the 
two "border" VMs lie on different collision domains and allows them to 
communicate with the external network. Proceed as follows:

uml_switch -tap tap1 -hub -unix ~/.netkit/hubs/vhub_tap1.cnct </dev/null 
2>&1 &
uml_switch -tap tap2 -hub -unix ~/.netkit/hubs/vhub_tap2.cnct </dev/null 
2>&1 &

Now, a snapshot of the setting:
- two tunnel interfaces which allow traffic to flow out of the machine 
hosting your Netkit network;
- two virtual hubs (connected to the tunnel interfaces) which are ready 
to receive traffic from the Netkit machines you want to connect to the 
external network.

So, what you are still missing are the "border" Netkit virtual machines 
(the other ones can be started as usual). In order to start them, you 
need to tweak a little bit with the UML kernel command line. First of 
all, start the "border" VMs as you usually would, but also using the  
"--print" option of vstart. You should get an output whose last line is 
similar to the following:

modules=/home/user/netkit2/kernel/modules name=pc1 title=pc1 umid=pc1 
mem=12M ubd0=/home/user/pc1.disk,/home/uawe/netkit2/fs/netkit-fs 
root=98:1 uml_dir=/home/uawe/.netkit/mconsole 
autoconf_eth0= def_route= hosthome=/home/max quiet 
con0=xterm con1=null

Locate the argument referring to the interface you wish to connect to 
the external network (for the sake of simplicity, in this case the VM is 
equipped with just one interface: eth0). Replace the string 
"vhub_max_tap.cnct" with "vhub_tap1.cnct". This connects the interface 
to the first virtual hub, hence to the first tunnel, hence to the first 
"way out" of the network. Also, replace the value for "autoconf_eth0" 
with the address you wish to assign to the emulated interface inside the 
virtual machine, and the value for "def_route" with <external_address1> 
you have been using above. Notice that, using "autoconf_eth0" and 
"def_route" does not allow CIDR routing (that is, addresses are 
automatically assigned their natural netmasks).

Proceed in a similar way to set up the other "border" VM.

At this point you should be done! :)

As for the other problem, failure to receive reply packets is most 
probably due to the combined effect of disabling IP forwarding and/or of 
the contents of the routing tables.
I'm quite confident that a tunnel is not what you need to solve this 
problem. This seems to be a matter of routing packets. I suggest you 
check the routing tables of the machines involved in the ping, and my 
hint is also to re-enable IP forwarding (it's quite strange to think 
that things may still work without).
And, for what concerns honeyd being bypassed, unfortunately I'm not 
really competent in its usage. Are you sure it is being bypassed? 
Observing duplicate packets sounds like two interfaces are reacting to 
the echo request. Isn't it the case that honeyd is triggering this?


Paolo Carpo wrote:

>>Now, the question is: do you really need two real hosts to setup your
>>network, or would just one (or even none) be enough, replacing the other
>>with an emulated PC?
>>If this is not the case, and if you are interested, I can provide you
>>with details about the procedure to configure other tap interfaces by
>>hand. It's a little less user friendly and cannot be automated by using
>>Netkit lcommands, but I can tell you if you want.
>>Hope this helps.
>Dear Massimo,
>Unfortunately I really need to have 2 real pc on 2 different subnets and the 
>traffic passing through netkit network (a traceroute for example between the 
>2 real pc: I would like that the UDP ping will pass through the netkit 
>Thank you very much for the help!
>		Paolo Carpo
>Netkit.users mailing list
>Netkit.users a list.dia.uniroma3.it

Maggiori informazioni sulla lista Netkit.users