Linux as Router
1. Linux ip Command
NAME
ip - show / manipulate routing, network devices, interfaces and tunnels
SYNOPSIS
ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
OBJECT := { link | address | addrlabel | route | rule | neigh | ntable | tunnel | tuntap | maddress | mroute | mrule | monitor | xfrm | netns | l2tp |
tcp_metrics | token | macsec | vrf | mptcp }
OPTIONS := { -V[ersion] | -h[uman-readable] | -s[tatistics] | -d[etails] | -r[esolve] | -iec | -f[amily] { inet | inet6 | link } | -4 | -6 | -I | -D | -B |
-0 | -l[oops] { maximum-addr-flush-attempts } | -o[neline] | -rc[vbuf] [size] | -t[imestamp] | -ts[hort] | -n[etns] name | -N[umeric] | -a[ll] |
-c[olor] | -br[ief] | -j[son] | -p[retty] }
EXAMPLES
ip addr
Shows addresses assigned to all network interfaces.
ip neigh
Shows the current neighbour table in kernel.
ip link set x up
Bring up interface x.
ip link set x down
Bring down interface x.
ip route
Show the routing table.
Object | Abbreviated form | Purpose |
---|---|---|
link | l | Network device. |
address | a, addr | Protocol (IP or IPv6) address on a device. |
addrlabel | addrl | Label configuration for protocol address selection. |
neigh | n | ARP or NDISC cache entry. |
route | r | Routing table entry. |
rule | ru | Rule in routing policy database. |
maddress | m, maddr | Multicast address. |
mroute | mr | Multicast routing cache entry. |
tunnel | t | Tunnel over IP. |
xfrm | x | Framework for IPsec protocol. |
Old command (Deprecated) | New command |
---|---|
1.1. ip route: Routing table management commands
- Show routing table

```
$ ip r
default via 192.168.91.2 dev ens32
192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.128
$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.91.2    0.0.0.0         UG    0      0        0 ens32
192.168.91.0    0.0.0.0         255.255.255.0   U     0      0        0 ens32
$ ip r l 192.168.91.0/24
192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.128
```

- Delete a route

```
$ sudo ip r del default
$ ip r
192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.128
$ sudo ip r del 192.168.91.0/24
$ ip r
```
- Add a new route

```
# ip route add {NETWORK/MASK} via {GATEWAYIP}
# ip route add {NETWORK/MASK} dev {DEVICE}
#
## Add default route using ip ##
# ip route add default dev {DEVICE}
# ip route add default via {GATEWAYIP}
```

```
$ sudo ip r add default via 192.168.91.2 dev ens32
$ ip r
default via 192.168.91.2 dev ens32
$ sudo ip r add 192.168.91.0/24 dev ens32
$ ip r
default via 192.168.91.2 dev ens32
192.168.91.0/24 dev ens32 scope link
```
2. Use a Linux Host as a Router
- Point the default route at another Linux host

```
$ ip r
default via 192.168.91.2 dev ens32 onlink
192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.128
$ sudo ip r del default
$ ip r
192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.128
# set the default gateway to another Linux host (192.168.91.137)
$ sudo ip r add default via 192.168.91.137 dev ens32
$ ip r
default via 192.168.91.137 dev ens32
192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.128
```
2.1. Test networking with ping
- Open a terminal and run tcpdump to capture the network packets:

```
$ sudo tcpdump -nv host 10.170.108.237
tcpdump: listening on ens32, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:02:58.708055 IP (tos 0x0, ttl 64, id 61339, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.91.128 > 10.170.108.237: ICMP echo request, id 4621, seq 1, length 64
15:02:59.715911 IP (tos 0x0, ttl 64, id 61408, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.91.128 > 10.170.108.237: ICMP echo request, id 4621, seq 2, length 64
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
```
- Run ping to test networking:

```
$ ping -c 2 10.170.108.237
PING 10.170.108.237 (10.170.108.237) 56(84) bytes of data.

--- 10.170.108.237 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
```
Here we see that all the packets were lost. This is because the gateway Linux host (192.168.91.137) has not yet enabled IP forwarding, which it needs in order to pass packets between its interfaces:

```
$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
$ sudo sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
```

Note that sysctl -w only changes the running kernel; to keep the setting across reboots, put net.ipv4.ip_forward = 1 in a file under /etc/sysctl.d/. Once forwarding is on, the host forwards any packet that is routed through it, so limit what it forwards with a firewall policy on the forward path rather than relying on the routing table alone.
Now let's run the ping at host (192.168.91.128) again:

```
$ ping -c 2 10.170.108.237
PING 10.170.108.237 (10.170.108.237) 56(84) bytes of data.
64 bytes from 10.170.108.237: icmp_seq=1 ttl=128 time=1.50 ms
64 bytes from 10.170.108.237: icmp_seq=2 ttl=128 time=1.18 ms

--- 10.170.108.237 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 1.175/1.338/1.501/0.163 ms
```
- Show the gateway Linux host (192.168.91.137) route:

```
$ ip -d r
unicast default via 192.168.91.2 dev ens34 proto boot scope global
unicast 192.168.91.0/24 dev ens34 proto kernel scope link src 192.168.91.131
unicast 192.168.91.0/24 dev ens32 proto kernel scope link src 192.168.91.137
```
- Run traceroute at the source host (192.168.91.128) to print the route trace:

```
$ sudo traceroute -I 10.170.108.237
traceroute to 10.170.108.237 (10.170.108.237), 30 hops max, 60 byte packets
 1  192.168.91.131 (192.168.91.131)  2.323 ms  1.998 ms  1.781 ms
 2  192.168.91.2 (192.168.91.2)  1.636 ms  1.460 ms  1.162 ms
 3  10.170.108.237 (10.170.108.237)  3.304 ms  3.895 ms  6.811 ms
```

The first hop appears as 192.168.91.131 rather than 192.168.91.137 because the gateway host sends its ICMP time-exceeded replies from the address of the interface it forwards through (ens34), not from the address the source host sent to.
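As an added example (not from the original page, and not part of iproute2), the following POSIX shell script turns the checks from sections 1.1 and 2.1 into a repeatable test: it parses ip r / ip -d r output for the default route, reads net.ipv4.ip_forward, and reports whether the host is actually set up to route. The function names and the --live flag are my own; the sample routing-table lines are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for a Linux host
# that is meant to forward packets, built on the "ip r" / "ip -d r" and
# "sysctl net.ipv4.ip_forward" output formats shown above. The parsers
# read text on stdin so they can be run on constructed samples;
# "--live" feeds them the real command output instead.

# Print "GATEWAY DEV" for the default route (e.g. "192.168.91.2 ens34");
# print nothing when the table has no default route. "-" marks a missing
# part, e.g. a default route with "dev" but no "via".
default_route() {
    awk '$1 == "default" || ($1 == "unicast" && $2 == "default") {
        gw = "-"; dev = "-"
        for (i = 2; i <= NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        print gw, dev
        exit
    }'
}

# Map "net.ipv4.ip_forward = N" to "yes" (forwarding on) or "no".
forwarding_state() {
    awk '$1 == "net.ipv4.ip_forward" { print (($NF == "1") ? "yes" : "no"); exit }'
}

# Verdict for a would-be router: it must forward, and it needs its own
# default route (the "via 192.168.91.2 dev ens34" entry on the gateway
# host above), or traffic it accepts from the LAN has nowhere to go.
# $1 is the forwarding_state output, $2 the default_route output.
router_verdict() {
    if [ "$1" != "yes" ]; then
        echo "NOT-ROUTING: net.ipv4.ip_forward is 0 (sysctl -w net.ipv4.ip_forward=1 to enable)"
    elif [ -z "$2" ]; then
        echo "NO-UPSTREAM: forwarding is on but there is no default route"
    else
        echo "OK: forwarding, default route via ${2% *} on ${2#* }"
    fi
}

# Run against the live system only when asked, so sourcing the file is safe.
if [ "${1:-}" = "--live" ]; then
    router_verdict "$(sysctl net.ipv4.ip_forward | forwarding_state)" "$(ip r | default_route)"
fi
```

Run it as sh check_router.sh --live on the gateway host; a NOT-ROUTING verdict is exactly the state that produced the 100% packet loss above.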