How a Machine Becomes a Router | ip_forward

  • added 7 June 2024
  • Recently I learned how the Linux option net.ipv4.ip_forward can turn your machine into a router. I have been using this option in the past when working with iptables but never paid attention to how it works. I explore this here.
    You see, when your NIC receives a frame from the network, the frame is copied to the kernel only if the destination MAC address matches the NIC's own address (or is the broadcast address). If it doesn't match, the NIC normally drops that frame in hardware before the OS ever sees it.
    Putting the NIC into promiscuous mode lets all frames into the OS and the kernel does the filtering instead. This is useful if you have many virtual machines/containers with different MAC addresses exposed behind the same physical NIC.
    Similarly, if the destination MAC address matches the NIC's but the destination IP address in the IP packet doesn't match any of the machine's IPs, the packet is dropped by the OS, unless the ip_forward option is enabled.
    Enabling it essentially tells the OS: hey, you might receive packets that are not for you; instead of dropping them, look them up in your routing table and send them back out toward their destination.
    This is exactly how a router works: it receives tons of frames whose destination MAC is its own, but almost none of the packets inside are destined to the router itself (except when you open your router's admin page, that is).
    Coincidentally, this is also how a firewall works. You configure your hosts to use machine F as their gateway, so the destination IP in each packet stays as it is but the frame's destination MAC becomes F's. The firewall machine receives every packet and applies its filtering rules; if the packet passes, it is forwarded back onto the network (thanks to ip_forward), and if no rule allows it, the firewall swallows the packet.
    This feels like a puzzle piece I have been holding on for a long time and finally fits perfectly.
    0:00 Intro
    2:00 Layer 2 and Layer 3 Address match
    4:00 Layer 2 MAC doesn’t match
    5:30 Promiscuous Mode
    6:30 Layer 2 Match Layer 3 Address doesn’t
    9:00 Acting Like a Router
    11:30 Acting Like a Firewall
    Discovering Backend Bottlenecks: Unlocking Peak Performance
    performance.husseinnasser.com
    Fundamentals of Backend Engineering Design patterns udemy course (link redirects to udemy with coupon)
    backend.husseinnasser.com
    Fundamentals of Networking for Effective Backends udemy course (link redirects to udemy with coupon)
    network.husseinnasser.com
    Fundamentals of Database Engineering udemy course (link redirects to udemy with coupon)
    database.husseinnasser.com
    Follow me on Medium
    / membership
    Introduction to NGINX (link redirects to udemy with coupon)
    nginx.husseinnasser.com
    Python on the Backend (link redirects to udemy with coupon)
    python.husseinnasser.com
    Become a Member on CZcams
    / @hnasr
    Buy me a coffee if you liked this
    www.buymeacoffee.com/hnasr
    Arabic Software Engineering Channel
    / @husseinnasser
    🔥 Members Only Content
    • Members-only videos
    🏭 Backend Engineering Videos in Order
    backend.husseinnasser.com
    💾 Database Engineering Videos
    • Database Engineering
    🎙️Listen to the Backend Engineering Podcast
    husseinnasser.com/podcast
    Gears and tools used on the Channel (affiliates)
    🖼️ Slides and Thumbnail Design
    Canva
    partner.canva.com/c/2766475/6...
    Stay Awesome,
    Hussein
  • Science & Technology
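The receive path the description walks through, as an added example (not code from the video, and not Linux kernel code): a small Python model of the decisions a Linux host makes for one incoming frame, from the NIC's MAC filter through local delivery, `net.ipv4.ip_forward`, the routing lookup and the FORWARD chain. The MAC and IP addresses, interface names and rule sets are constructed for the demo, and the model leaves out ARP, TTL, multicast and NAT.

```python
"""Toy model of the Linux receive path: NIC layer 2 filter, promiscuous mode,
local delivery versus net.ipv4.ip_forward, then routing and the FORWARD chain.
Added illustration, not kernel code: no ARP, TTL, multicast or NAT, and every
address, interface name and rule below is made up for the demo."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str  # layer 2 destination the NIC looks at
    dst_ip: str   # layer 3 destination inside the IP packet


@dataclass
class Host:
    mac: str
    ips: set
    promisc: bool = False        # ip link set dev eth0 promisc on
    ip_forward: bool = False     # net.ipv4.ip_forward, 0 on a stock host
    routes: list = field(default_factory=list)         # (prefix, next hop)
    forward_rules: list = field(default_factory=list)  # (prefix, verdict), first match wins
    forward_policy: str = "ACCEPT"  # netfilter's FORWARD chain policy defaults to ACCEPT

    def addressed_to_me(self, frame):
        return frame.dst_mac.lower() == self.mac.lower()

    def nic_accepts(self, frame):
        """Layer 2 filter done by NIC hardware: own MAC, broadcast, or anything in promisc."""
        if self.promisc:
            return True
        return self.addressed_to_me(frame) or frame.dst_mac.lower() == BROADCAST_MAC

    def lookup_route(self, dst_ip):
        """Longest-prefix match over the routing table; None means no route."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, nexthop in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        return best[1] if best else None

    def filter_forward(self, dst_ip):
        """FORWARD chain: the first matching rule decides, otherwise the chain policy."""
        addr = ipaddress.ip_address(dst_ip)
        for prefix, verdict in self.forward_rules:
            if addr in ipaddress.ip_network(prefix):
                return verdict
        return self.forward_policy

    def receive(self, frame):
        """Return what happens to one incoming frame on this host."""
        if not self.nic_accepts(frame):
            return "NIC_DROP"              # never copied to the kernel
        if not self.addressed_to_me(frame) and frame.dst_mac.lower() != BROADCAST_MAC:
            # Promiscuous mode hands the frame to sniffers, but the IP layer still
            # drops frames meant for another station (skb pkt_type PACKET_OTHERHOST).
            return "DROP_OTHERHOST"
        if frame.dst_ip in self.ips:
            return "LOCAL"                 # layer 2 and layer 3 both match
        if not self.addressed_to_me(frame):
            return "DROP_BROADCAST"        # only frames addressed to us are ever forwarded
        if not self.ip_forward:
            return "DROP_NOT_FORWARDING"   # layer 2 matches, layer 3 does not: a plain host
        nexthop = self.lookup_route(frame.dst_ip)
        if nexthop is None:
            return "DROP_NO_ROUTE"
        if self.filter_forward(frame.dst_ip) != "ACCEPT":
            return "DROP_FILTERED"         # the firewall swallows it
        return f"FORWARD {nexthop}"        # back onto the network, toward the destination


def demo():
    """Run the scenarios from the video and return the verdict for each."""
    me, other = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:99"   # constructed MACs
    lan_host = Frame(dst_mac=me, dst_ip="192.168.1.20")     # our MAC, not our IP
    internet = Frame(dst_mac=me, dst_ip="203.0.113.9")
    results = {}

    plain = Host(mac=me, ips={"10.0.0.1"})
    results["host: foreign MAC"] = plain.receive(Frame(other, "10.0.0.1"))
    results["host: own MAC, own IP"] = plain.receive(Frame(me, "10.0.0.1"))
    results["host: own MAC, other IP"] = plain.receive(lan_host)

    sniffer = Host(mac=me, ips={"10.0.0.1"}, promisc=True, ip_forward=True)
    results["promisc: foreign MAC"] = sniffer.receive(Frame(other, "10.0.0.1"))

    routes = [("192.168.1.0/24", "dev eth1"), ("0.0.0.0/0", "via 10.0.0.254")]
    router = Host(mac=me, ips={"10.0.0.1", "192.168.1.1"}, ip_forward=True, routes=routes)
    results["router: to LAN"] = router.receive(lan_host)
    results["router: to internet"] = router.receive(internet)  # ACCEPT policy forwards everything routable

    firewall = Host(mac=me, ips={"10.0.0.1", "192.168.1.1"}, ip_forward=True, routes=routes,
                    forward_policy="DROP", forward_rules=[("192.168.1.0/24", "ACCEPT")])
    results["firewall: rule matched"] = firewall.receive(lan_host)
    results["firewall: no rule matched"] = firewall.receive(internet)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:28} -> {verdict}")
```

Two things the scenarios make visible that the prose glosses over. First, promiscuous mode only affects the NIC: the kernel still refuses to deliver or forward a frame whose destination MAC is another station's, so sniffing and routing are separate switches (the "promisc: foreign MAC" case). Second, on a real Linux box the FORWARD chain's default policy is ACCEPT, so the moment you run `sysctl -w net.ipv4.ip_forward=1` (for containers, VMs or a VPN) without also setting `iptables -P FORWARD DROP` (or the nftables equivalent) and explicit allow rules, the host forwards anything it has a route for, which is the "router: to internet" case. Check the live value with `sysctl net.ipv4.ip_forward` or `cat /proc/sys/net/ipv4/ip_forward`, and persist the intended setting under /etc/sysctl.d/.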

Comments • 15

  • @hnasr
    @hnasr  4 months ago +1

    Check out my fundamentals of network engineering network.husseinnasser.com

  • @VishalSharma-jy7yw
    @VishalSharma-jy7yw 4 months ago +4

    Watched all your courses and still waiting for your new videos, so I can learn from you. Not because I have a hunger to learn, but because you know how to feed knowledge even to a person who isn't hungry.❤

  • @reedzaman6075
    @reedzaman6075 4 months ago +1

    I'm currently working with aviation router technologies in my job. This video popping up really made me happy. 🙂

  • @ayush612
    @ayush612 4 months ago

    Wow Hussein, you are doing amazing work, sir. These concepts are insightful for someone who always uses them and never understood what's going on under the hood. Thanks a ton!

  • @gillfromamritsar
    @gillfromamritsar 4 months ago

    No need to apologize, life is not always the same :), good to see you! Really missing those crash courses and deep analysis videos!

  • @buddy.abc123
    @buddy.abc123 4 months ago

    Good to see you man!

  • @nagendradevara1
    @nagendradevara1 4 months ago

    you are a software craftsman 👨‍💻

  • @krishnachaitanya4822
    @krishnachaitanya4822 2 months ago

    Yup. Had to enable this one to let my LXD containers and VMs have internet access.

  • @robertstewart9325
    @robertstewart9325 4 months ago +2

    Maybe I misunderstand your statement that a frame is only copied to the kernel if it matches the NIC address, or maybe I misunderstand Linux bridging. Wouldn't all frames enter the kernel on a Linux bridge? My Linux bridges aren't promisc either.

  • @mohammedabdulbary1577
    @mohammedabdulbary1577 4 months ago +1

    If we are on the same network, sending a packet will get to the firewall machine, and the firewall machine will forward it back to the network if it passes some criteria. My question is, you said that when we send a packet to the network everyone will receive the packet; in this case the other device (the real destination) will receive this packet at the same time the firewall does, so does that make the firewall useless?

    • @robertstewart9325
      @robertstewart9325 4 months ago

      Depends on what you mean by worthless. Assuming you meant the firewall is a NAT router or similar then it's not used or needed. If two devices are on the same LAN then ARP will take care of it and the router isn't doing anything.

  • @franciscopena7859
    @franciscopena7859 4 months ago +1

    2:58 AFAIK this shouldn't be true today with switches, they send the packet only to the intended destination. Which wasn't the case with ethernet hubs (never seen one lmao). But the issue is you can spoof the destination if you answer the ARP broadcasts. On Wifi it still applies.
    Need to test this later with promiscuous mode. My lab is offline rn so kinda hard to do

  • @quickmemebyte
    @quickmemebyte 4 months ago

    routers aren't machines?

  • @savingday
    @savingday 4 months ago

    We are hijabis, the men and boys in our house would notify us when someone's at the door so that we get something to throw on our head or we just go to our room