├── .gitignore ├── vxlan-demo.png ├── vxlan_PacketWalk.png ├── Dockerfile ├── host01.sh ├── host02.sh └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | raw 2 | -------------------------------------------------------------------------------- /vxlan-demo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faysalmehedi/vxlan-ovs-docker-lab/HEAD/vxlan-demo.png -------------------------------------------------------------------------------- /vxlan_PacketWalk.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faysalmehedi/vxlan-ovs-docker-lab/HEAD/vxlan_PacketWalk.png -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt update 4 | RUN apt install -y net-tools 5 | RUN apt install -y iproute2 6 | RUN apt install -y iputils-ping 7 | 8 | CMD ["sleep", "7200"] 9 | 10 | -------------------------------------------------------------------------------- /host01.sh: -------------------------------------------------------------------------------- 1 | # Start the VM1/HOST1, update the repository 2 | sudo apt update 3 | # Install essential tools 4 | sudo apt -y install net-tools docker.io openvswitch-switch 5 | 6 | # Step-01 7 | # Create two bridge using ovs 8 | sudo ovs-vsctl add-br ovs-br0 9 | sudo ovs-vsctl add-br ovs-br1 10 | 11 | # add port/interfaces to bridges 12 | sudo ovs-vsctl add-port ovs-br0 veth0 -- set interface veth0 type=internal 13 | sudo ovs-vsctl add-port ovs-br1 veth1 -- set interface veth1 type=internal 14 | 15 | 16 | # check the status of bridges 17 | sudo ovs-vsctl show 18 | 19 | # set the ip to the created port/interfaces 20 | sudo ip address add 192.168.1.1/24 dev veth0 21 | sudo ip address add 192.168.2.1/24 dev 
veth1 22 | ip a 23 | 24 | # up the interfaces and check status 25 | sudo ip link set dev veth0 up mtu 1450 26 | sudo ip link set dev veth1 up mtu 1450 27 | ip a 28 | 29 | # Step-02 30 | 31 | # create a docker image from the docker file 32 | sudo docker build . -t ubuntu-docker 33 | 34 | # create containers from the created image; Containers not connected to any network 35 | sudo docker run -d --net=none --name docker1 ubuntu-docker 36 | sudo docker run -d --net=none --name docker2 ubuntu-docker 37 | 38 | # check container status and ip 39 | sudo docker ps 40 | sudo docker exec docker1 ip a 41 | sudo docker exec docker2 ip a 42 | 43 | # add ip address to the container using ovs-docker utility 44 | sudo ovs-docker add-port ovs-br0 eth0 docker1 --ipaddress=192.168.1.11/24 --gateway=192.168.1.1 45 | sudo docker exec docker1 ip a 46 | 47 | sudo ovs-docker add-port ovs-br1 eth0 docker2 --ipaddress=192.168.2.11/24 --gateway=192.168.2.1 48 | sudo docker exec docker2 ip a 49 | 50 | # ping the gateway to check if container connected to ovs-bridges 51 | sudo docker exec docker1 ping 192.168.1.1 52 | sudo docker exec docker2 ping 192.168.2.1 53 | 54 | 55 | # Step-03 56 | # one thing to check; as vxlan communicate using udp port 4789, check the current status 57 | netstat -ntulp 58 | 59 | # Create the vxlan tunnel using ovs vxlan feature for both bridges to another hosts bridges 60 | # make sure remote IP and key options; they are important 61 | sudo ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=10.0.1.169 options:key=1000 62 | sudo ovs-vsctl add-port ovs-br1 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=10.0.1.169 options:key=2000 63 | 64 | # check the port again; it should be listening 65 | netstat -ntulp | grep 4789 66 | 67 | sudo ovs-vsctl show 68 | 69 | ip a 70 | 71 | 72 | # It's time to check the connectivity 73 | 74 | # FROM docker1 75 | # will get ping 76 | sudo docker exec docker1 ping 192.168.1.12 77 | sudo docker 
exec docker1 ping 192.168.1.11 78 | 79 | # will be failed 80 | sudo docker exec docker1 ping 192.168.2.11 81 | sudo docker exec docker1 ping 192.168.2.12 82 | 83 | # FROM docker2 84 | # will get ping 85 | sudo docker exec docker2 ping 192.168.2.11 86 | sudo docker exec docker2 ping 192.168.2.12 87 | 88 | # will be failed 89 | sudo docker exec docker2 ping 192.168.1.11 90 | sudo docker exec docker2 ping 192.168.1.12 91 | 92 | 93 | # NAT Conncetivity for recahing the internet 94 | 95 | sudo cat /proc/sys/net/ipv4/ip_forward 96 | 97 | # enabling ip forwarding by change value 0 to 1 98 | sudo sysctl -w net.ipv4.ip_forward=1 99 | sudo sysctl -p /etc/sysctl.conf 100 | sudo cat /proc/sys/net/ipv4/ip_forward 101 | 102 | sudo iptables -t nat -L -n -v 103 | 104 | sudo iptables --append FORWARD --in-interface veth0 --jump ACCEPT 105 | sudo iptables --append FORWARD --out-interface veth0 --jump ACCEPT 106 | sudo iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --jump MASQUERADE -------------------------------------------------------------------------------- /host02.sh: -------------------------------------------------------------------------------- 1 | # Start the VM2/HOST2, update the repository 2 | sudo apt update 3 | 4 | # Install essential tools 5 | sudo apt -y install net-tools docker.io openvswitch-switch 6 | 7 | # Step-01 8 | # Create two bridge using ovs 9 | sudo ovs-vsctl add-br ovs-br0 10 | sudo ovs-vsctl add-br ovs-br1 11 | 12 | # add port/interfaces to bridges 13 | sudo ovs-vsctl add-port ovs-br0 veth0 -- set interface veth0 type=internal 14 | sudo ovs-vsctl add-port ovs-br1 veth1 -- set interface veth1 type=internal 15 | 16 | # check the status of bridges 17 | sudo ovs-vsctl show 18 | 19 | # set the ip to the created port/interfaces 20 | sudo ip address add 192.168.1.1/24 dev veth0 21 | sudo ip address add 192.168.2.1/24 dev veth1 22 | ip a 23 | 24 | # up the interfaces and check status 25 | sudo ip link set dev veth0 up 26 | sudo ip link set dev 
veth1 up 27 | ip a 28 | 29 | # Step-02 30 | 31 | # create a docker image from the docker file 32 | sudo docker build . -t ubuntu-docker 33 | 34 | # create containers from the created image; Containers not connected to any network 35 | sudo docker run -d --net=none --name docker3 ubuntu-docker 36 | sudo docker run -d --net=none --name docker4 ubuntu-docker 37 | 38 | # check container status and ip 39 | sudo docker ps 40 | sudo docker exec docker3 ip a 41 | sudo docker exec docker4 ip a 42 | 43 | # add ip address to the container using ovs-docker utility 44 | sudo ovs-docker add-port ovs-br0 eth0 docker3 --ipaddress=192.168.1.11/24 --gateway=192.168.1.1 45 | sudo docker exec docker3 ip a 46 | 47 | sudo ovs-docker add-port ovs-br1 eth0 docker4 --ipaddress=192.168.2.11/24 --gateway=192.168.2.1 48 | sudo docker exec docker4 ip a 49 | 50 | # ping the gateway to check if container connected to ovs-bridges 51 | sudo docker exec docker3 ping 192.168.1.1 52 | sudo docker exec docker4 ping 192.168.2.1 53 | 54 | 55 | # Step-03 56 | # one thing to check; as vxlan communicate using udp port 4789, check the current status 57 | netstat -ntulp 58 | 59 | # Create the vxlan tunnel using ovs vxlan feature for both bridges to another hosts bridges 60 | # make sure remote IP and key options; they are important 61 | sudo ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=10.0.1.43 options:key=1000 62 | sudo ovs-vsctl add-port ovs-br1 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=10.0.1.43 options:key=2000 63 | 64 | # check the port again; it should be listening 65 | netstat -ntulp | grep 4789 66 | 67 | sudo ovs-vsctl show 68 | 69 | ip a 70 | 71 | 72 | # It's time to check the connectivity 73 | 74 | # FROM docker1 75 | # will get ping 76 | sudo docker exec docker3 ping 192.168.1.12 77 | sudo docker exec docker3 ping 192.168.1.11 78 | 79 | # will be failed 80 | sudo docker exec docker3 ping 192.168.2.11 81 | sudo docker exec docker3 ping 
192.168.2.12 82 | 83 | # FROM docker2 84 | # will get ping 85 | sudo docker exec docker4 ping 192.168.2.11 86 | sudo docker exec docker4 ping 192.168.2.12 87 | 88 | # will be failed 89 | sudo docker exec docker4 ping 192.168.1.11 90 | sudo docker exec docker4 ping 192.168.1.12 91 | 92 | 93 | # NAT Conncetivity for recahing the internet 94 | 95 | sudo cat /proc/sys/net/ipv4/ip_forward 96 | 97 | # enabling ip forwarding by change value 0 to 1 98 | sudo sysctl -w net.ipv4.ip_forward=1 99 | sudo sysctl -p /etc/sysctl.conf 100 | sudo cat /proc/sys/net/ipv4/ip_forward 101 | 102 | sudo iptables -t nat -L -n -v 103 | 104 | sudo iptables --append FORWARD --in-interface veth0 --jump ACCEPT 105 | sudo iptables --append FORWARD --out-interface veth0 --jump ACCEPT 106 | sudo iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --jump MASQUERADE 107 | 108 | sudo iptables --append FORWARD --in-interface veth1 --jump ACCEPT 109 | sudo iptables --append FORWARD --out-interface veth1 --jump ACCEPT 110 | sudo iptables --table nat --append POSTROUTING --source 192.168.2.0/24 --jump MASQUERADE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # VXLAN OPENVSWITCH DOCKER LAB 2 | 3 | ## This hands-on demo will provide an overview of container communication between `multi-node or multi container daemon` under the hood using Open vSwitch, docker and VXLAN. 4 | 5 | #### What is Underlay and Overlay Network? 6 | 7 | `Underlay Network` is physical infrastructure above which overlay network is built. It is the underlying network responsible for delivery of packets across networks. Underlay networks can be Layer 2 or Layer 3 networks. Layer 2 underlay networks today are typically based on Ethernet, with segmentation accomplished via VLANs. The Internet is an example of a Layer 3 underlay network. 
8 | 9 | `An Overlay Network` is a virtual network that is built on top of the underlying network infrastructure (the Underlay Network). In effect, the “Underlay” provides a “service” to the overlay. Overlay networks implement network virtualization concepts. A virtualized network consists of overlay nodes (e.g., routers), where Layer 2 and Layer 3 tunneling encapsulation (VXLAN, GRE, and IPSec) serves as the transport overlay protocol. 10 | 11 | #### What is VxLAN? 12 | 13 | `VxLAN — or Virtual Extensible LAN` addresses the requirements of the Layer 2 and Layer 3 data center network infrastructure in the presence of VMs in a multi-tenant environment. It runs over the existing networking infrastructure and provides a means to "stretch" a Layer 2 network. In short, VXLAN is a Layer 2 overlay scheme on a Layer 3 network. Each overlay is termed a VXLAN segment. Only VMs within the same VXLAN segment can communicate with each other. Each VXLAN segment is identified through a 24-bit segment ID, termed the "VNI". This allows up to 16 M VXLAN segments to coexist within the same administrative domain. 14 | 15 | #### What is VNI? 16 | 17 | Unlike a VLAN, whose 12-bit ID allows only about 4,000 segments, VxLAN uses a 24-bit identifier field in its header, which gives us about 16 million VNIs to use. The `VXLAN Network Identifier (VNI)` is the identifier for the LAN segment, similar to a VLAN ID. With an address space this large, an ID can be assigned to a customer, and it can remain unique across the entire network. 18 | 19 | #### What is VTEP? 20 | 21 | VxLAN traffic is encapsulated before it is sent over the network. This creates stateless tunnels across the network, from the source switch to the destination switch. The encapsulation and decapsulation are handled by a component called a `VTEP (VxLAN Tunnel End Point)`. A VTEP has an IP address in the underlay network. It also has one or more VNIs associated with it. 
When a frame from one of these VNIs arrives at the Ingress VTEP, the VTEP encapsulates it with UDP and IP headers. The encapsulated packet is sent over the IP network to the Egress VTEP. When it arrives, the VTEP removes the IP and UDP headers, and delivers the frame as normal. This encapsulation neither authenticates nor encrypts the frame, so the underlay between the VTEPs has to be trusted or protected separately. 22 | 23 | 24 | ### Packet Walk 25 | 26 | #### How traffic passes through a simple VxLAN network. 27 | 28 | ![Project Diagram](https://github.com/faysalmehedi/vxlan-ovs-docker-lab/blob/main/vxlan_PacketWalk.png) 29 | 30 | _The diagram is taken from the networkdirection blog_ 31 | 32 | - A frame arrives on a switch port from a host. This port is a regular untagged (access) port, which assigns a VLAN to the traffic. - The switch determines that the frame needs to be forwarded to another location. The remote switch is connected by an IP network. It may be close or many hops away. 33 | - The VLAN is associated with a VNI, so a VxLAN header is applied. The VTEP encapsulates the traffic in UDP and IP headers. UDP port 4789 is used as the destination port. The traffic is sent over the IP network. 34 | - The remote switch receives the packet and decapsulates it. A regular layer-2 frame with a VLAN ID is left. 35 | - The switch selects an egress port to send the frame out. This is based on normal MAC lookups. The rest of the process is as normal. 36 | 37 | ### Get an overview of the hands-on from the diagram below 38 | ![Project Diagram](https://github.com/faysalmehedi/vxlan-ovs-docker-lab/blob/main/vxlan-demo.png) 39 | 40 | 41 | ***For this demo, as I am going to keep everything simple and only focus on the vxlan feature, anyone can deploy two VMs on any hypervisor or virtualization technology. Make sure they are on the same network so that the hosts can communicate with each other. I launched two EC2 instances (Ubuntu) in the same VPC on AWS to simulate this hands-on. 
In case of AWS, please allow all traffic in the security group to avoid connectivity issues; between the two instances the lab itself only uses ICMP (the underlay ping check) and UDP port 4789 (the VXLAN tunnel), so the rule can be limited to that traffic from the peer instance.*** 42 | 43 | #### What are we going to cover in this hands-on demo? 44 | 45 | - We will use two VMs for this, and will install OpenVSwitch and docker on them 46 | - Then we will create two bridges via OpenVSwitch and configure them 47 | - Then we will create docker containers with the none network and will connect them to the previously created bridges 48 | - After that comes the main part of this demo: we will create VXLAN Tunneling between the VMs and make the overlay network 49 | - We will see how one host can ping the other 50 | - Last but not least, we will configure iptables for communicating with the outer world. 51 | 52 | ### Let's start... 53 | 54 | **Step 0: As we already have our VMs installed or launched from AWS, please make sure they can communicate with each other. It can be done with the ping utility. It's important because it means that our UNDERLAY network is working properly. Then update packages and install the essential packages for this demo on both VMs.** 55 | ```bash 56 | # update the repository 57 | sudo apt update 58 | # Install essential tools 59 | sudo apt -y install net-tools docker.io openvswitch-switch 60 | ``` 61 | 62 | **Step 1: Now create two bridges per VM using OpenVSwitch `ovs-vsctl` cli utility.** 63 | 64 | ```bash 65 | # For VM1 & VM2: 66 | # Create two bridge using ovs 67 | sudo ovs-vsctl add-br ovs-br0 68 | sudo ovs-vsctl add-br ovs-br1 69 | ``` 70 | 71 | **Then create the internal port/interfaces to the ovs-bridge:** 72 | ```bash 73 | # For VM1 & VM2 74 | # add port/interfaces to bridges 75 | sudo ovs-vsctl add-port ovs-br0 veth0 -- set interface veth0 type=internal 76 | sudo ovs-vsctl add-port ovs-br1 veth1 -- set interface veth1 type=internal 77 | # ovs-br0 is the bridge name 78 | # veth0 is the interface/port name where type is 'internal' 79 | 80 | # check the status of bridges 81 | sudo ovs-vsctl show 82 | ``` 83 | 84 | **Now it's time to set the IP of the bridges and up the 
interface:** 85 | 86 | ```bash 87 | # For VM1 & VM2 88 | 89 | # set the ip to the created port/interfaces 90 | sudo ip address add 192.168.1.1/24 dev veth0 91 | sudo ip address add 192.168.2.1/24 dev veth1 92 | 93 | # Check the status, link should be down 94 | ip a 95 | 96 | # bring the interfaces up with MTU 1450 (leaves room for the 50-byte VXLAN encapsulation, assuming a 1500-byte underlay MTU) and check status 97 | sudo ip link set dev veth0 up mtu 1450 98 | sudo ip link set dev veth1 up mtu 1450 99 | 100 | # Check the status, link should be UP/UNKNOWN 101 | ip a 102 | ``` 103 | **Step 2: It's time to set up the docker containers with the `none` network. Also, as the containers will not get any internet connection for now, we will need some tools for analysis, so I have written a Dockerfile for this. Build the image first, then run the containers.** 104 | 105 | ```bash 106 | # For VM1 107 | # create a docker image from the docker file 108 | # find the Dockerfile in the repo 109 | sudo docker build . -t ubuntu-docker 110 | 111 | # create containers from the created image; Containers not connected to any network 112 | sudo docker run -d --net=none --name docker1 ubuntu-docker 113 | sudo docker run -d --net=none --name docker2 ubuntu-docker 114 | 115 | # check container status and ip 116 | sudo docker ps 117 | sudo docker exec docker1 ip a 118 | sudo docker exec docker2 ip a 119 | ``` 120 | 121 | ```bash 122 | # For VM2 123 | # create a docker image from the docker file 124 | sudo docker build . -t ubuntu-docker 125 | 126 | # create containers from the created image; Containers not connected to any network 127 | sudo docker run -d --net=none --name docker3 ubuntu-docker 128 | sudo docker run -d --net=none --name docker4 ubuntu-docker 129 | 130 | # check container status and ip 131 | sudo docker ps 132 | sudo docker exec docker3 ip a 133 | sudo docker exec docker4 ip a 134 | ``` 135 | 136 | **Now assign the static IP address to the containers using `ovs-docker` utility. 
Also ping the gateway to test the connectivity.** 137 | 138 | ```bash 139 | # For VM1 140 | # add ip address to the container using ovs-docker utility 141 | sudo ovs-docker add-port ovs-br0 eth0 docker1 --ipaddress=192.168.1.11/24 --gateway=192.168.1.1 142 | sudo docker exec docker1 ip a 143 | 144 | sudo ovs-docker add-port ovs-br1 eth0 docker2 --ipaddress=192.168.2.11/24 --gateway=192.168.2.1 145 | sudo docker exec docker2 ip a 146 | 147 | # ping the gateway to check if container connected to ovs-bridges (ping runs until stopped with Ctrl-C) 148 | sudo docker exec docker1 ping 192.168.1.1 149 | sudo docker exec docker2 ping 192.168.2.1 150 | ``` 151 | 152 | ```bash 153 | # For VM2 154 | # add ip address to the container using ovs-docker utility; NOTE(review): these are the same addresses VM1 gives docker1/docker2, while the connectivity test later pings 192.168.1.12 and 192.168.2.12 - the VM2 containers presumably should get the .12 addresses 155 | sudo ovs-docker add-port ovs-br0 eth0 docker3 --ipaddress=192.168.1.11/24 --gateway=192.168.1.1 156 | sudo docker exec docker3 ip a 157 | 158 | sudo ovs-docker add-port ovs-br1 eth0 docker4 --ipaddress=192.168.2.11/24 --gateway=192.168.2.1 159 | sudo docker exec docker4 ip a 160 | 161 | # ping the gateway to check if container connected to ovs-bridges (ping runs until stopped with Ctrl-C) 162 | sudo docker exec docker3 ping 192.168.1.1 163 | sudo docker exec docker4 ping 192.168.2.1 164 | ``` 165 | 166 | **Step 3: Now we are going to establish the VXLAN TUNNELING between the two VMs. The vxlan ID (VNI) and UDP port 4789 are the important parts. 
Also we have to configure the remote IP which is opposite VM IP.** 167 | ```bash 168 | # For VM1 169 | # one thing to check; as vxlan communicate using udp port 4789, check the current status 170 | netstat -ntulp 171 | 172 | # Create the vxlan tunnel using ovs vxlan feature for both bridges to another hosts bridges 173 | # make sure remote IP and key options; they are important 174 | sudo ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=10.0.1.169 options:key=1000 175 | # key is VNI 176 | # vxlan0 is the interface/port name 177 | # type is vxlan which also configures udp port 4789 default 178 | sudo ovs-vsctl add-port ovs-br1 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=10.0.1.169 options:key=2000 179 | 180 | # check the port again; it should be listening 181 | netstat -ntulp | grep 4789 182 | 183 | sudo ovs-vsctl show 184 | 185 | ip a 186 | ``` 187 | ```bash 188 | # For VM 2 189 | # one thing to check; as vxlan communicate using udp port 4789, check the current status 190 | netstat -ntulp 191 | 192 | # Create the vxlan tunnel using ovs vxlan feature for both bridges to another hosts bridges 193 | # make sure remote IP and key options; they are important 194 | sudo ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=10.0.1.43 options:key=1000 195 | sudo ovs-vsctl add-port ovs-br1 vxlan1 -- set interface vxlan1 type=vxlan options:remote_ip=10.0.1.43 options:key=2000 196 | 197 | # check the port again; it should be listening 198 | netstat -ntulp | grep 4789 199 | 200 | sudo ovs-vsctl show 201 | 202 | ip a 203 | 204 | ``` 205 | 206 | **Now test the connectivity and see the magic!** 207 | 208 | ```bash 209 | # FROM docker1 210 | # will get ping 211 | sudo docker exec docker1 ping 192.168.1.12 212 | sudo docker exec docker1 ping 192.168.1.11 213 | 214 | # will be failed 215 | sudo docker exec docker1 ping 192.168.2.11 216 | sudo docker exec docker1 ping 192.168.2.12 217 | 218 | # 
FROM docker2 219 | # will get ping 220 | sudo docker exec docker2 ping 192.168.2.11 221 | sudo docker exec docker2 ping 192.168.2.12 222 | 223 | # will fail 224 | sudo docker exec docker2 ping 192.168.1.11 225 | sudo docker exec docker2 ping 192.168.1.12 226 | ``` 227 | 228 | #### The VXLAN TUNNELING is working. We can reach the other host's docker container with the same VNI. That's awesome!!! 229 | 230 | **Step 4: We can now communicate between containers with the same VNI, but can't reach the outer world. Let's fix that by adding some iptables rules for NATing.** 231 | 232 | _Note: Not going to describe all the commands here because it's not our main focus. In short, the two FORWARD rules accept any packet routed in or out through the bridge's internal port, and the POSTROUTING rule source-NATs the container subnet to the address of the interface the packet leaves by; none of them restricts the destination or the outgoing interface. Go to this [link](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/security_guide/s1-firewall-ipt-fwd) for details:_ 233 | 234 | ```bash 235 | # NAT connectivity for reaching the internet 236 | 237 | sudo cat /proc/sys/net/ipv4/ip_forward 238 | 239 | # enable IP forwarding by changing the value from 0 to 1 (sysctl -w changes the running kernel only; it is not persisted across reboots) 240 | sudo sysctl -w net.ipv4.ip_forward=1 241 | sudo sysctl -p /etc/sysctl.conf 242 | sudo cat /proc/sys/net/ipv4/ip_forward 243 | 244 | sudo iptables -t nat -L -n -v 245 | 246 | sudo iptables --append FORWARD --in-interface veth0 --jump ACCEPT 247 | sudo iptables --append FORWARD --out-interface veth0 --jump ACCEPT 248 | sudo iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --jump MASQUERADE 249 | ``` 250 | 251 | ```bash 252 | # ping the outer world, should not reach the internet 253 | ping 1.1.1.1 -c 2 254 | 255 | # Now let's make NAT connectivity for reaching the internet 256 | 257 | sudo cat /proc/sys/net/ipv4/ip_forward 258 | 259 | # enable IP forwarding by changing the value from 0 to 1 (sysctl -w changes the running kernel only; it is not persisted across reboots) 260 | sudo sysctl -w net.ipv4.ip_forward=1 261 | sudo sysctl -p /etc/sysctl.conf 262 | sudo cat /proc/sys/net/ipv4/ip_forward 263 | 264 | # see the rules 265 | sudo iptables -t nat -L -n -v 266 | 267 | sudo iptables --append FORWARD --in-interface veth1 --jump ACCEPT 268 | sudo iptables --append 
FORWARD --out-interface veth1 --jump ACCEPT 269 | sudo iptables --table nat --append POSTROUTING --source 192.168.2.0/24 --jump MASQUERADE 270 | 271 | # ping the outer world now, should be working now 272 | ping 1.1.1.1 -c 2 273 | ``` 274 | 275 | #### Now the hands on completed; 276 | --------------------------------------------------------------------------------