Notes - ip, iptables, and other unix networking commands
Following are command lines that I often use (not necessarily the best approach) when working with `ip`, which is used to show / manipulate routing, devices, policy routing and tunnels.
- Show current routes:

  ```sh
  ip route show
  ```
- Add a route:

  ```sh
  sudo ip route add <a.b.c.d/e> via <gateway_IP> dev <device_name>
  ```

  `a.b.c.d/e` can be a subnet or just the IP address of the desired destination, `gateway_IP` is the IP address of the gateway you want to route your traffic through (e.g., `192.168.1.1`), and `device_name` is the name of the interface via which you want to route your traffic.
- Delete a route:

  ```sh
  ip route del <a.b.c.d/e>
  ```
- Bring down or remove an interface/device:

  ```sh
  ip link set dev <interface_name> down
  ```

  or,

  ```sh
  ip link delete <interface_name>
  ```
- Flush the main routing table (CAUTION! you may be locked out of the machine if you don't have other means of accessing it, e.g. console, physical access, etc.):

  ```sh
  sudo ip route flush table main
  ```

  You may want to chain the above command with `sudo service NetworkManager restart` to restart networking, thus regaining access to the machine immediately. Note: make sure you have `NetworkManager` on your machine.
- Forward ports for KVM on Linux:

  ```sh
  sudo iptables -t nat -I PREROUTING -p <protocol> -d <host_public_ip> --dport <host_open_port> -j DNAT --to-destination <vm_local_ip>:<vm_local_port>
  sudo iptables -I FORWARD -m state -d <vm_local_ip> --state NEW,RELATED,ESTABLISHED -j ACCEPT
  ```
- Forward packets on Ubuntu after enabling a wifi hotspot:

  ```sh
  sudo iptables -t nat -A POSTROUTING -o <wired_interface> -j MASQUERADE
  sudo iptables -A FORWARD -i <wifi_interface> -o <wired_interface> -j ACCEPT
  sudo iptables -A FORWARD -i <wired_interface> -o <wifi_interface> -m state --state RELATED,ESTABLISHED -j ACCEPT
  ```
- Configure a fixed IP address for a device by creating a yaml file under `/etc/netplan/` (e.g., `01-netcfg.yaml`):

  ```yaml
  network:
    version: 2
    renderer: networkd  # this can be NetworkManager or networkd
    ethernets:
      eth0:  # Your device name
        dhcp4: no
        addresses: [x.x.x.y/24]  # Your static IP and subnet mask
        gateway4: x.x.x.x  # Your gateway address
        nameservers:
          addresses: [1.1.1.1, 9.9.9.9]  # DNS servers (Quad1 and Quad9 used here)
  ```
  Make sure the permissions of the file are not too open. Netplan configuration should NOT be readable by other users. Change the permission of the file to `600` (i.e., `sudo chmod 600 01-netcfg.yaml`). Then, run `sudo netplan apply` to apply the changes. If the machine still uses the old IP address after applying the changes, it is possible that the desired IP address is already taken by another device. In this case, you can try to restart the machine, or change the IP address to another one.

  If you see a `gateway4 has been deprecated` warning, you can change the directive to:

  ```yaml
  network:
    version: 2
    renderer: networkd
    ethernets:
      eth0:
        dhcp4: no
        addresses: [x.x.x.y/24]  # Your static IP and subnet mask
        routes:
          - to: default
            via: x.x.x.x  # Your gateway address
        nameservers:
          addresses: [1.1.1.1, 9.9.9.9]  # DNS servers (Quad1 and Quad9 used here)
  ```

  To debug, you can run `sudo netplan --debug apply` to see what's wrong.
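As an added example (not part of the original notes), a small Python helper that renders the non-deprecated `routes: - to: default` netplan config above, refuses a gateway that does not lie inside the configured subnet (a common reason `netplan apply` leaves the host unreachable), and creates the file with mode 600 from the start instead of fixing it up with `chmod` afterwards. The interface name, addresses and output path used in the demo are constructed placeholders.

```python
import ipaddress
import os
import tempfile


def render_netplan_static(iface, address, gateway, nameservers, renderer="networkd"):
    """Render a netplan v2 static-IP config using 'routes: - to: default'.
    Raises ValueError when the gateway is outside the address's subnet,
    equals the host address, or any nameserver is not a valid IP."""
    net = ipaddress.ip_interface(address)   # e.g. 192.168.1.50/24
    gw = ipaddress.ip_address(gateway)
    if gw not in net.network:
        raise ValueError(f"gateway {gw} is not in subnet {net.network}")
    if gw == net.ip:
        raise ValueError("gateway must differ from the host address")
    for ns in nameservers:
        ipaddress.ip_address(ns)            # reject typos before writing the file
    ns_list = ", ".join(nameservers)
    return (
        "network:\n"
        "  version: 2\n"
        f"  renderer: {renderer}\n"
        "  ethernets:\n"
        f"    {iface}:\n"
        "      dhcp4: no\n"
        f"      addresses: [{net.with_prefixlen}]\n"
        "      routes:\n"
        "        - to: default\n"
        f"          via: {gw}\n"
        "      nameservers:\n"
        f"        addresses: [{ns_list}]\n"
    )


def write_netplan(path, content):
    """Create the file with mode 0600 atomically (O_EXCL refuses to clobber an
    existing file) and return the resulting permission bits as an octal string."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    # Constructed demo values; written to a temp dir rather than /etc/netplan/.
    cfg = render_netplan_static("eth0", "192.168.1.50/24", "192.168.1.1",
                                ["1.1.1.1", "9.9.9.9"])
    out = os.path.join(tempfile.mkdtemp(), "01-netcfg.yaml")
    print(cfg, "mode:", write_netplan(out, cfg))
```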