IP Forwarding

mecheri · 04-07-2014, 08:26 AM

Hi everyone,

I have installed kvm on my ubuntu pc.
I have created 3 VMs, two on the 192.168.122.0 network and one on the 192.168.100.0 network.

When a packet comes from 192.168.100.190 (outside.example.org) and goes to the 192.168.122.0/24 network.
The 2 VMs (server.example.com and client.example.com) see it as coming from 192.168.122.1 and NOT from 192.168.100.190 as expected !!

Examples:

- When I run a ping command from 192.168.100.190 (outside.example.org) the output of the tcpdump command on 192.168.100.103 shows this:

# tcpdump -i eth0 -v icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:40:57.249450 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.122.1 > server.example.com: ICMP echo request, id 13, seq 1, length 64

- When I send an http client request (elinks browser) from 192.168.100.190 to the httpd server on 192.168.100.103 the logs file on this shows :

192.168.122.1 - - [06/Apr/2014:14:39:43 +0200] "GET / HTTP/1.1" 200 17

Any idea ?

pingu · 04-07-2014, 12:12 PM

192.168.122.1 - that would be the ip of kvm host,right? Or is it some other router configured here?
It sounds to me as NAT is being used. If you don't want that between your 192.168.122.1 private networks you'll have to configure the device with ip 192.168.122.1 .

mecheri · 04-08-2014, 04:21 AM

Hi,

Thanks for your reply.

192.168.122.1 is the IP of the first virtual interface of the kvm host.

eth0 inet addr:192.168.1.26 Bcast:192.168.1.255 Mask:255.255.255.0
virbr0 inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
virbr1 inet addr:192.168.100.1 Bcast:192.168.100.255 Mask:255.255.255.0

>>It sounds to me as NAT is being used.
Yes it is

*nat
:PREROUTING ACCEPT [960:118740]
:INPUT ACCEPT [594:90857]
:OUTPUT ACCEPT [3190:201902]
:POSTROUTING ACCEPT [3515:222655]
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT

>> If you don't want that between your 192.168.122.1 private networks you'll have to configure the device with ip 192.168.122.1

Sorry I don't get it ! what do you mean ? which device ?

pingu · 04-09-2014, 12:37 PM

Now I don't quite understand you.
You are using NAT, you have obviously set it up yourself. But you don't want NAT? Well then remove those rules.

Maybe you don't really know what NAT is:
When NAT is used on a router/firewall, it takes the actual incoming IP and translates it to it's own.
That's how you can use private ip's on your server and still have it reachable from internet.
So, your NAT rules will replace the senders ip with routers ip. That's why you get 192.168.122.1 in the logs.

Or maybe I completely misunderstand you?