[SOLVED] Iptables and network bridge

brianmcgee · 12-15-2010, 04:37 PM

Hello,

I have the following XEN network setup at hand:

Code:

IPTABLES
br0 - Public IP 123.123.123.123
+---eth0

vbr0 - DMZ IP 192.168.1.1
+---vif Virtual Machine with IP 192.168.1.42

Goals:

Forward requests on tcp port 80 to the virtual machine with the IP 192.168.1.42.
The virtual machine should get updates from the internet
The virtual machine should successfully ping Public IP 123.123.123.123
The virtual machine should successfully ping 192.168.1.1
The virtualization host should successfully ping 192.168.1.42
IPtables has default drop policy.

Some thoughts:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Forward port 80 to httpd in virtual machine
iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
iptables -A INPUT -i br0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -m state --state NEW -p tcp -d 192.168.1.42 --dport 80 -j ACCEPT

# Allow internet access in virtual machine
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.42/255.255.255.0 -o br0 -j SNAT --to 123.123.123.123

Currently working/not working:
Internet in the virtual machine is ok: VM can ping google and wget index.html
VM does not get ping reply to ip 192.168.1.42, 192.168.1.1 nor 123.123.123.123

How can I further debug this issue? What did I miss? Thanks!

frankbell · 12-16-2010, 08:43 PM

Maybe this thread will help.

brianmcgee · 12-17-2010, 02:39 PM

Thanks for the help!

The solution was trivial. All was setup correct. Icmp was ignored by host. The following code solved the issue:

Code:

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all