Old 05-21-2010, 07:03 AM   #1
LQ Newbie
Registered: Oct 2004
Location: Devon, England
Distribution: Debian Stable
Posts: 26

Rep: Reputation: 0
Routing incoming traffic to NAT'ed VM on a hired dedicated server

Here's my situation:

I have set up a virtual machine on a dedicated server from 1and1. I hoped to use a bridge to give the VM direct access to the internet, but 1and1 do MAC filtering and so the only option is to use NAT.

I used Virtual Machine Manager on my Ubuntu 10.04 machine at home to install Debian Lenny on the VM on the server using KVM, and all went well. I put it on a virtual network and I can access it from the host, and I can access the internet from the guest using the NAT that libvirt set up.

I bought another IP address from 1and1 with the hope of forwarding packets to the new IP address to the guest VM.

I have tried all sorts of routing rules using iptables without any success.

My virtual network is on virbr1.
The guest IP is
My external network device is IP, say, on eth0,
with the secondary IP, say, on eth0:1.

Here are the latest rules I tried:
iptables -t nat -A PREROUTING -d -i eth0 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source
iptables -A FORWARD -p tcp -i eth0 -o virbr1 -d -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -t nat -L
then gives me

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere to:

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere to:

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables -L FORWARD
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
But I can't access the VM from the internet on the packets get lost.

What am I missing? I have looked around the internet for ages but not found any guidance on this type of setup that has worked. I am no expert on iptables and have only tried other people's setups who are in similar situations.

Any help will be much appreciated!!
Old 05-21-2010, 01:40 PM   #2
Registered: Oct 2009
Location: South America - Paraguay
Distribution: Debian 5 - Slackware 13.1 - Arch - Some others linuxes/*BSDs through KVM and Xen
Posts: 329

Rep: Reputation: 55
I think it's best to try from the ground up:

$ iptables -t nat -I PREROUTING -d -i eth0 -j DNAT --to
$ iptables -I FORWARD -p tcp -i eth0 -d -j ACCEPT
$ iptables -I FORWARD -p tcp -o eth0 -s -j ACCEPT
More permissive. And when you get it working, only then start adding restrictions (antispoofing and such).

And I've changed the "-A" (append) for "-I" (insert), so these new rules will be the first ones to evaluate.
Old 05-21-2010, 03:30 PM   #3
LQ Newbie
Registered: Oct 2004
Location: Devon, England
Distribution: Debian Stable
Posts: 26

Original Poster
Rep: Reputation: 0
for (( i = 0; i <= 3; i++ )); do echo "Thank you!"; done
I was tearing my hair out on this one. I did wonder whether using (I) insert to get the rule at the top of the table would make a difference. I still don't fully understand how iptables works (need to read up on it more), but I am grateful for a solution to this.

Is there anything I should be concerned about in terms of security with this set up? I trust (as much as you can) users on the host and the guest.

Thanks again
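The fix in post #2 works because iptables evaluates a chain top-down and libvirt has already put "-o virbr1 -j REJECT" rules in FORWARD, so anything appended with "-A" lands after the REJECTs and never sees a packet. The script below is an added example written for this thread; it is not the poster's code, not part of libvirt, and every address, interface and port in it is an assumed placeholder (the 203.0.113.0/24 address is from the RFC 5737 documentation range, 192.168.122.0/24 is libvirt's usual default NAT subnet). It answers the security question in post #3 the way a practitioner would: DNAT only the TCP ports the guest actually serves instead of every protocol, drop packets arriving on eth0 that claim a source inside the virtual network, keep the forwarding rules in their own chain inserted at position 1 of FORWARD, and include a check that parses "iptables -S FORWARD" output to confirm the jump really precedes the first REJECT. The "iptables -C"-free delete-then-insert pattern makes it safe to re-run after libvirt rebuilds its rules (virsh net-start, libvirtd restart), which it will.

```shell
#!/bin/sh
# Added example, not code from the thread or from libvirt. Forwards a secondary
# public IP to a NAT'ed KVM guest for listed TCP ports only. All values below
# are assumed placeholders; override them in the environment.
PUB_IP="${PUB_IP:-203.0.113.10}"        # assumed: secondary IP bought from the hoster
GUEST_IP="${GUEST_IP:-192.168.122.10}"  # assumed: guest address on the virtual network
BR_NET="${BR_NET:-192.168.122.0/24}"    # assumed: the virtual network's subnet
EXT_IF="${EXT_IF:-eth0}"
BR_IF="${BR_IF:-virbr1}"
PORTS="${PORTS:-22 80 443}"             # TCP ports exposed on PUB_IP; all others stay closed
CHAIN="VM_FWD"

# Print the rule set as iptables commands. Dedicated chains are created or
# flushed, and the jumps into them are deleted and re-inserted at position 1,
# so re-running the script is idempotent even after libvirt re-adds its rules.
gen_rules() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
sysctl -q -w net.ipv4.conf.${EXT_IF}.rp_filter=1
iptables -t nat -N ${CHAIN}_PRE 2>/dev/null || iptables -t nat -F ${CHAIN}_PRE
iptables -t nat -N ${CHAIN}_POST 2>/dev/null || iptables -t nat -F ${CHAIN}_POST
iptables -N ${CHAIN} 2>/dev/null || iptables -F ${CHAIN}
iptables -t nat -D PREROUTING -i ${EXT_IF} -d ${PUB_IP} -j ${CHAIN}_PRE 2>/dev/null
iptables -t nat -I PREROUTING 1 -i ${EXT_IF} -d ${PUB_IP} -j ${CHAIN}_PRE
iptables -t nat -D POSTROUTING -s ${GUEST_IP} -o ${EXT_IF} -j ${CHAIN}_POST 2>/dev/null
iptables -t nat -I POSTROUTING 1 -s ${GUEST_IP} -o ${EXT_IF} -j ${CHAIN}_POST
iptables -D FORWARD -j ${CHAIN} 2>/dev/null
iptables -I FORWARD 1 -j ${CHAIN}
iptables -A ${CHAIN} -i ${EXT_IF} -s ${BR_NET} -j DROP
iptables -A ${CHAIN} -i ${EXT_IF} -o ${BR_IF} -d ${GUEST_IP} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A ${CHAIN} -i ${BR_IF} -o ${EXT_IF} -s ${GUEST_IP} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A ${CHAIN}_POST -j SNAT --to-source ${PUB_IP}
EOF
    # One DNAT plus one NEW-state accept per exposed port; nothing else is translated.
    for p in $PORTS; do
        echo "iptables -t nat -A ${CHAIN}_PRE -p tcp --dport ${p} -j DNAT --to-destination ${GUEST_IP}"
        echo "iptables -A ${CHAIN} -i ${EXT_IF} -o ${BR_IF} -p tcp -d ${GUEST_IP} --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Read "iptables -S FORWARD" output on stdin; succeed only if the jump into
# $CHAIN is listed before the first REJECT/DROP rule. A jump that comes after
# libvirt's "-o virbr1 -j REJECT" is dead code, which is what "-A" produced.
jump_before_reject() {
    awk -v chain="$CHAIN" '
        /-j (REJECT|DROP)/ && !seen { bad = 1; exit }
        $0 ~ ("-j " chain "( |$)")  { seen = 1 }
        END { exit (seen && !bad) ? 0 : 1 }
    '
}

# Constructed sample of the FORWARD rules libvirt installs for a NAT network
# (shape taken from the listing in post #1, addresses assumed).
libvirt_rules() {
    cat <<EOF
-A FORWARD -d ${BR_NET} -o ${BR_IF} -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s ${BR_NET} -i ${BR_IF} -j ACCEPT
-A FORWARD -i ${BR_IF} -o ${BR_IF} -j ACCEPT
-A FORWARD -o ${BR_IF} -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i ${BR_IF} -j REJECT --reject-with icmp-port-unreachable
EOF
}
sample_appended() { echo "-P FORWARD ACCEPT"; libvirt_rules; echo "-A FORWARD -j ${CHAIN}"; }  # what -A gives
sample_inserted() { echo "-P FORWARD ACCEPT"; echo "-A FORWARD -j ${CHAIN}"; libvirt_rules; }  # what -I 1 gives

case "${1:-}" in
    apply) gen_rules | sh -e ;;   # run as root on the host
    check) iptables -S FORWARD | jump_before_reject \
               && echo "ok: ${CHAIN} precedes libvirt's REJECT rules" \
               || echo "WARNING: ${CHAIN} is behind a REJECT; re-run '$0 apply'" ;;
    *)     gen_rules
           sample_appended | jump_before_reject && echo "appended jump: reachable" || echo "appended jump: unreachable (behind REJECT)"
           sample_inserted | jump_before_reject && echo "inserted jump: reachable" || echo "inserted jump: unreachable" ;;
esac
```

Two caveats the rules do not cover. Ports you do not DNAT are not "closed" on the secondary IP: any host service bound to 0.0.0.0 answers there, so check `ss -ltn` (or `netstat -ltn`) on the host and bind services to the primary address where they should not be reachable on the guest's IP. And because the guest's outbound traffic is SNAT'ed to PUB_IP ahead of libvirt's MASQUERADE, abuse originating in the guest is attributed to that address; if that matters, rate-limit or log NEW connections leaving the guest in the same chain.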


