LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 05-21-2010, 07:03 AM   #1
merlininthewood
LQ Newbie
 
Registered: Oct 2004
Location: Devon, England
Distribution: Ubuntu 10.04, Debian Lenny
Posts: 21

Rep: Reputation: 0
Routing incoming traffic to NAT'ed VM on a hired dedicated server


Here's my situation:

I have set up a virtual machine on a dedicated server from 1and1. I hoped to use a bridge to give the VM direct access to the internet, but 1and1 do MAC filtering and so the only option is to use NAT.

I used Virtual Machine Manager on my Ubuntu 10.04 machine at home to install Debian Lenny on the VM on the server using KVM, and all went well. I put it on a virtual network 192.168.100.0 and I can access it from the host, and I can access the internet from the guest using the NAT that libvirt set up.

I bought another IP address from 1and1 with the hope of forwarding packets to the new IP address 11.22.33.02 to the guest VM.

I have tried all sorts of routing rules using iptables without any success.

My virtual network is on virbr1.
The guest IP is 192.168.100.50.
My external network device has IP (say) 11.22.33.01 on eth0,
with the secondary IP (say) 11.22.33.02 on eth0:1.

Here are the latest rules I tried:
Quote:
iptables -t nat -A PREROUTING -d 11.22.33.02 -i eth0 -j DNAT --to-destination 192.168.100.50
iptables -t nat -A POSTROUTING -s 192.168.100.50 -o eth0 -j SNAT --to-source 11.22.33.02
iptables -A FORWARD -p tcp -i eth0 -o virbr1 -d 192.168.100.50 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -L
then gives me
Quote:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere 11.22.33.02 to:192.168.100.50

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.100.0/24 !192.168.100.0/24
SNAT all -- 192.168.100.50 anywhere to:11.22.33.02

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and
#iptables -L FORWARD
Quote:
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.100.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.100.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere 192.168.100.50 state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
But I can't access the VM from the internet on 11.22.33.02; the packets get lost.

What am I missing? I have looked around the internet for ages but not found any guidance on this type of setup that has worked. I am no expert on iptables and have only tried other people's setups who are in similar situations.

Any help will be much appreciated!!
 
Old 05-21-2010, 01:40 PM   #2
HasC
Member
 
Registered: Oct 2009
Location: South America - Paraguay
Distribution: Debian 5 - Slackware 13.1 - Arch - Some others linuxes/*BSDs through KVM and Xen
Posts: 329

Rep: Reputation: 55
I think it's best to try from the ground up:

Code:
$ iptables -t nat -I PREROUTING -d 11.22.33.02 -i eth0 -j DNAT --to 192.168.100.50
$ iptables -I FORWARD -p tcp -i eth0 -d 192.168.100.50 -j ACCEPT
$ iptables -I FORWARD -p tcp -o eth0 -s 192.168.100.50 -j ACCEPT
More permissive. And when you get it working, only then start adding restrictions (antispoofing and such).

And I've changed the "-A" (append) for "-I" (insert), so these new rules will be the first ones to evaluate.
 
1 members found this post helpful.
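The difference between the two rule sets comes down to where the rules land in the FORWARD chain: iptables stops at the first matching rule, and the rules libvirt installs for a NAT network end with two REJECTs, so anything appended with -A sits below them and is never reached. The script below is an added example (not code from either poster) that walks the first inbound SYN and the guest's reply through both chains. It writes the rules in `iptables -S` syntax because the `iptables -L` listing in post #1 hides the -i/-o interface matches; the interface matches on the five libvirt rules are assumed from libvirt's standard NAT network rules, and the remote address 203.0.113.9 is a constructed value.

```python
#!/usr/bin/env python3
"""First-match walk through an iptables FORWARD chain.

Added example, not code from the thread. Rules use `iptables -S` syntax;
the -i/-o matches on libvirt's rules are assumed (they are not visible in
the `iptables -L` listing quoted in post #1).
"""
import ipaddress
import shlex

# libvirt's FORWARD rules for the NAT network on virbr1 (interface matches assumed)
LIBVIRT_FORWARD = [
    "-A FORWARD -d 192.168.100.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -s 192.168.100.0/24 -i virbr1 -j ACCEPT",
    "-A FORWARD -i virbr1 -o virbr1 -j ACCEPT",
    "-A FORWARD -o virbr1 -j REJECT",
    "-A FORWARD -i virbr1 -j REJECT",
]
# post #1: appended with -A, so they land below libvirt's two REJECT rules
OP_APPENDED = [
    "-A FORWARD -p tcp -i eth0 -o virbr1 -d 192.168.100.50 -m state --state NEW -j ACCEPT",
    "-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT",
]
# post #2: inserted with -I, so they are evaluated before anything libvirt added
HASC_INSERTED = [
    "-I FORWARD -p tcp -i eth0 -d 192.168.100.50 -j ACCEPT",
    "-I FORWARD -p tcp -o eth0 -s 192.168.100.50 -j ACCEPT",
]

# Constructed packets. nat/PREROUTING runs before FORWARD, so the inbound SYN
# already carries the DNAT'ed destination when FORWARD sees it.
INBOUND_SYN = {"in": "eth0", "out": "virbr1", "proto": "tcp",
               "src": "203.0.113.9", "dst": "192.168.100.50", "state": "NEW"}
GUEST_REPLY = {"in": "virbr1", "out": "eth0", "proto": "tcp",
               "src": "192.168.100.50", "dst": "203.0.113.9", "state": "ESTABLISHED"}


def parse_rule(line):
    """Convert one `iptables -S` style line into a dict of match criteria."""
    toks = shlex.split(line)
    rule = {"action": toks[0], "in": None, "out": None, "proto": None,
            "src": None, "dst": None, "state": None, "target": None}
    i = 2  # toks[0] is -A or -I, toks[1] is the chain name
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "-m":
            pass  # match extension name (e.g. "state"); its options follow
        elif opt == "-i":
            rule["in"] = val
        elif opt == "-o":
            rule["out"] = val
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "--state":
            rule["state"] = set(val.split(","))
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"option {opt} is not modelled")
        i += 2
    return rule


def build_chain(lines):
    """Apply the rule lines in order: -A appends, -I inserts at the top."""
    chain = []
    for line in lines:
        rule = parse_rule(line)
        if rule["action"] == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, pkt):
    """True when every criterion the rule specifies fits the packet."""
    for key in ("in", "out", "proto"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if rule[key] is not None and ipaddress.ip_address(pkt[key]) not in rule[key]:
            return False
    if rule["state"] is not None and pkt["state"] not in rule["state"]:
        return False
    return True


def walk(chain, pkt, policy="ACCEPT"):
    """Return (verdict, 1-based index of the deciding rule, or None if the policy decided)."""
    for n, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None


if __name__ == "__main__":
    for label, lines in (("post #1 (-A)", LIBVIRT_FORWARD + OP_APPENDED),
                         ("post #2 (-I)", LIBVIRT_FORWARD + HASC_INSERTED)):
        chain = build_chain(lines)
        for name, pkt in (("inbound SYN", INBOUND_SYN), ("guest reply", GUEST_REPLY)):
            verdict, n = walk(chain, pkt)
            print(f"{label}: {name} -> {verdict} by rule {n}")
```

With the appended rules the inbound SYN is dropped by libvirt's `-o virbr1 -j REJECT` (rule 4) before the ACCEPT on rule 6 is ever consulted, which is exactly the "packets get lost" symptom; the guest's replies were already allowed by libvirt's own rule 2, so only the inbound direction was blocked. The same ordering effect is visible in the POSTROUTING listing in post #1: libvirt's MASQUERADE rule matches the guest's outbound traffic first, so the appended SNAT to 11.22.33.02 never fires and the guest's own connections leave with the primary address. The model does not handle `-I CHAIN N` positions or negated matches; add those if you extend it to your own rule sets.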
Old 05-21-2010, 03:30 PM   #3
merlininthewood
LQ Newbie
 
Registered: Oct 2004
Location: Devon, England
Distribution: Ubuntu 10.04, Debian Lenny
Posts: 21

Original Poster
Rep: Reputation: 0
Code:
#!/bin/bash
# the (( )) arithmetic for-loop is bash syntax, so the shebang must name bash
for ((  i = 0 ;  i <= 3;  i++  ))
do
  echo "Thankyou!"
done
I was tearing my hair out on this one. I did wonder whether using -I (insert) to get the rule at the top of the table would make a difference. I still don't fully understand how iptables works (need to read up on it more), but I am grateful for a solution to this.

Is there anything I should be concerned about in terms of security with this set up? I trust (as much as you can) users on the host and the guest.

Thanks again

Merlin
 