Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
So this is the diagram. I have 2 servers and one VM. On server 1 I have 2 public IPs. I use the main one for the server itself but the second one is free. On server 2 I have just one IP. I want the VM to have a public IP, so basically I want to route all traffic from 1.1.1.2 to the VM (4.4.4.5) on server2. So for example if I open PuTTY and give address 1.1.1.2 port 22, I am logging in directly to 4.4.4.5 port 22. On the other side I want 4.4.4.5 to route to 1.1.1.2 and then to the internet. The idea being for VM1 to operate with 1.1.1.2 as if it is its own IP. I would appreciate some help with the iptables rules. Thanks
Configuring and managing iptables is not my area of expertise; sorry.
You'll need assistance from members here that have that experience. So until they chime in, hang in there and try some of these links. You should mention what distribution you are running.
Good luck to you.
There are several things to take into consideration. On the one hand, it's the NAT. You're going to need to use SNAT for the private LANs.
Is server1 going to be used as a router for the entire network?
You also need to take into consideration routing (you probably need to use static routes), which you don't set up in iptables, but with the ip command (or route, which is slightly deprecated).
What do you mean by saying that on server 2 you have only one IP?
From the diagram, I'd infer that you have 2 IPs (2.2.2.2 and 4.4.4.4), and you should have a third IP for the 3.3.3.3 network. And probably another interface? Or a second IP on the same interface for the private LAN?
Yes, the second IP is going to be used as a router.
The idea being:
I make an SSH/HTTP request to 1.1.1.2 and 4.4.4.5 answers the request.
Also, if I check my external public IP from 4.4.4.5 via "wget http://ipinfo.io/ip -qO -" for example, I want to get 1.1.1.2, so all traffic to the internet is routed via 1.1.1.2.
2.2.2.2 is the public address of server2.
3.3.3.3 is shown as the address on eth0 on server2; I guess it is assigned by DHCP from the host.
4.4.4.4 is the bridge I use in order to connect to the VM.
By the way, all machines are Debian.
All right, so what are you going to use 1.1.1.1 for then? On the diagram it says that it's the main IP, but from what you're saying, it seems to be the secondary IP.
Or is it secondary only in a conventional way, as it's eth0:0?
1.1.1.1 is the main public address on eth0. I want to use it for HTTP, for example.
1.1.1.2 is on eth0:0 and it is secondary/spare. This is the one I want to use on the VM hosted on server2.
You are going to have to ensure that Server1 knows how to get to VM1 via a route.
Please keep in mind the above is only from memory, so you might want to double-check the rules to ensure they will work properly in your environment. There may be mistakes in them; I have not verified them myself.
Thanks for the answer with examples! Isn't that overly simplified, though? How does 1.1.1.2 know where 4.4.4.5 is? Should we first DNAT to server2 and then have server2 DNAT to 4.4.4.5?
Yes, it simply works. As to double DNAT, I try to stay away from that: fewer problems when troubleshooting, and once you are in the internal network everything should already know how to get to every other node on the network.
If you re-read my post, I stated there towards the end that you have to ensure Server1 knows how to reach VM1. This can be done with routing. Add a route for 4.4.4.0/24 (assuming that this network is a class C) to Server1 pointing to Server2. Now Server1 knows how to get to VM1.
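The Server1 side of what the thread arrives at (DNAT the spare address to the VM, SNAT the VM's outbound traffic back out as that address, and a static route to the VM network via Server2), as an added example that is not code from the thread or its posters. Addresses and the interface name are taken from the diagram description; NEXTHOP is assumed to be an address of Server2 that Server1 reaches directly (on-link or a tunnel endpoint), and the conntrack-state restrictions on the FORWARD chain are this example's own choice, not something the replies specify.

```shell
#!/bin/sh
# Added example, not from the thread. Server1 side of the design discussed above:
# DNAT 1.1.1.2 -> VM, SNAT VM -> 1.1.1.2, and a static route so Server1 can reach
# the VM network behind Server2. All values are assumptions from the diagram text.
PUBLIC_IP=${PUBLIC_IP:-1.1.1.2}      # spare address on eth0:0
VM_IP=${VM_IP:-4.4.4.5}              # VM1 on Server2's bridge
VM_NET=${VM_NET:-4.4.4.0/24}         # the bridge network behind Server2
NEXTHOP=${NEXTHOP:-2.2.2.2}          # Server2 as reached from Server1 (placeholder)
WAN_IF=${WAN_IF:-eth0}               # Server1's public interface

# With DRY_RUN set the commands are printed instead of run (applying needs root).
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The routing point made above: Server1 must know the VM network sits behind Server2.
route_to_vm() {
    run ip route replace "$VM_NET" via "$NEXTHOP"
}

# Inbound: traffic to the spare public address is rewritten to the VM. Only packets
# of a DNATed connection (and replies to existing ones) are forwarded, so the FORWARD
# chain can keep a DROP policy instead of forwarding everything.
inbound_dnat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -j DNAT --to-destination "$VM_IP"
    run iptables -A FORWARD -d "$VM_IP" -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Outbound: the VM's own connections leave with the spare address as source, which is
# what makes "wget http://ipinfo.io/ip" on the VM report 1.1.1.2. This requires Server2
# to send the VM's default route toward Server1 rather than masquerading it as 2.2.2.2.
outbound_snat() {
    run iptables -A FORWARD -s "$VM_IP" -o "$WAN_IF" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$VM_IP" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

server1_rules() {
    route_to_vm
    inbound_dnat
    outbound_snat
}

# Print the rules by default; "--apply" executes them on Server1.
case "${1:-}" in
    --apply) server1_rules ;;
    *) DRY_RUN=1; server1_rules ;;
esac
```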
Hi all.
Can someone help me on this:
I have 3 virtual machines with Ubuntu; that is, 3 computers.
Left is pcA, 10.0.0.4 on eth0. It has a default route to 10.0.0.1.
Then pcB, which is the router: eth0 192.168.0.105, and I created the virtual interface eth0:left 10.0.0.1.
Right is pcC, 192.168.0.106. It doesn't have a route to network 10.0.0.0/24.
I want to ssh from pcC to pcA, actually to the router, which I want to connect me to pcA (port forwarding and DNAT).
So, from pcC type: ssh 192.168.0.105 and connect to pcA.
# Policies: pcB accepts its own traffic; forwarding is denied unless a rule below allows it.
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# An alias such as eth0:left is not an interface iptables can match on (-i/-o only ever
# see eth0, so rules written against the alias never match), so the two forwarding rules
# match on the addresses of the left side instead.
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.0/24 --dport 22 -j ACCEPT
(or this instead: iptables -A FORWARD -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT)