Need help with iptables routing
Hello guys,
I am facing some difficulties creating some iptables rules and would appreciate some help.

Diagram

So this is the diagram. I have 2 servers and one VM. On server 1 I have 2 public IPs. I use the main one for the server itself, but the second one is free. On server 2 I have just one IP. I want the VM to have a public IP, so basically I want to route all traffic from 1.1.1.2 to the VM machine (4.4.4.5) on server 2. So, for example, if I open PuTTY and give the address 1.1.1.2, port 22, I am logging in directly to 4.4.4.5, port 22. In the other direction I want 4.4.4.5 to route to 1.1.1.2 and then to the internet. The idea is for VM1 to operate with 1.1.1.2 as if it were its own IP. I would appreciate some help with the iptables rules. Thanks
Hi, and welcome to LinuxQuestions :)
Configuring and managing iptables is not my area of expertise, sorry. You'll need assistance from members here who have that experience, so until they chime in, hang in there and try some of these links. You should also mention which distribution you are running. Good luck to you :)
http://www.thegeekstuff.com/2011/06/...ules-examples/
http://www.cyberciti.biz/tips/linux-...-examples.html
https://www.digitalocean.com/communi...s-and-commands
https://wiki.archlinux.org/index.php/iptables
Is server1 going to be used as a router for the entire network? You also need to take routing into consideration (you probably need static routes), which you don't set up in iptables but with the ip command (or route, which is slightly deprecated).
What do you mean by saying that on server 2 you have only one IP?
From the diagram, I'd infer that you have 2 IPs (2.2.2.2 and 4.4.4.4), and you should have a third IP for the 3.3.3.3 network. And probably another interface? Or a second IP on the same interface for the private LAN?
Thanks for the answer. I checked out the links, as well as many others, during the last 3 days. I have had some partial success, but overall it is not working.
The idea is that I make an ssh/http request to 1.1.1.2 and 4.4.4.5 answers the request. Also, if I check my external public IP from 4.4.4.5 via "wget http://ipinfo.io/ip -qO -", for example, I want to get 1.1.1.2, so all traffic to the internet is routed via 1.1.1.2.
3.3.3.3 is shown as the address on eth0 on server2. I guess I am assigned it by DHCP from the host. 4.4.4.4 is the bridge I use in order to connect to the VM. BTW, all machines are Debian.
Or is it secondary only in a conventional way, as it's eth0:0?
vincix: Thanks for joining the thread :)
1.1.1.1 is the main public address on eth0. I want to use it for http, for example. 1.1.1.2 is on eth0:0 and it is secondary/spare. This is the one I want to use on the VM hosted on server2.
Seems simple enough. You are going to have to DNAT 1.1.1.2:22 to 4.4.4.5:22 on Server1.
DNAT takes place in the nat table's PREROUTING chain on Server1:
Code:
iptables -t nat -A PREROUTING -i eth0 -d 1.1.1.2 -p tcp --dport 22 -j DNAT --to-destination 4.4.4.5
Then allow the forwarded connection through the filter table:
Code:
iptables -A FORWARD -i eth0 -p tcp -d 4.4.4.5 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
And you are going to need the POSTROUTING rule for return traffic, also on Server1:
Code:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 4.4.4.5 --sport 22 -j SNAT --to-source 1.1.1.2
Please keep in mind the above is only from memory, so you might want to double-check the rules to ensure they will work properly in your environment. There may be mistakes in them; I have not verified them myself.
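As an added worked example (not code posted by anyone in the thread), here is a complete Server1 setup script that ties together the pieces discussed above: the static route to the VM network, the nat PREROUTING/POSTROUTING rules, and the FORWARD filter. Assumptions not stated on the page: Server2 is reached from Server1 as 3.3.3.3, VM1 sits on 4.4.4.0/24 behind it, and the VM should expose only ssh and http to the internet. Note that conntrack un-NATs the replies to DNAT'd connections by itself; the SNAT rule here is what gives connections originated by the VM 1.1.1.2 as their source address, which is the second half of the original question.

```shell
#!/bin/sh
# Added example for Server1: forward the spare public IP 1.1.1.2 to VM1
# (4.4.4.5) on Server2 and make VM1's outbound traffic leave as 1.1.1.2.
# Assumed (not given in the thread): Server2 is 3.3.3.3 from Server1's
# point of view and VM1 lives on the 4.4.4.0/24 bridge behind it.

PUB_IF=eth0
PUB_IP=1.1.1.2
VM_IP=4.4.4.5
VM_NET=4.4.4.0/24
SERVER2=3.3.3.3
VM_PORTS=22,80   # services the VM should expose (assumed: ssh and http)

# Print each command instead of running it when DRY_RUN is set, so the
# rule set can be reviewed before it touches a live firewall.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

server1_rules() {
    # Server1 has to forward packets at all.
    run sysctl -w net.ipv4.ip_forward=1

    # Routing is not iptables: Server1 must know the VM network is behind Server2.
    run ip route replace "$VM_NET" via "$SERVER2"

    # nat/PREROUTING: only packets addressed to the spare IP are rewritten to
    # the VM. Matching on -d keeps ssh to the server's own 1.1.1.1 untouched.
    # No port filter here; exposure is controlled in the filter table below.
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$PUB_IP" -j DNAT --to-destination "$VM_IP"

    # nat/POSTROUTING: connections the VM opens itself leave as 1.1.1.2.
    # Replies to DNAT'd connections are already handled by conntrack.
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s "$VM_IP" -j SNAT --to-source "$PUB_IP"

    # filter/FORWARD: established flows both ways, new inbound connections
    # only to the VM's published ports, new outbound from the VM, drop the rest.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$PUB_IF" -d "$VM_IP" -p tcp -m multiport --dports "$VM_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -s "$VM_IP" -o "$PUB_IF" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -d "$VM_IP" -j DROP
}

# Apply (as root) or review (DRY_RUN=1) when the script is run directly
# under its own file name; sourcing it only defines the functions.
case "${0##*/}" in
    server1-nat.sh) server1_rules ;;
esac
```

Run it as "DRY_RUN=1 sh server1-nat.sh" to print the commands for review, then as root to apply them. One routing caveat: for the VM's own traffic to really leave as 1.1.1.2, Server2 must forward 4.4.4.0/24 traffic towards Server1 rather than NAT it out through its own public address; otherwise the wget check mentioned in the thread will show Server2's address instead (assumed topology).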
If you re-read my post, I stated towards the end that you have to ensure Server1 knows how to reach VM1. This can be done with routing. Add a route for 4.4.4.0/24 (assuming that this network is a class C) on Server1 pointing to Server2. Now Server1 knows how to get to VM1.
Hi all.
Can someone help me with this: I have 3 virtual machines with Ubuntu, that is, 3 computers. On the left is pcA, 10.0.0.4 on eth0. It has a default route to 10.0.0.1. Then pcB, which is the router: eth0 is 192.168.0.105, and I created the virtual interface eth0:left with 10.0.0.1. On the right is pcC, 192.168.0.106. It doesn't have a route to the network 10.0.0.0/24. I want to ssh from pcC to pcA, actually to the router, which I want to connect me on to pcA (port forwarding and DNAT). So, from pcC I type "ssh 192.168.0.105" and connect to pcA.
Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0:left -o eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0:left -p tcp --dport 22 -j ACCEPT
(or this instead: iptables -A FORWARD -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.4:22
echo 1 > /proc/sys/net/ipv4/ip_forward
It won't work unless:
Code:
iptables -P FORWARD ACCEPT
So I guess something is not OK with the FORWARD chain... I've lost 3 hours on this already. Thanks in advance.
Welcome to LQ, griswold27. Rather than taking over me3ka86's thread for your issue, it would be better for you to start your own thread.