Need help with iptables routing
 

Hello guys,

i am facing some difficulties creating some iptables rules. I would appreciate some help

Diagram

So this is the diagram. I have 2 servers and one VM. On server 1 i have 2 public ips. I use the main for the server itself but the second one is free. On server 2 i have just one ip. I want the VM to have public IP so basically I want to route all traffic from 1.1.1.2 to vm machine(4.4.4.5) on server2. So for example if i open putty and give address 1.1.1.2 port 22 i am logging directly to 4.4.4.5 port 22. On the other side i want 4.4.4.5 to route to 1.1.1.2 and then to internet. The idea being VM1 to operate with 1.1.1.2 as if it is its own IP. I would appreciate some help with the iptables rules. Thanks

Hi: & Welcome to Linux Questions-:)

Configuring and managing iptables is not my area of expertise; sorry:-

You'll need the assistance from members here that have that experience. So until they chime in hang in there and try some of these links. You should mention what distribution you are running.
Good Luck to you-:)

http://www.thegeekstuff.com/2011/06/...ules-examples/
http://www.cyberciti.biz/tips/linux-...-examples.html

https://www.digitalocean.com/communi...s-and-commands
https://wiki.archlinux.org/index.php/iptables

There are several things to take into consideration. On the one hand, it's the NAT. You're going to need to use SNAT for the private LANs.

Is server1 going to be used as a router for the entire network?

You also need to take into consideration routing (you probably need to use static routes), which you don't set up in iptables, but with the ip command (or route, which is slightly deprecated).

What do you mean by saying that on server 2 you have only one ip?
From the diagram, I'd infer that you have 2 IPs (2.2.2.2 and 4.4.4.4), and you should have a third IP for the 3.3.3.3 network. And probably another interface? Or a second ip on the same interface for the private LAN?

Thanks for the answer. I checked out the links as many others during the last 3 days. I have some partial success, but overall not working.

Yes, the second ip is going to be used as router.

the idea being

i make ssh/http request to 1.1.1.2 and 4.4.4.5 answers the request
also if i check out my external public ip from 4.4.4.5 via "wget http://ipinfo.io/ip -qO -" for example i want to get 1.1.1.2, so all traffic to internet is routed via 1.1.1.2

2.2.2.2 is public address of server2
3.3.3.3 is shown as address on eth0 on server2. i guess i am assigned by dhcp from host
4.4.4.4 is bridge i use in order to connect to vm

btw all machines are debian

All right, so what are you going to use 1.1.1.1 for then? On the diagram it says that it's the main ip, but from what you're saying, it's seems to be the secondary ip.

Or is it secondary only in a conventional way, as it's eth0:0?

You're Welcome-

vincix:
Thanks for joining the thread-:)

1.1.1.1 is the main public address on eth0. i want to use it for http for example
1.1.1.2 is on eth0:0 and it is secondary/spare. this is the one i want to use on the vm hosted on server2

Seems simple enough. You are going to have to DNAT 1.1.1.2:22 to 4.4.4.5:22 on Server1.

DNAT will take place in the PREROUTE rules on Server1
And make sure you have the proper rule in your FORWARD rules on Server1 (I am hoping you have a rule for ESTABLISHED,RELATED already)
You are also going to need a FORWARDing rule on Server2. I'll let you figure out how you want that rule to look.


And you are going to need the postroute rule for return traffic also on Server1
You are going to have to ensure that Server1 knows how to get to VM1 via route.

Please keep in mind the above is only from memory so you might want to double check the rules to ensure they will work properly in your environment. There maybe mistakes in them I have not verified them myself.

Thanks for the answer with examples! Isnt that overly simplified though? How does 1.1.1.2 know where 4.4.4.5 is? Should we first DNAT to server2 and then server2 DNAT to 4.4.4.5?

Yes, it simply works. As to double DNAT I try and stay away from that. Less problems when troubleshooting. and once you are in the internal network everything should already know how to get to ever other node on the network.

If you will re-read my post I stated there towards the end that you have to ensure Server1 knows how to reach VM1. This can be done with routing. Add a route for 4.4.4.0/24 (assuming that this network is a class C) to Seerver1 pointing to Server2 Now Server1 knows how to get to VM1.

Hi all.
Can someone help me on this:
I have 3 virtual machines with ubuntu; that is 3 computers.
Left is pcA 10.0.0.4 eth0. It has default route to 10.0.0.1.
Then pcB which is router. eth0 192.168.0.105, and i created virtual interface eth0:left 10.0.0.1.
Right is 192.168.0.106 pcC. It doesnt have a route to network 10.0.0.0/24.
I want to ssh from pcC to pcA , actually to router which i want to conect me to pcA (port fowrading and DNAT)
so, from pcC type: ssh 192.168.0.105 and connect to pcA.

iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0:left -o eth0 -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0:left -p tcp --dport 22 -j ACCEPT
(or this instead: iptables -A FORWARD -p tcp -d 10.0.0.4 --dport 22 -j ACCEPT)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.4:22
echo 1 > /proc/sys/net/ipv4/ip_forward

It wont work, unless : iptables -P FORWARD ACCEPT
So i guess something is not ok with FORWARD chains...

I'v lost 3 hours on this already..

tnx in advance

Welcome to LQ griswold27.

-::-Rather than take over/use me3ka86 thread for your issue it would be better for you to start your own thread.-::-