Routing incoming traffic to NAT'ed VM on a hired dedicated server

merlininthewood · 05-21-2010, 07:03 AM

Here's my situation:

I have set up a Virtual machine on a dedicated server from 1and1. I hoped to use a bridge to give the vm direct access to the internet but 1and1 do mac filtering and so the only option is to use NAT.

I used Virtual Machine Manager on my Ubuntu 10.04 machine at home to install Debain Lenny on the vm on the server using KVM and all went well. I put it on a virtual network 192.168.100.0 and i can access it from the host and i can access the internet from the guest using NAT that libvirt set-up.

I bought another ip address from 1and1 with the hope of forwarding packets to the new ip address 11.22.33.02 to the guest vm.

I have tried all sorts of routing rules using iptables without any success.

my virtual network is on virbr1
the guest ip is 192.168.100.50
my external network device is ip say 11.22.33.01 on eth0
with the secondary ip say 11.22.33.02 on eth0:1

Here are the latest rules i tried:

Quote:

iptables -t nat -A PREROUTING -d 11.22.33.02 -i eth0 -j DNAT --to-destination 192.168.100.50
iptables -t nat -A POSTROUTING -s 192.168.100.50 -o eth0 -j SNAT --to-source 11.22.33.02
iptables -A FORWARD -p tcp -i eth0 -o virbr1 -d 192.168.100.50 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -t nat -L
then gives me

Quote:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere 11.22.33.02 to:192.168.100.50

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.100.0/24 !192.168.100.0/24
SNAT all -- 192.168.100.50 anywhere to:11.22.33.02

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and
#iptables -L FORWARD

Quote:

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.100.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.100.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere 192.168.100.50 state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

But i can't access the vm from the internet on 11.22.33.02 the packets get lost

What am i missing? I have looked around the internet for ages but not found any guidence on this type of setup that has worked. I am no expert on iptables and have only tried other peoples setups who are in similar situations.

Any help will be much appreciated!!

HasC · 05-21-2010, 01:40 PM

I think it's best to try from the ground up:

Code:

$ iptables -t nat -I PREROUTING -d 11.22.33.02 -i eth0 -j DNAT --to 192.168.100.50
$ iptables -I FORWARD -p tcp -i eth0 -d 192.168.100.50 -j ACCEPT
$ iptables -I FORWARD -p tcp -o eth0 -s 192.168.100.50 -j ACCEPT

More permisive. And when you get it working, only then start adding restrictions (antispoofing and such)

And I've changed the "-A" (append) for "-I" (insert), so these new rules will be the first ones to evaluate.

merlininthewood · 05-21-2010, 03:30 PM

Code:

#/bin/sh
for ((  i = 0 ;  i <= 3;  i++  ))
do
  echo "Thankyou!"
done

I was tearing my hair out on this one. I did wonder whether using (I) insert to get the rule at the top of the table would make a difference. I still don't fully understand how iptables works (need to read up on it more) but i am grateful for a solution to this.

Is there anything I should be concerned about in terms of security with this set up? I trust (as much as you can) users on the host and the guest.

Thanks again

Merlin