Hi.
I'm running two LXC containers on a VPS machine. The first one (192.168.1.2) is running an OpenVPN server while the second one (192.168.1.4) is running a web server.
Until now I used only the OpenVPN LXC and had these iptables rules for forwarding the traffic:
Code:
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:07:58 2017
*filter
:INPUT ACCEPT [1189211:150089991]
:FORWARD ACCEPT [902865:826112449]
:OUTPUT ACCEPT [1324099:212970374]
COMMIT
# Completed on Fri Apr 28 16:07:58 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:07:58 2017
*nat
:PREROUTING ACCEPT [36:1998]
:INPUT ACCEPT [17:858]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Now that I want to set up the web server, I added this iptables rule in order to forward HTTP traffic to the web server container.
Code:
iptables -t nat -A PREROUTING -p tcp -m conntrack --ctstate NEW --dport 80 -j DNAT --to-destination 192.168.1.4:80
The thing is that while the forwarding to port 80 seems to work (I can visit nginx's welcome page), OpenVPN clients don't have a proper internet connection (although they can ping the outside world). By this I mean that sites load very slowly and some others don't load at all (it seems that HTTP traffic is getting lost somewhere). If I remove the above rule, everything in the OpenVPN client connection works as expected.
P.S.: The final rules are these
Code:
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:39:24 2017
*filter
:INPUT ACCEPT [1190228:150215153]
:FORWARD ACCEPT [902877:826113261]
:OUTPUT ACCEPT [1325229:213163664]
COMMIT
# Completed on Fri Apr 28 16:39:24 2017
# Generated by iptables-save v1.4.21 on Fri Apr 28 16:39:24 2017
*nat
:PREROUTING ACCEPT [1:44]
:INPUT ACCEPT [1:44]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 28 16:39:24 2017
Are these rules that I've set correct? What's your opinion? Any idea is welcome.
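The port-80 DNAT rule in the post carries no `-i` or `-d` match, so it applies to every new TCP connection to port 80 that enters the host's nat/PREROUTING chain, whichever interface it came in on. Connections that the host forwards on behalf of the OpenVPN container (VPN clients browsing the web) enter from the container bridge and pass through the same chain. The model below, an added example that is not code from the original post, parses the posted rules in iptables-save syntax and evaluates them, alongside a version restricted to the public interface and address, against constructed flows. The public address 203.0.113.10, the bridge name lxcbr0, the VPN client subnet 10.8.0.0/24 and the remote site 198.51.100.80 are assumptions made up for the example.

```python
"""Minimal model of iptables nat/PREROUTING DNAT matching.

Added example, not code from the original post. It parses DNAT rules in
iptables-save syntax (only the options used here) and evaluates them against
constructed packets to show which flows each ruleset rewrites.

Assumptions (constructed, not from the post): the VPS public address is
203.0.113.10, the containers hang off a bridge named lxcbr0, VPN clients use
10.8.0.0/24, and the remote web site is 198.51.100.80.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """First packet of a new connection as seen by nat/PREROUTING."""
    iif: str    # interface it arrived on
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class DnatRule:
    iif: str | None
    dst: ipaddress.IPv4Network | None
    proto: str | None
    dport: int | None
    target: str  # "ip:port" given to --to-destination

    @classmethod
    def parse(cls, line: str) -> "DnatRule":
        """Parse one '-A PREROUTING ... -j DNAT --to-destination X' line."""
        toks = shlex.split(line)
        iif = dst = proto = dport = target = None
        i = 0
        while i < len(toks):
            opt = toks[i]
            if opt in ("-A", "-m", "-j"):   # chain, match module, target name
                i += 2
            elif opt == "-i":
                iif = toks[i + 1]; i += 2
            elif opt == "-d":
                dst = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
            elif opt == "-p":
                proto = toks[i + 1]; i += 2
            elif opt == "--dport":
                dport = int(toks[i + 1]); i += 2
            elif opt == "--ctstate":
                # The nat table only sees the first packet of a connection,
                # so '--ctstate NEW' restricts nothing here; accept and ignore.
                i += 2
            elif opt == "--to-destination":
                target = toks[i + 1]; i += 2
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
        if target is None:
            raise ValueError(f"no --to-destination in {line!r}")
        return cls(iif, dst, proto, dport, target)

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.iif is None or self.iif == pkt.iif)
            and (self.dst is None or ipaddress.ip_address(pkt.dst) in self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
        )


def prerouting(rules: list[str], pkt: Packet) -> str:
    """Destination 'ip:port' after the first matching DNAT rule (first match wins)."""
    for rule in map(DnatRule.parse, rules):
        if rule.matches(pkt):
            return rule.target
    return f"{pkt.dst}:{pkt.dport}"   # no match: destination unchanged


# Rules exactly as posted: the port-80 rule has no -i / -d restriction.
POSTED = [
    "-A PREROUTING -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194",
    "-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80",
]

# Same forwards, limited to connections arriving on the public interface for the
# assumed public address, so traffic the host forwards from the bridge is untouched.
RESTRICTED = [
    "-A PREROUTING -i eth0 -d 203.0.113.10 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194",
    "-A PREROUTING -i eth0 -d 203.0.113.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80",
]

# Constructed sample flows.
INBOUND_WEB = Packet("eth0", "198.51.100.7", "203.0.113.10", "tcp", 80)
INBOUND_VPN = Packet("eth0", "198.51.100.7", "203.0.113.10", "udp", 1194)
# A VPN client browsing: leaves the OpenVPN container over the bridge and is
# forwarded by the host, so it traverses the host's PREROUTING as well.
VPN_CLIENT_HTTP = Packet("lxcbr0", "10.8.0.6", "198.51.100.80", "tcp", 80)


def where_does_it_go(rules: list[str]) -> dict[str, str]:
    return {
        "inbound web": prerouting(rules, INBOUND_WEB),
        "inbound vpn": prerouting(rules, INBOUND_VPN),
        "vpn client http": prerouting(rules, VPN_CLIENT_HTTP),
    }


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("restricted", RESTRICTED)):
        print(name)
        for flow, dest in where_does_it_go(rules).items():
            print(f"  {flow:16} -> {dest}")
```

With the posted rules the VPN client's connection to 198.51.100.80:80 is rewritten to 192.168.1.4:80, so the client talks to the local nginx instead of the site it asked for; with the restricted rules only connections arriving on eth0 for the public address are redirected. On a real host the equivalent check is the per-rule packet counters from `iptables -t nat -L PREROUTING -v -n` while a VPN client browses: the port-80 counter should not move for that traffic.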