Old 12-27-2010, 06:53 AM   #1
ThelenShar
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Rep: Reputation: 0
Public IP routing, possible NAT guest onto host?


I have a server with 4 publicly routable IPs, and I want to put 4 VMs on it and have them each with a public IP. Is this possible? I would assume with clever NAT I could do it, but I am not sure (even less sure what VM solutions support it).

Otherwise, I will only be able to have 3 VMs, as 1 IP is used by the host, which would require buying more IPs.

Last edited by ThelenShar; 12-27-2010 at 11:14 PM.
 
Old 12-27-2010, 07:59 AM   #2
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,278

Rep: Reputation: 148
If your server has the capacity (memory, CPU and disk), you can run 4 VMs with private IPs and NAT each local VM IP to its respective public IP on the default gateway, from where the local traffic is routed to the internet (maybe it could be a router).
 
Old 12-27-2010, 02:13 PM   #3
telecom_is_me
Member
 
Registered: Jun 2008
Location: Upstate NY
Distribution: Fedora on the desk / Gentoo in the Racks
Posts: 36

Rep: Reputation: 15
You can apply multiple public IPs to the same interface on your host system by simply adding virtual interfaces with ifconfig. As in, "ifconfig eth0 192.168.1.2", "ifconfig eth0:1 192.168.1.3", "ifconfig eth0:2 192.168.1.4" and so on. This enables one physical interface to have multiple IPs. Now yes, it's true that there are better ways of doing this, but the fact is that this works quick and simple. As for binding the interfaces to your virtual machines, that's a much more involved question and depends on what virtualization system you're using.
 
Old 12-27-2010, 11:13 PM   #4
ThelenShar
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Original Poster
Rep: Reputation: 0
Neither of you understands what I want to do, sadly.
 
Old 12-28-2010, 12:02 AM   #5
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
or maybe you aren't understanding the answer given?

it would be the HOST operating system that does the NAT translation, not the VM guests

you could do something like this
Code:
#!/bin/bash
WANIF='eth0'
WANMASK='255.255.255.0'
# Extra public IPs as aliases on the WAN interface
ifconfig "$WANIF:1" X.X.X.106 netmask "$WANMASK"
ifconfig "$WANIF:2" X.X.X.107 netmask "$WANMASK"
ifconfig "$WANIF:3" X.X.X.108 netmask "$WANMASK"

# Inbound: rewrite port 80 on each public IP to the matching VM
iptables -t nat -p tcp -m tcp --dport 80 -I PREROUTING -d X.X.X.105 -j DNAT --to Y.Y.Y.19:80
iptables -t nat -p tcp -m tcp --dport 80 -I PREROUTING -d X.X.X.106 -j DNAT --to Y.Y.Y.20:80
iptables -t nat -p tcp -m tcp --dport 80 -I PREROUTING -d X.X.X.107 -j DNAT --to Y.Y.Y.21:80
iptables -t nat -p tcp -m tcp --dport 80 -I PREROUTING -d X.X.X.108 -j DNAT --to Y.Y.Y.22:80

# FORWARD is evaluated after the PREROUTING DNAT, so match the translated (private) destination
iptables -I FORWARD -d Y.Y.Y.19 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d Y.Y.Y.20 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d Y.Y.Y.21 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d Y.Y.Y.22 -p tcp --dport 80 -j ACCEPT

# Outbound: each VM leaves with its own public IP as the source
iptables -t nat -I POSTROUTING -s Y.Y.Y.19 -j SNAT --to X.X.X.105
iptables -t nat -I POSTROUTING -s Y.Y.Y.20 -j SNAT --to X.X.X.106
iptables -t nat -I POSTROUTING -s Y.Y.Y.21 -j SNAT --to X.X.X.107
iptables -t nat -I POSTROUTING -s Y.Y.Y.22 -j SNAT --to X.X.X.108

X.X.X.105 is assumed to be the actual eth0 IP address
the scripts shown here are used on a dd-wrt router, so the first lines specifying the interface and defining the virtual IPs would probably be better done in /etc/network/interfaces (or equivalent for fedora), but the rest is generic enough that it should run on almost ANY *NIX setup that uses iptables

replacing the X.X.X addresses with the PUBLIC IP addresses
and the Y.Y.Y addresses with the PRIVATE IP addresses of the virtual machines
and of course you would repeat the lines from the first two sections for each combination of public addr/private addr/port (one port per public IP)

of course the above assumes that the VMs are web servers (port 80), but you could easily change the port numbers to suit whatever services are running on each, of course if one is a web server, one a mail server, and one an ftp server then with the above setup you only would in theory need one public ip

Code:
#!/bin/bash
# Inbound: one public IP, one service port per VM
iptables -t nat -p tcp -m tcp --dport 80 -I PREROUTING -d X.X.X.105 -j DNAT --to Y.Y.Y.19:80
iptables -t nat -p tcp -m tcp --dport 21 -I PREROUTING -d X.X.X.105 -j DNAT --to Y.Y.Y.20:21
iptables -t nat -p tcp -m tcp --dport 25 -I PREROUTING -d X.X.X.105 -j DNAT --to Y.Y.Y.21:25
iptables -t nat -p tcp -m tcp --dport 110 -I PREROUTING -d X.X.X.105 -j DNAT --to Y.Y.Y.22:110

# FORWARD is evaluated after the PREROUTING DNAT, so match the translated (private) destination
iptables -I FORWARD -d Y.Y.Y.19 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d Y.Y.Y.20 -p tcp --dport 21 -j ACCEPT
iptables -I FORWARD -d Y.Y.Y.21 -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d Y.Y.Y.22 -p tcp --dport 110 -j ACCEPT

# Outbound: all VMs share the single public IP as the source
iptables -t nat -I POSTROUTING -s Y.Y.Y.19 -j SNAT --to X.X.X.105
iptables -t nat -I POSTROUTING -s Y.Y.Y.20 -j SNAT --to X.X.X.105
iptables -t nat -I POSTROUTING -s Y.Y.Y.21 -j SNAT --to X.X.X.105
iptables -t nat -I POSTROUTING -s Y.Y.Y.22 -j SNAT --to X.X.X.105

the above are scripts that would have to be run every time the computer boots


this splits multiple incoming ports from the same IP address to each virtual machine
either way can be done but either way as i mentioned, NAT is the responsibility of the HOST (the os running on the REAL machine) to act as the traffic cop so to speak that directs the traffic to the proper VIRTUAL machines

this is assuming you are using a LINUX based os for your host OS, if you are using windows as your host os, good luck

(yes I'm sure someone will pick the above scripts apart and find something wrong, but you get the general idea i hope)

Last edited by frieza; 12-28-2010 at 12:40 AM.
 
Old 12-28-2010, 02:23 AM   #6
ThelenShar
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Original Poster
Rep: Reputation: 0
*sigh*

I shouldn't have mentioned NAT, everyone seems to be getting caught up in that >_<

We don't need/want any NAT for 3 of the public IPs, they can just be routed normally to the VM without fiddling.

The problem is, the VM host needs an IP address, meaning that somehow the last VM will need to be NAT'd or something, such that it can 'be' the host IP.

I am assuming I can just change the ports for the host server (ssh, ftp, VM control port etc) to something else (say in 60k range), but outside of that we don't want to have to manually NAT everything from guest 4. ie, 1-59999 will be NAT'd automatically.

I think there isn't a very simple or clean solution, it might just require purchasing more IPs (which sadly costs over $100USD a month >_<)
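
The arrangement described in this post (the host keeps a few high ports on the shared public IP and every other port goes to guest 4) can be expressed as ordered nat rules. This is an added example, not part of any poster's reply; the function name, interface, addresses and reserved ports are assumptions, and the script only prints the rules instead of applying them.

```shell
#!/bin/bash
# Added example: prints (does not apply) iptables rules that let the host and
# one guest share a single public IP. All names and addresses are placeholders.

# Usage: gen_shared_ip_rules WAN_IF PUBLIC_IP GUEST_IP HOST_PORT...
gen_shared_ip_rules() {
    local wan_if="$1" public_ip="$2" guest_ip="$3"
    shift 3
    local port proto

    if [ $# -eq 0 ]; then
        echo "error: reserve at least one host port or the host is unreachable" >&2
        return 1
    fi
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "error: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "error: port out of range: $port" >&2; return 1
        fi
    done

    for proto in tcp udp; do
        # Reserved ports leave the nat chain untranslated, so they reach the host.
        for port in "$@"; do
            echo "iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p $proto --dport $port -j RETURN"
        done
        # Everything else addressed to the shared IP is rewritten to the guest.
        echo "iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p $proto -j DNAT --to-destination $guest_ip"
    done
    # FORWARD sees the post-DNAT destination, so it matches the guest's private IP.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -d $guest_ip -j ACCEPT"
    echo "iptables -A FORWARD -o $wan_if -s $guest_ip -j ACCEPT"
    # Outbound guest traffic leaves with the shared public address as its source.
    echo "iptables -t nat -A POSTROUTING -o $wan_if -s $guest_ip -j SNAT --to-source $public_ip"
}

# Constructed sample values (documentation address range), dry run only.
gen_shared_ip_rules eth0 203.0.113.105 192.168.122.22 60022 60021
```

Because every non-reserved port on the shared address then lands on guest 4, that guest needs its own packet filter, and the host's management daemons must already listen on the reserved ports before the rules are applied.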
 
Old 12-28-2010, 11:29 AM   #7
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,233

Rep: Reputation: 406
if that's the case then you probably just need to create a bridged interface between the real network card and the virtual network card, that way the virtual nics are directly exposed to the lan. but what i was describing was more along the lines of port forwarding, which leaves any other port not assigned to the vms open to the host, and nat isn't a manual process per se other than configuring the script and setting it to run on boot, after that it's automated

Last edited by frieza; 12-28-2010 at 11:32 AM.
 
Old 12-28-2010, 11:31 PM   #8
ThelenShar
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Original Poster
Rep: Reputation: 0
Yea I would want the VM to have all the ports though, bar maybe a couple on the host.

Looks like I just need to buy another IP >_<
 
  

