- 09-11-2009 #1
iptables question
I'm a bit stuck on this so hopefully someone can nudge me in the right direction.
I have a debian linux server running a couple of VMs. I have a /28 routed to my linux server. Using iptables and NAT, I have each VM with its own IP on that /28 and I can ping the public IP just fine externally.
The problem is this. When I try to ping the public IP of one of the VMs from the linux server, it fails. Instead of being translated by NAT it just tries to access the public IP, so it goes out the default route of the linux server, and then the router redirects it back to the linux server and it never reaches its destination.
I realize I can just add a hosts entry that translates the hostname of the VM to its IP on the internal network, but I'd really like to do it all with iptables if possible since I'm just trying to learn as much as possible.
Here is the relevant portion of my iptables script so far, which is on the linux server (VM HOST). Take 1.2.3.4 as the example public IP of a VM. So, I can ping 1.2.3.4 from another server, but I can't ping 1.2.3.4 from the linux server (VM Host) itself.
Code:
#!/bin/sh
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush old rules
iptables --flush
iptables --delete-chain
iptables -t nat --flush
# Allow loopback
iptables -t nat -A PREROUTING -j ACCEPT -i lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -j ACCEPT -o lo
# mail - public IP 1.2.3.4 - internal IP 10.1.1.2
iptables -A PREROUTING -t nat -d 1.2.3.4 -j DNAT --to 10.1.1.2
iptables -A POSTROUTING -t nat -s 10.1.1.2 -j SNAT --to 1.2.3.4
- 09-11-2009 #2
Where is this firewall located? How many interfaces on this box with the firewall? Because you didn't post your complete rules, it could be something else causing your problems in another rule. If you have more than one interface then you should really clean this up.
Maybe a diagram of your network layout would help also.
Here is a TUTORIAL for IPTABLES
- 09-11-2009 #3
I'll try and get a diagram made up shortly. It's fairly basic. One NIC on the linux server. Two interfaces, eth0 for the external and vmnet8 for the internal.
That's it for my iptables rules right now. I've taken everything else out so I'm not blocking anything. I figure once I get the basics down, I'll work on restrictions.
- 09-12-2009 #4
OK, let's start by getting rid of rules you don't need and correcting the ones you do.
Remove the line below. You don't need it and there is no routing of lo.
Code:
iptables -t nat -A POSTROUTING -j ACCEPT -o lo
Now we need to change the following from
Code:
# mail - public IP 1.2.3.4 - internal IP 10.1.1.2
iptables -A PREROUTING -t nat -d 1.2.3.4 -j DNAT --to 10.1.1.2
iptables -A POSTROUTING -t nat -s 10.1.1.2 -j SNAT --to 1.2.3.4
To this
Code:
# mail - public IP 1.2.3.4 - internal IP 10.1.1.2
iptables -t nat -A PREROUTING -i eth0 -d 1.2.3.4 -j DNAT --to-destination 10.1.1.2
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- 09-12-2009 #5
Thanks. OK, with those changes in place, for the results below:
1.1.1.1 = My Linux Server (VM HOST where iptables is running)
2.2.2.2 = The router
1.2.3.4 = Mail Server VM (Public IP)
From 1.1.1.1, trying to ping 1.2.3.4:
PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.
From 2.2.2.2: icmp_seq=2 Redirect Host(New nexthop: 1.1.1.1)
From 2.2.2.2: icmp_seq=3 Redirect Host(New nexthop: 1.1.1.1)
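The redirects above are what you get when the host's own ping to 1.2.3.4 leaves via the default route: packets a host generates never traverse nat PREROUTING, only nat OUTPUT, so a PREROUTING-only DNAT rule cannot hairpin them. The Python below is an added toy model of that traversal, not code from the thread; it uses the thread's addresses and assumes a 10.1.1.0/24 vmnet8 subnet with everything else routed via eth0.

```python
# Added model (not from the thread) of how the kernel walks the nat table on
# two paths: a packet arriving on eth0 (PREROUTING -> routing -> POSTROUTING)
# and a packet generated on the host itself (OUTPUT -> routing -> POSTROUTING).
from ipaddress import ip_address, ip_network

VM_NET = ip_network("10.1.1.0/24")   # assumed vmnet8 subnet
HOST_PUBLIC = "1.1.1.1"              # the VM host (post #5)

def route(dst):
    """Simplified routing table: VM subnet via vmnet8, everything else via eth0."""
    return "vmnet8" if ip_address(dst) in VM_NET else "eth0"

def apply_chain(rules, chain, pkt):
    """Walk one nat chain; the first matching rule rewrites src or dst."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if any(r.get(k) and r[k] != pkt.get(k) for k in ("in", "out", "src", "dst")):
            continue
        pkt["dst" if r["target"] == "DNAT" else "src"] = r["to"]
        break                             # nat chains stop at the first match
    return pkt

def traverse(rules, pkt):
    """Return (outgoing interface, final destination) for one packet."""
    # Locally generated packets never see PREROUTING; they hit nat OUTPUT.
    apply_chain(rules, "PREROUTING" if pkt.get("in") else "OUTPUT", pkt)
    pkt["out"] = route(pkt["dst"])        # routing decision uses the DNATed dst
    apply_chain(rules, "POSTROUTING", pkt)
    return pkt["out"], pkt["dst"]

# The two NAT rules from post #1 (same matches, represented as dicts).
PREROUTING_ONLY = [
    {"chain": "PREROUTING", "dst": "1.2.3.4", "target": "DNAT", "to": "10.1.1.2"},
    {"chain": "POSTROUTING", "src": "10.1.1.2", "target": "SNAT", "to": "1.2.3.4"},
]
# Same rules plus the chain host-originated traffic actually traverses, i.e.
# 'iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to-destination 10.1.1.2'.
WITH_OUTPUT_DNAT = PREROUTING_ONLY + [
    {"chain": "OUTPUT", "dst": "1.2.3.4", "target": "DNAT", "to": "10.1.1.2"},
]

def ping_from_outside(rules):
    """Echo request arriving on eth0 from a remote host (constructed address)."""
    return traverse(rules, {"in": "eth0", "src": "203.0.113.9", "dst": "1.2.3.4"})

def ping_from_host(rules):
    """Echo request sent by the VM host itself, as in post #5."""
    return traverse(rules, {"src": HOST_PUBLIC, "dst": "1.2.3.4"})
```

With the thread's rules, ping_from_host returns ("eth0", "1.2.3.4"), i.e. the packet is handed to the router untranslated; with the OUTPUT rule it returns ("vmnet8", "10.1.1.2").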
- 09-12-2009 #6
OK, how about real IP addresses. I have no idea what is happening, as 1.1.1.1 and 2.2.2.2 don't tell me a thing.
Is 1.1.1.1 private address space?
Is 2.2.2.2 private address space?
If they are then please post what range you are using.
And don't forget that diagram.