  1. #1
    Just Joined!
    Join Date
    Sep 2009
    Posts
    3

    iptables question


    I'm a bit stuck on this so hopefully someone can nudge me in the right direction.

    I have a debian linux server running a couple of VMs. I have a /28 routed to my linux server. Using iptables and NAT, I have each VM with its own IP on that /28 and I can ping the public IP just fine externally.

    The problem is this. When I try to ping the public IP of one of the VMs from the linux server, it fails. Instead of being translated by NAT it just tries to access the public IP, so it goes out the default route of the linux server, and then the router redirects it back to the linux server and it never reaches its destination.

    I realize I can just add a hosts entry that translates the hostname of the VM to its IP on the internal network, but I'd really like to do it all with iptables if possible since I'm just trying to learn as much as possible.

    Here is the relevant portion of my iptables script so far that is on the linux server (VM HOST). Take 1.2.3.4 as the example public IP of a VM. So, I can ping 1.2.3.4 from another server, but I can't ping 1.2.3.4 from the linux server (VM Host) itself.

    Code:
    #!/bin/sh
    
    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # Flush old rules
    iptables --flush
    iptables --delete-chain
    iptables -t nat --flush
    
    
    # Allow loopback
    iptables -t nat -A PREROUTING -j ACCEPT -i lo
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -t nat -A POSTROUTING -j ACCEPT -o lo
    
    # mail - public IP 1.2.3.4 -  internal IP 10.1.1.2
    iptables -A PREROUTING -t nat -d 1.2.3.4 -j DNAT --to 10.1.1.2
    iptables -A POSTROUTING -t nat -s 10.1.1.2 -j SNAT --to 1.2.3.4
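As an added illustration (not from the thread, and not something the posters ran): a small Python model of which nat-table chains a packet traverses. It shows why the script above never translates the host's own pings: packets the host generates enter the nat table at the OUTPUT chain, not at PREROUTING, so a DNAT rule that lives only in PREROUTING is never consulted for them. The addresses are the thread's example ones (REMOTE is constructed); interface matching and connection tracking are left out, so only the first packet of each direction is modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    chain: str                    # nat-table chain: PREROUTING, OUTPUT or POSTROUTING
    target: str                   # DNAT, SNAT or ACCEPT
    dst: Optional[str] = None     # match on destination address (None = any)
    src: Optional[str] = None     # match on source address (None = any)
    to: Optional[str] = None      # translated address for DNAT / SNAT

    def matches(self, src: str, dst: str) -> bool:
        return (self.dst in (None, dst)) and (self.src in (None, src))

def run_chain(rules: List[Rule], chain: str, src: str, dst: str) -> Tuple[str, str]:
    """Apply the first matching rule of `chain` (nat chains stop at the first hit)."""
    for r in rules:
        if r.chain != chain or not r.matches(src, dst):
            continue
        if r.target == "DNAT":
            return src, r.to
        if r.target == "SNAT":
            return r.to, dst
        return src, dst           # ACCEPT: leave the packet untranslated
    return src, dst

def nat_path(rules: List[Rule], src: str, dst: str, local_origin: bool) -> Tuple[str, str]:
    """Return (src, dst) after the nat hooks this packet really traverses.
    Inbound / forwarded packets: PREROUTING -> POSTROUTING.
    Packets the host itself generates: OUTPUT -> POSTROUTING (PREROUTING is skipped)."""
    first = "OUTPUT" if local_origin else "PREROUTING"
    src, dst = run_chain(rules, first, src, dst)
    return run_chain(rules, "POSTROUTING", src, dst)

# Addresses from the thread; REMOTE is a constructed outside host.
HOST, PUBLIC, INTERNAL, REMOTE = "1.1.1.1", "1.2.3.4", "10.1.1.2", "203.0.113.9"

# The poster's rules: DNAT only in PREROUTING.
ORIGINAL = [Rule("PREROUTING", "DNAT", dst=PUBLIC, to=INTERNAL),
            Rule("POSTROUTING", "SNAT", src=INTERNAL, to=PUBLIC)]
# Same rules plus a DNAT in the nat OUTPUT chain, the hook host-generated traffic does hit.
HAIRPIN = ORIGINAL + [Rule("OUTPUT", "DNAT", dst=PUBLIC, to=INTERNAL)]

def destination_seen(rules: List[Rule], src: str, local_origin: bool) -> str:
    """Where a packet addressed to the VM's public IP actually ends up."""
    return nat_path(rules, src, PUBLIC, local_origin)[1]
```

On a real host the missing piece is a rule of the form `iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to-destination 10.1.1.2`; the reply direction is then reversed by connection tracking, which this model does not include.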

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Where is this firewall located? How many interfaces on this box with the firewall? Because you didn't post your complete rules, it could be something else causing your problems in another rule. If you have more than one interface then you should really clean this up.

    Maybe a diagram of your network layout would help also.

    Here is a TUTORIAL for IPTABLES

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Sep 2009
    Posts
    3
    I'll try and get a diagram made up shortly. It's fairly basic. One NIC on the linux server. Two interfaces, eth0 for the external and vmnet8 for the internal.

    That's it for my iptables rules right now. I've taken everything else out so I'm not blocking anything. Figure once I get the basics down then I'll work on restrictions.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, let's start by getting rid of rules you don't need and correcting the ones you do.


    Remove the line below. You don't need it and there is no routing of lo.

    Code:
    iptables -t nat -A POSTROUTING -j ACCEPT -o
    Now we need to change the following from

    Code:
    # mail - public IP 1.2.3.4 -  internal IP 10.1.1.2
    iptables -A PREROUTING -t nat -d 1.2.3.4 -j DNAT --to 10.1.1.2
    iptables -A POSTROUTING -t nat -s 10.1.1.2 -j SNAT --to 1.2.3.4
    To this

    Code:
    # mail - public IP 1.2.3.4 -  internal IP 10.1.1.2
    iptables -t nat -A PREROUTING  -i eth0 -d 1.2.3.4 -j DNAT --to-destination 10.1.1.2
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    Regards
    Robert

  5. #5
    Just Joined!
    Join Date
    Sep 2009
    Posts
    3
    Thanks. OK, with those changes in place, for the results below:

    1.1.1.1 = My Linux Server (VM HOST where iptables is running)
    2.2.2.2 = The router
    1.2.3.4 = Mail Server VM (Public IP)

    From 1.1.1.1, trying to ping 1.2.3.4:

    PING 1.2.3.4 (1.2.3.4) 56(84) bytes of data.
    From 2.2.2.2: icmp_seq=2 Redirect Host(New nexthop: 1.1.1.1)
    From 2.2.2.2: icmp_seq=3 Redirect Host(New nexthop: 1.1.1.1)

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    OK, how about real IP addresses? I have no idea what is happening, as 1.1.1.1 and 2.2.2.2 don't tell me a thing.

    Is 1.1.1.1 private address space?
    Is 2.2.2.2 private address space?

    If they are then please post what range you are using.
    And don't forget that diagram.

    Regards
    Robert
