  1. #1
    Just Joined!
    Join Date
    Nov 2011
    Posts
    7

    NAT rule not working again after server reboot


    Hi guys,

    I'm a newbie to Linux networking and have been doing trial and error for a few days, without any progress.....any help would be much appreciated!!! Thanks guys!!!

    The background:
    • A physical server running CentOS 6 with KVM installed; 2 VMs are defined now, named VM 2 and VM 3, with IPs 192.168.122.2 and 192.168.122.3 accordingly
    • Iptables is running on the host OS but NOT on the guest OSs.
    • Host OS iptables has NAT configured as follows:
    Code:
    2 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:30022 to:192.168.122.3:22
    3 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20022 to:192.168.122.2:22
    • Thus the host OS high ports are expected to be forwarded to the VMs' ssh port


    The situation:
    • Everything worked fine after installation, and we ran for a month; however, after a RAM upgrade at the physical server - that means the server was shut down and rebooted - the NAT/port forward is not functioning anymore, given that:
    • Host OS iptables is started, while the guest OSs' iptables is kept stopped
    • Host OS can ssh/telnet to the VMs' ssh port (22)
    • Result of command iptables -t nat -L -v -n:
    Code:
    pkts bytes target prot opt in out source destination
    6 304 LOG tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30022 LOG flags 0 level 4 prefix `ROUTE APP3'
    6 304 DNAT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30022 to:192.168.122.3:22
    3 152 DNAT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20022 to:192.168.122.2:22
    • Packets are handled by the NAT rule while I try to telnet to 30022 from my local PC (separate network)


    Any ideas..??

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Do you have to enable IP forwarding in the kernel? e.g.:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    If that is it, you can put it in /etc/sysctl.conf:

    Code:
    net.ipv4.ip_forward = 1
    More here.

  3. #3
    Just Joined!
    Join Date
    Nov 2011
    Posts
    7
    Thanks for your reply! But I'm afraid I have already enabled IP forwarding:

    # cat /proc/sys/net/ipv4/ip_forward
    # 1


    If it is something to do with the reboot, I suspect there are some services that unexpectedly start/stop...but then other than iptables/ip forward...I can't think of any other possibility.

  4. #4
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    buggah...i thought that was it for sure. The SSH daemon is running on the two VM machines, I assume?

    Have you tried using SSH to connect, using the '-v' flag?

  5. #5
    Just Joined!
    Join Date
    Nov 2011
    Posts
    7
    Yes, both VMs' SSH daemons are running; this is proved as I can connect to them from the HOST OS with the ssh command.

    I didn't try it before; this is the return when I execute the command on another Linux machine:
    Code:
    [root@ad-a19-29 ~]# ssh -v -p 30022 <public ip>
    OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to <public IP> [<public IP>] port 30022.
    debug1: connect to address <public IP> port 30022: Connection refused
    ssh: connect to host <public IP> port 30022: Connection refused
    p.s. sorry for masking the sensitive data, the <public IP> is 202.xxx.xxx.xxx, it's my real IP :P

  6. #6
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    So back to iptables...can you post your iptables config file? I know you said all was fine before, and the problem is due to a system reboot, but who knows, maybe a bit slipped in there somewhere when you weren't looking.

    Also, SELinux is not running on the main server, is it?

  7. #7
    Just Joined!
    Join Date
    Nov 2011
    Posts
    7
    Yes you are right, everything is possible. Here is the iptables config:

    Code:
    [root@mhost network-scripts]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Tue Nov 22 13:22:33 2011
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [172:28850]
    -A INPUT -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 5907 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 30022 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -s 192.168.122.1/32 -p icmp -j LOG --log-prefix "FORWARD virbr0"
    -A FORWARD -d 192.168.122.1/32 -p icmp -j LOG --log-prefix "FORWARD virbr0"
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i br0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Nov 22 13:22:33 2011
    # Generated by iptables-save v1.4.7 on Tue Nov 22 13:22:33 2011
    *mangle
    :PREROUTING ACCEPT [401:29557]
    :INPUT ACCEPT [208:20281]
    :FORWARD ACCEPT [7:384]
    :OUTPUT ACCEPT [172:28850]
    :POSTROUTING ACCEPT [172:28850]
    -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
    COMMIT
    # Completed on Tue Nov 22 13:22:33 2011
    # Generated by iptables-save v1.4.7 on Tue Nov 22 13:22:33 2011
    *nat
    :PREROUTING ACCEPT [7:332]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i br0 -p tcp -m tcp --dport 30022 -j LOG --log-prefix "ROUTE APP3"
    -A PREROUTING -i br0 -p tcp -m tcp --dport 30022 -j DNAT --to-destination 192.168.122.3:22
    -A PREROUTING -i br0 -p tcp -m tcp --dport 20022 -j DNAT --to-destination 192.168.122.2:22
    -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.122.3:80
    -A PREROUTING -i br0 -p tcp -m tcp --dport 34434 -j DNAT --to-destination 192.168.122.3:4434
    -A PREROUTING -i br0 -p tcp -m tcp --dport 34435 -j DNAT --to-destination 192.168.122.3:18080
    -A PREROUTING -i br0 -p tcp -m tcp --dport 23306 -j DNAT --to-destination 192.168.122.2:3306
    -A PREROUTING -i br0 -p tcp -m tcp --dport 37999 -j DNAT --to-destination 192.168.122.3:7999
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
    -A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p icmp -j MASQUERADE
    COMMIT
    # Completed on Tue Nov 22 13:22:33 2011
    where the ifconfig is:

    Code:
    [root@mhost network-scripts]# ifconfig
    br0       Link encap:Ethernet  HWaddr D0:27:88:6D:70:E9
              inet addr:<public IP>  Bcast:<public IP:255>  Mask:255.255.255.0
              .........
    
    eth0      Link encap:Ethernet  HWaddr D0:27:88:6D:70:E9
              inet6 addr: fe80::d227:88ff:fe6d:70e9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:150606 errors:0 dropped:0 overruns:0 frame:0
              TX packets:18233 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:11176760 (10.6 MiB)  TX bytes:4131431 (3.9 MiB)
              Interrupt:27 Base address:0x6000
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:52 errors:0 dropped:0 overruns:0 frame:0
              TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:4898 (4.7 KiB)  TX bytes:4898 (4.7 KiB)
    
    virbr0    Link encap:Ethernet  HWaddr FE:54:00:46:6F:5F
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1097 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1574 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:279054 (272.5 KiB)  TX bytes:153651 (150.0 KiB)
    
    vnet0     Link encap:Ethernet  HWaddr FE:54:00:75:11:C0
              inet6 addr: fe80::fc54:ff:fe75:11c0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:19 errors:0 dropped:0 overruns:0 frame:0
              TX packets:26009 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:1227 (1.1 KiB)  TX bytes:1350380 (1.2 MiB)
    
    vnet1     Link encap:Ethernet  HWaddr FE:54:00:46:6F:5F
              inet6 addr: fe80::fc54:ff:fe46:6f5f/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:825 errors:0 dropped:0 overruns:0 frame:0
              TX packets:27209 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:257644 (251.6 KiB)  TX bytes:1460966 (1.3 MiB)
    And finally.........................I just realized this! I guess you have already pointed me in the right direction! SELinux is on now! I suppose I had set it to disabled before the reboot:
    Code:
    SELINUX=enforcing
    SELINUXTYPE=targeted
    So I suppose it should work when I disable it and reboot...? Going to try now.
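An added example, not the poster's own tooling or anything from the thread: a small first-match walker over the FORWARD rules copied from the iptables-save dump in this post. It answers the question the nat counters above cannot, namely what happens to a packet after PREROUTING has DNATed it. The packets are constructed; the assumptions are that the connection is in conntrack state NEW on its first packet, enters on br0 and leaves via virbr0 (192.168.122.0/24 is virbr0's subnet in the posted ifconfig), and is routed rather than bridged. The client address 203.0.113.10 is a documentation-range placeholder.

```python
"""Walk the FORWARD chain from the posted iptables-save dump and report which
rule terminates a given packet.  Added example; rules copied from the post,
packets constructed.  Only the match options that occur in those rules are parsed."""
import ipaddress
import shlex

# FORWARD rules exactly as they appear in the posted /etc/sysconfig/iptables.
FORWARD_RULES = """
-A FORWARD -s 192.168.122.1/32 -p icmp -j LOG --log-prefix "FORWARD virbr0"
-A FORWARD -d 192.168.122.1/32 -p icmp -j LOG --log-prefix "FORWARD virbr0"
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i br0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
FORWARD_POLICY = "ACCEPT"                    # from ":FORWARD ACCEPT [0:0]" in the dump

TERMINATING = {"ACCEPT", "DROP", "REJECT"}   # LOG is not terminating: evaluation continues


def parse_rule(line):
    """Turn one '-A FORWARD ...' line into a dict of match criteria plus target."""
    toks = shlex.split(line)                 # shlex keeps the quoted --log-prefix together
    rule = {"text": line.strip()}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]; i += 2
        elif t in ("-s", "-d"):
            rule[t] = ipaddress.ip_network(toks[i + 1], strict=False); i += 2
        elif t in ("-i", "-o", "-p"):
            rule[t] = toks[i + 1]; i += 2
        elif t == "-m":
            i += 2                           # match-extension name; its own options follow
        elif t == "--state":
            rule["state"] = set(toks[i + 1].split(",")); i += 2
        elif t == "--physdev-is-bridged":
            rule["bridged"] = True; i += 1
        elif t == "-j":
            rule["target"] = toks[i + 1]; i += 2
        elif t == "--reject-with":
            rule["reject_with"] = toks[i + 1]; i += 2
        elif t == "--log-prefix":
            rule["log_prefix"] = toks[i + 1]; i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return rule


def matches(rule, pkt):
    """True when every criterion present in the rule agrees with the packet."""
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]:
        return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]:
        return False
    for key, field in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if key in rule and rule[key] != pkt[field]:
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if rule.get("bridged") and not pkt.get("bridged", False):
        return False
    return True


def walk_chain(rules_text, policy, pkt):
    """Return (verdict, rule_text) for the first terminating match, else the chain policy."""
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINATING:
            verdict = rule["target"]
            if verdict == "REJECT":
                verdict += " " + rule.get("reject_with", "")
            return verdict, rule["text"]
    return policy, "chain policy"


# Constructed packet: a new SSH connection from an outside client that nat/PREROUTING
# has already rewritten to 192.168.122.3:22, entering on br0 and leaving via virbr0.
INBOUND_NEW = {"src": "203.0.113.10", "dst": "192.168.122.3", "proto": "tcp",
               "in": "br0", "out": "virbr0", "state": "NEW"}
# The same flow once conntrack has seen traffic in both directions.
INBOUND_ESTABLISHED = dict(INBOUND_NEW, state="ESTABLISHED")
# The guest's reply leaving through virbr0 towards br0.
REPLY_FROM_GUEST = {"src": "192.168.122.3", "dst": "203.0.113.10", "proto": "tcp",
                    "in": "virbr0", "out": "br0", "state": "ESTABLISHED"}


def verdict_for(pkt):
    return walk_chain(FORWARD_RULES, FORWARD_POLICY, pkt)


if __name__ == "__main__":
    for name, pkt in (("new inbound", INBOUND_NEW),
                      ("established inbound", INBOUND_ESTABLISHED),
                      ("guest reply", REPLY_FROM_GUEST)):
        verdict, rule = verdict_for(pkt)
        print(f"{name:20s} -> {verdict:30s} by: {rule}")
```

Under those assumptions the first packet of a new inbound connection is matched by `-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable` before any rule accepts it, while ESTABLISHED traffic and the guest's replies are accepted. That is consistent with both symptoms in the thread: the nat PREROUTING counters grow (DNAT happened), and the remote client sees "Connection refused" (the ICMP port-unreachable reject is what a TCP client reports as ECONNREFUSED). The rule set around virbr0 is the stock libvirt set, which libvirt re-inserts whenever its default network starts, so a manually added ACCEPT that was never saved would be gone after a reboot; a durable fix is an explicit `-A FORWARD -d 192.168.122.3/32 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT` (and the equivalent for each forwarded port) placed before the virbr0 REJECT and written to the saved configuration.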

  8. #8
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    you can do a quick test:

    Code:
    setenforce 0

  9. #9
    Just Joined!
    Join Date
    Nov 2011
    Posts
    7
    Um...bad news, whether I use setenforce 0 or edit /etc/sysconfig/selinux to set SELINUX=disabled, after a reboot (again) it is the same situation: Host OS can ssh to guest OS, but from outside the network it returns Connection refused.

  10. #10
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Okay, is it possible that there were iptables rules set up dynamically at some point while the main server was up, and these rules were never written to the system configuration file? That's the only other thing I can think of.

    I did not attempt to parse your iptables config file, btw, that is a biggie. Any iptables gurus out there?
