Hi all,
I need to use my RedHat Linux server to host one vmware virtual machine. I tried several configurations but I'm not able to use it correctly.
This is the configuration:
Linux box with 2 interfaces:
eth0 (151.98.244.143) for the external network
vmnet8 (192.168.190.1) for the internal network, towards a virtual machine
Internal virtual machine with one interface: eth5 (192.168.190.127)
I would like to reach, from the external network (151.0.0.0), the final webserver on the virtual machine, listening on port 8443.
So we use from the browser and we have to redirect it to the internal 192.168.190.127:8443 port.
For testing purposes I've deleted all rules and I followed these rules:
Allow all incoming packets on eth0 to be forwarded to vmnet8 if the destination port is 8443:
iptables -A FORWARD -i eth0 -o vmnet8 -p tcp --dport 8443 -j ACCEPT
Redirect all incoming packets to 151.98.244.143 port 8443 to 192.168.190.127 port 8443, using PREROUTING and the nat iptables feature:
iptables -A PREROUTING -t nat -p tcp -d 151.98.244.143 --dport 8443 -j DNAT --to 192.168.190.127:8443
Accept all forwarded natted packets:
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
Masquerade the IP from and to both ethernet interfaces:
iptables -t nat -A POSTROUTING -j MASQUERADE -o vmnet8
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0
After these commands this is the situation:
iptables -t filter -nvL --line-numbers
Chain INPUT (policy ACCEPT 223 packets, 21473 bytes)
num pkts bytes target prot opt in out source destination
1 422 31232 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5 529 ACCEPT tcp -- eth0 vmnet8 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
2 5 215 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
3 0 0 ACCEPT tcp -- vmnet8 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 252 packets, 30516 bytes)
num pkts bytes target prot opt in out source destination
iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 18 packets, 4181 bytes)
num pkts bytes target prot opt in out source destination
1 1 48 DNAT tcp -- * * 0.0.0.0/0 151.98.244.143 tcp dpt:8443 to:192.168.190.127:8443
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2 148 MASQUERADE all -- * vmnet8 0.0.0.0/0 0.0.0.0/0
2 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 100 bytes)
num pkts bytes target prot opt in out source destination
When we try to reach the internal webserver, the connection is in TIME_WAIT:
This is on the Linux box side:
cat /proc/net/nf_conntrack |grep 8443
ipv4 2 tcp 6 22 TIME_WAIT src=151.98.193.38 dst=151.98.244.143 sport=2744 dport=8443 src=192.168.190.127 dst=192.168.190.1 sport=8443 dport=2744 [ASSURED] mark=0 secmark=0 use=2
This is on the internal virtual machine:
cat /proc/net/nf_conntrack |grep 8443
ipv4 2 tcp 6 102 TIME_WAIT src=192.168.190.1 dst=192.168.190.127 sport=2525 dport=8443 packets=5 bytes=529 src=192.168.190.127 dst=192.168.190.1 sport=8443 dport=2525 packets=5 bytes=215 [ASSURED] mark=0 secmark=0 use=1
netstat -an|grep 8443
tcp 0 0 ::ffff:192.168.190.127:8443 :::* LISTEN
tcp 0 0 ::ffff:192.168.190.127:8443 ::ffff:192.168.190.1:2599 TIME_WAIT
What is wrong?
Thanks
Massimo
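An added example, not part of Massimo's post, for reading nf_conntrack entries like the two quoted above: it parses each line into its original-direction and reply-direction tuples and derives from them which translations the flow received. The host-side and guest-side entries from the post are embedded as constructed input; on the host the entry should show both the DNAT to the guest and the masquerade to the vmnet8 address, while the guest only ever sees 192.168.190.1 as the client.

```python
import re
# Constructed sample input: the two nf_conntrack entries quoted in the post,
# host side first (no accounting counters), guest side second.
HOST_LINE = ("ipv4 2 tcp 6 22 TIME_WAIT src=151.98.193.38 dst=151.98.244.143 "
             "sport=2744 dport=8443 src=192.168.190.127 dst=192.168.190.1 "
             "sport=8443 dport=2744 [ASSURED] mark=0 secmark=0 use=2")
GUEST_LINE = ("ipv4 2 tcp 6 102 TIME_WAIT src=192.168.190.1 dst=192.168.190.127 "
              "sport=2525 dport=8443 packets=5 bytes=529 src=192.168.190.127 "
              "dst=192.168.190.1 sport=8443 dport=2525 packets=5 bytes=215 "
              "[ASSURED] mark=0 secmark=0 use=1")
# Keys that appear once per direction: first occurrence = original direction,
# second occurrence = reply direction (that is how nf_conntrack prints them).
TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")

def parse_conntrack(line):
    """Split one nf_conntrack line into state, flags and the two tuples."""
    fields = line.split()
    entry = {"l3": fields[0], "l4": fields[2], "timeout": int(fields[4]),
             "state": None, "flags": [], "orig": {}, "reply": {}}
    rest = fields[5:]
    if entry["l4"] == "tcp":            # tcp entries carry a state word
        entry["state"], rest = rest[0], rest[1:]
    for tok in rest:
        m = re.fullmatch(r"\[(\w+)\]", tok)   # [ASSURED], [UNREPLIED]
        if m:
            entry["flags"].append(m.group(1))
            continue
        key, _, val = tok.partition("=")
        if key in TUPLE_KEYS:
            side = "reply" if key in entry["orig"] else "orig"
            entry[side][key] = val
        else:
            entry[key] = val            # mark=, secmark=, use=, ...
    return entry

def nat_applied(entry):
    """DNAT shows as reply src != original dst; SNAT/MASQUERADE shows as
    reply dst != original src (each compared as address:port)."""
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (o["dst"], o["dport"]) != (r["src"], r["sport"]):
        kinds.append("DNAT %s:%s->%s:%s" % (o["dst"], o["dport"], r["src"], r["sport"]))
    if (o["src"], o["sport"]) != (r["dst"], r["dport"]):
        kinds.append("SNAT %s:%s->%s:%s" % (o["src"], o["sport"], r["dst"], r["dport"]))
    return kinds or ["none"]

if __name__ == "__main__":
    for label, line in (("host", HOST_LINE), ("guest", GUEST_LINE)):
        e = parse_conntrack(line)
        print(label, e["state"], e["flags"], nat_applied(e))
```

The same parser can be run over the whole of /proc/net/nf_conntrack to check that every flow hitting the forwarded port carries the expected DNAT and SNAT pair, which is a quick way to confirm the PREROUTING and POSTROUTING rules are actually matching.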