Using iptables for internal nattined Virtual machine

maccarone · May 14, 2013

Hi all,
I need to use my RedHat Linux server to host one vmware virtual machine. I tried several configuration but I'm not able to use it correctly.
This is the configuration:
Linux box with 2 interfaces:
eth0 (151.98.244.143) for the external network
vmnet8 (192.168.190.1) for the internal network, towards a virtual machine

Internal virtual machine with one interface: eth5 (192.168.190.127)

I would reach, from the external network (151.0.0.0) the final webserver on the virtual machine, listening on 8443 port.
So we use http://151.98.244.143:8443
from the browser and we have to re direct it to internal 192.168.190.127:8443 port.

For testing purpose I've deleted all rules and I followed these rules:
Allow all incoming packet on eth0 to be forwared to vmnet8 if destination port is 8443:
iptables -A FORWARD -i eth0 -o vmnet8 -p tcp --dport 8443 -j ACCEPT

Redirect all incoming packet to 151.98.244.143 port 8443 to 192.168.190.127 port 8443, using PRERUOTING and nat iptables feature:
iptables -A PREROUTING -t nat -p tcp -d 151.98.244.143 --dport 8443 -j DNAT --to 192.168.190.127:8443

Accepr all forwarded natted packets:
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

Masquerade the ip from and to both ethernet interfaces:
iptables -t nat -A POSTROUTING -j MASQUERADE -o vmnet8
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0

after these command this is the situation:

iptables -t filter -nvL --line-numbers
Chain INPUT (policy ACCEPT 223 packets, 21473 bytes)
num pkts bytes target prot opt in out source destination
1 422 31232 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
[highlight #FCE94F]1 5 529 ACCEPT tcp -- eth0 vmnet8 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
2 5 215 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
3 0 0 ACCEPT tcp -- vmnet8 eth0 0.0.0.0/0 0.0.0.0/0[/highlight]

Chain OUTPUT (policy ACCEPT 252 packets, 30516 bytes)
num pkts bytes target prot opt in out source destination

iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 18 packets, 4181 bytes)
num pkts bytes target prot opt in out source destination
[highlight #FCE94F]1 1 48 DNAT tcp -- * * 0.0.0.0/0 151.98.244.143 tcp dpt:8443 to:192.168.190.127:8443[/highlight]

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
[highlight #FCE94F]1 2 148 MASQUERADE all -- * vmnet8 0.0.0.0/0 0.0.0.0/0
2 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
[/highlight]
Chain OUTPUT (policy ACCEPT 1 packets, 100 bytes)
num pkts bytes target prot opt in out source destination

When we try to reach the internal webserver, we have the connection in TIME_WAIT:

this is on the Linux box side:
cat /proc/net/nf_conntrack |grep 8443
ipv4 2 tcp 6 22 [highlight #FCE94F]TIME_WAIT[/highlight] src=151.98.193.38 dst=151.98.244.143 sport=2744 dport=8443 src=192.168.190.127 dst=192.168.190.1 sport=8443 dport=2744 [ASSURED] mark=0 secmark=0 use=2

this is on the internal virtual machine:
cat /proc/net/nf_conntrack |grep 8443
ipv4 2 tcp 6 102 TIME_WAIT src=192.168.190.1 dst=192.168.190.127 sport=2525 dport=8443 packets=5 bytes=529 src=192.168.190.127 dst=192.168.190.1 sport=8443 dport=2525 packets=5 bytes=215 [ASSURED] mark=0 secmark=0 use=1

netstat -an|grep 8443
tcp 0 0 ::ffff:192.168.190.127:8443 :::* LISTEN
tcp 0 0 ::ffff:192.168.190.127:8443 ::ffff:192.168.190.1:2599 TIME_WAIT

What is wrong?

Thanks

Massimo

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Using iptables for internal nattined Virtual machine

maccarone

Technical User

Similar threads

Part and Inventory Search

Sponsor