Using iptables for an internal natted virtual machine

Status
Not open for further replies.

maccarone

Technical User
Jun 20, 2002
17
IT
Hi all,
I need to use my RedHat Linux server to host one VMware virtual machine. I tried several configurations but I'm not able to use it correctly.
This is the configuration:
Linux box with 2 interfaces:
eth0 (151.98.244.143) for the external network
vmnet8 (192.168.190.1) for the internal network, towards a virtual machine

Internal virtual machine with one interface: eth5 (192.168.190.127)

I would like to reach, from the external network (151.0.0.0), the final webserver on the virtual machine, listening on port 8443.
So we use from the browser and we have to redirect it to the internal 192.168.190.127:8443 port.

For testing purposes I've deleted all rules and I followed these rules:
Allow all incoming packets on eth0 to be forwarded to vmnet8 if the destination port is 8443:
iptables -A FORWARD -i eth0 -o vmnet8 -p tcp --dport 8443 -j ACCEPT

Redirect all incoming packets to 151.98.244.143 port 8443 to 192.168.190.127 port 8443, using PREROUTING and the nat iptables feature:
iptables -A PREROUTING -t nat -p tcp -d 151.98.244.143 --dport 8443 -j DNAT --to 192.168.190.127:8443

Accept all forwarded natted packets:
iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

Masquerade the IP from and to both Ethernet interfaces:
iptables -t nat -A POSTROUTING -j MASQUERADE -o vmnet8
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0


After these commands this is the situation:

iptables -t filter -nvL --line-numbers
Chain INPUT (policy ACCEPT 223 packets, 21473 bytes)
num pkts bytes target prot opt in out source destination
1 422 31232 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 1 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5 529 ACCEPT tcp -- eth0 vmnet8 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
2 5 215 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT
3 0 0 ACCEPT tcp -- vmnet8 eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 252 packets, 30516 bytes)
num pkts bytes target prot opt in out source destination


iptables -t nat -nvL --line-numbers
Chain PREROUTING (policy ACCEPT 18 packets, 4181 bytes)
num pkts bytes target prot opt in out source destination
1 1 48 DNAT tcp -- * * 0.0.0.0/0 151.98.244.143 tcp dpt:8443 to:192.168.190.127:8443

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2 148 MASQUERADE all -- * vmnet8 0.0.0.0/0 0.0.0.0/0
2 0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1 packets, 100 bytes)
num pkts bytes target prot opt in out source destination



When we try to reach the internal webserver, we have the connection in TIME_WAIT:


This is on the Linux box side:
cat /proc/net/nf_conntrack |grep 8443
ipv4 2 tcp 6 22 TIME_WAIT src=151.98.193.38 dst=151.98.244.143 sport=2744 dport=8443 src=192.168.190.127 dst=192.168.190.1 sport=8443 dport=2744 [ASSURED] mark=0 secmark=0 use=2


This is on the internal virtual machine:
cat /proc/net/nf_conntrack |grep 8443
ipv4 2 tcp 6 102 TIME_WAIT src=192.168.190.1 dst=192.168.190.127 sport=2525 dport=8443 packets=5 bytes=529 src=192.168.190.127 dst=192.168.190.1 sport=8443 dport=2525 packets=5 bytes=215 [ASSURED] mark=0 secmark=0 use=1

netstat -an|grep 8443
tcp 0 0 ::ffff:192.168.190.127:8443 :::* LISTEN
tcp 0 0 ::ffff:192.168.190.127:8443 ::ffff:192.168.190.1:2599 TIME_WAIT


What is wrong?

Thanks

Massimo
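The ruleset below is an added example for the same topology (eth0 / vmnet8 / VM at 192.168.190.127:8443, taken from the post); it is not the poster's configuration or a VMware-provided script. It shows the form a reviewer would want for a DNAT port-forward: IP forwarding explicitly enabled, a default-drop FORWARD chain, the PREROUTING rule bound to the external interface and restricted to the allowed client network, and no MASQUERADE on the VM-side interface, so that the webserver sees (and logs) the real client address rather than 192.168.190.1, as happens in the conntrack output above. Two assumptions are labelled in the script: EXT_NET is taken as 151.0.0.0/8 (the post gives only "151.0.0.0"), and the VM's default gateway is assumed to be 192.168.190.1 so that replies return through the host and are un-NATed by conntrack. The commands are generated as text first so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original post): generate and optionally apply a
# minimal, source-restricted DNAT port-forward for a VM behind a Linux host.
# Run with no argument to print the rules; run as root with "apply" to load them.

EXT_IF=eth0                 # host interface on the external network (from the post)
EXT_IP=151.98.244.143       # host's external address (from the post)
INT_IF=vmnet8               # host-only interface towards the VM (from the post)
VM_IP=192.168.190.127       # webserver VM (from the post)
PORT=8443                   # service port (from the post)
EXT_NET=151.0.0.0/8         # ASSUMPTION: the only client network allowed in
# ASSUMPTION: the VM's default route points at 192.168.190.1 (the host's vmnet8
# address), so reply packets pass back through the host and conntrack reverses
# the DNAT; that is why no MASQUERADE on $INT_IF is needed.

# Emit the commands as text so they can be reviewed or diffed before loading.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $EXT_NET -d $VM_IP -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -s $EXT_NET -d $EXT_IP -p tcp --dport $PORT -j DNAT --to-destination $VM_IP:$PORT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $VM_IP -j MASQUERADE
EOF
}

# Number of iptables commands produced (useful as a sanity check after edits).
count_rules() {
    gen_rules | grep -c '^iptables'
}

# Load the generated rules; every command must succeed or loading stops.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    gen_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
elif [ $# -eq 0 ] && [ -t 1 ]; then
    gen_rules
fi
```

Only the FORWARD rules matter for traffic that is DNATed to the VM; the host's own INPUT chain is unchanged, so the existing SSH and RELATED,ESTABLISHED rules from the listing above keep working. The FORWARD ACCEPT for the VM uses `-d $VM_IP` because DNAT in PREROUTING has already rewritten the destination by the time the packet reaches the filter table.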
 