[Users] problems with SNAT/MASQUERADE

Galia Lisovskaya inbox at shaggy-cat.ru
Sun Dec 20 09:14:50 EST 2009


On my old OpenVZ server (it uses DNAT and masquerade fine) I use nginx
to reverse proxy http connections for containers, and DNAT other
ports. Maybe you will solve your problem when you read my iptables dump.
XX.XX.XX.XX is the external hardware node IP, 10.0.10.33 is the IP of the nginx VE.
As you see, I have rules to permit connections to this VE. It works,
but I can't reproduce it :(

# Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
*raw
:PREROUTING ACCEPT [15756606:11159312833]
:OUTPUT ACCEPT [83187:9939944]
COMMIT
# Completed on Sun Dec 20 16:18:42 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
*nat
:PREROUTING ACCEPT [460807:49066604]
:POSTROUTING ACCEPT [2287:134871]
:OUTPUT ACCEPT [1050:65159]
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.0.10.3:4662
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 10.0.10.3:4666
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 10.0.10.3:6882
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j DNAT --to-destination 10.0.10.3:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j DNAT --to-destination 10.0.10.5:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j DNAT --to-destination 10.0.7.4:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j DNAT --to-destination 10.0.7.4:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j DNAT --to-destination 10.0.7.8:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j DNAT --to-destination 10.0.7.8:21
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j DNAT --to-destination 10.0.7.6:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j DNAT --to-destination 10.0.7.6:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j DNAT --to-destination 10.0.7.11:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j DNAT --to-destination 10.0.7.11:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.9.25:110
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.9.25:143
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.25:25
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j DNAT --to-destination 10.0.7.5:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j DNAT --to-destination 10.0.7.5:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j DNAT --to-destination 10.0.5.21:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.0.5.22:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j DNAT --to-destination 10.0.5.21:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j DNAT --to-destination 10.0.5.22:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j DNAT --to-destination 10.0.7.3:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j DNAT --to-destination 10.0.7.3:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j DNAT --to-destination 10.0.7.7:80
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j DNAT --to-destination 10.0.7.7:22
-A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j DNAT --to-destination 10.0.5.14:22
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
-A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
COMMIT
# Completed on Sun Dec 20 16:18:42 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
*mangle
:PREROUTING ACCEPT [15756617:11159313405]
:INPUT ACCEPT [145636:35302709]
:FORWARD ACCEPT [15611902:11124135311]
:OUTPUT ACCEPT [83199:9941544]
:POSTROUTING ACCEPT [15695095:11134076551]
-A PREROUTING -i br0 -j MARK --set-mark 0x9
-A PREROUTING -i wlan0 -j MARK --set-mark 0x9
-A PREROUTING -i venet0 -j MARK --set-mark 0x9
COMMIT
# Completed on Sun Dec 20 16:18:42 2009
# Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83202:9942132]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
-A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
-A FORWARD -d 255.255.255.255 -j ACCEPT
-A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
-A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
-A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Dec 20 16:18:42 2009


2009/12/20 Dan Rossi <electroteque at gmail.com>:
> Hey, I am also having NAT issues. For instance, I'm routing port 80 to squid which reverse proxies to instances. However, when I tried to get instances to view sites on the same server, it's not going directly out and back in, if you know what I mean; it gets directed through squid, but squid isn't set up for proxying a connection for the containers! What do I do here? I get failed connections. The containers are able to access external sites though.



-- 
Galina Lisovskaya
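As an added example (not code from this thread or from OpenVZ), a small Python audit of the nat table in an iptables-save dump of the shape posted above. It reports PREROUTING DNAT rules shadowed by an earlier rule for the same protocol and port (first match wins, so in the dump above port 7980 is live only for 10.0.7.9:80 and the two later 7980 rules never fire), and lists the forwards that only match packets arriving on eth0, which is the reason a container's own connection to the public address (arriving on venet0) is not translated by such rules; that is the question behind Dan's hairpin case. The sample dump, the 203.0.113.10 address and all function names are constructed for this example.

```python
"""Audit PREROUTING DNAT rules in an iptables-save nat table.
Added example; the dump below is constructed, not the full one posted."""
import shlex

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d 203.0.113.10 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
COMMIT
"""

def parse_dnat_rules(dump):
    """Return the PREROUTING DNAT rules of the *nat table, in rule order."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        argv = shlex.split(line)
        # Collect "-opt value" pairs; bare flags without a value are ignored.
        opts = {t: argv[i + 1] for i, t in enumerate(argv[:-1])
                if t.startswith("-") and not argv[i + 1].startswith("-")}
        if opts.get("-j") == "DNAT":
            rules.append({"proto": opts.get("-p"), "dport": opts.get("--dport"),
                          "in_if": opts.get("-i"), "to": opts["--to-destination"]})
    return rules

def shadowed_rules(rules):
    """First match wins in PREROUTING; a later rule for the same proto/port is dead."""
    active, dead = {}, []
    for r in rules:
        key = (r["proto"], r["dport"])
        if key in active:
            kind = "duplicate" if active[key] == r["to"] else "conflict"
            dead.append((r["proto"], r["dport"], r["to"], active[key], kind))
        else:
            active[key] = r["to"]
    return dead

def external_only_ports(rules, external_if="eth0"):
    """Ports forwarded only for packets arriving on external_if (no hairpin)."""
    return sorted({r["dport"] for r in rules if r["in_if"] == external_if}, key=int)
```

A "conflict" finding is a configuration error (the second destination is never reached); a "duplicate" is merely dead weight, and both are worth removing before debugging forwarding.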


