[Users] problems with SNAT/MASQUERADE

Dan Rossi electroteque at gmail.com
Sun Dec 20 09:40:24 EST 2009


I'll post you my rules tomorrow when I have a look at it. So you can get your containers to view sites on the same server?

I also have to forward different ports to get SSH access to the containers. How can I IP-filter before it gets forwarded? Is it possible? It doesn't seem to work. Maybe I have to run a VPN for the SSH connections instead?

On 21/12/2009, at 1:14 AM, Galia Lisovskaya wrote:

> On my old OpenVZ server (it uses DNAT and masquerade fine) I use nginx
> to reverse proxy http connections for containers, and DNAT other
> ports. Maybe you will solve your problem when you read my iptables dump.
> XX.XX.XX.XX is the external hardware node IP, 10.0.10.33 the IP of the nginx VE.
> As you see, I have rules to permit connections to this VE. It works,
> but I can't reproduce it :(
> 
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *raw
> :PREROUTING ACCEPT [15756606:11159312833]
> :OUTPUT ACCEPT [83187:9939944]
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *nat
> :PREROUTING ACCEPT [460807:49066604]
> :POSTROUTING ACCEPT [2287:134871]
> :OUTPUT ACCEPT [1050:65159]
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j
> DNAT --to-destination 10.0.10.3:4662
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j
> DNAT --to-destination 10.0.10.3:4666
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j
> DNAT --to-destination 10.0.10.3:6419
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j
> DNAT --to-destination 10.0.10.3:6419
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j
> DNAT --to-destination 10.0.10.3:6882
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j
> DNAT --to-destination 10.0.10.3:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 10.0.10.33:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j
> DNAT --to-destination 10.0.10.5:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j
> DNAT --to-destination 10.0.7.4:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j
> DNAT --to-destination 10.0.7.4:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j
> DNAT --to-destination 10.0.7.8:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j
> DNAT --to-destination 10.0.7.8:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j
> DNAT --to-destination 10.0.7.8:21
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j
> DNAT --to-destination 10.0.7.6:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j
> DNAT --to-destination 10.0.7.6:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j
> DNAT --to-destination 10.0.7.9:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j
> DNAT --to-destination 10.0.7.9:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j
> DNAT --to-destination 10.0.7.11:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j
> DNAT --to-destination 10.0.7.11:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT
> --to-destination 10.0.9.25:110
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT
> --to-destination 10.0.9.25:143
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT
> --to-destination 10.0.9.25:25
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j
> DNAT --to-destination 10.0.7.2:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j
> DNAT --to-destination 10.0.7.2:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j
> DNAT --to-destination 10.0.7.9:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT
> --to-destination 10.0.9.29:53
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j
> DNAT --to-destination 10.0.9.22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j
> DNAT --to-destination 10.0.7.2:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j
> DNAT --to-destination 10.0.7.2:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j
> DNAT --to-destination 10.0.7.5:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j
> DNAT --to-destination 10.0.7.5:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j
> DNAT --to-destination 10.0.7.8:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j
> DNAT --to-destination 10.0.5.21:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j
> DNAT --to-destination 10.0.5.22:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j
> DNAT --to-destination 10.0.5.21:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j
> DNAT --to-destination 10.0.5.22:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j
> DNAT --to-destination 10.0.7.3:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j
> DNAT --to-destination 10.0.7.3:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j
> DNAT --to-destination 10.0.7.7:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j
> DNAT --to-destination 10.0.7.7:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j
> DNAT --to-destination 10.0.5.14:22
> -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
> -A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
> -A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
> -A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports
> 25 -j DROP
> -A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports
> 25 -j DROP
> -A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports
> 25 -j DROP
> -A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports
> 25 -j DROP
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *mangle
> :PREROUTING ACCEPT [15756617:11159313405]
> :INPUT ACCEPT [145636:35302709]
> :FORWARD ACCEPT [15611902:11124135311]
> :OUTPUT ACCEPT [83199:9941544]
> :POSTROUTING ACCEPT [15695095:11134076551]
> -A PREROUTING -i br0 -j MARK --set-mark 0x9
> -A PREROUTING -i wlan0 -j MARK --set-mark 0x9
> -A PREROUTING -i venet0 -j MARK --set-mark 0x9
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [83202:9942132]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
> -A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
> -A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
> -A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport
> --dports 25 -j ACCEPT
> -A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
> -A FORWARD -d 255.255.255.255 -j ACCEPT
> -A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25
> -j DROP
> -A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25
> -j DROP
> -A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25
> -j DROP
> -A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25
> -j DROP
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 25 -j DROP
> -A FORWARD -o eth0 -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
> -A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
> -A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522
> -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> 
> 
> 2009/12/20 Dan Rossi <electroteque at gmail.com>:
>> Hey, I am also having NAT issues. For instance I'm routing port 80 to squid, which reverse proxies to instances. However, when I tried to get instances to view sites on the same server, it's not going directly out and back in, if you know what I mean: it gets directed through squid, but squid isn't set up for proxying a connection for the containers! What do I do here? I get failed connections. The containers are able to access external sites, though.
> 
> 
> 
> -- 
> Galina Lisovskaya
> 
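Dan asks two things above: how to filter the forwarded SSH ports by source before they reach a container, and how containers can reach a service on the same hardware node through its public address. The script below is an added example, not from either poster; it only prints the iptables commands for both cases. The public IP, container IPs and network, admin network and the container-facing interface are placeholder parameters, and it assumes containers send their traffic through the host on that interface (venet0 as in Galina's dump, or a veth bridge).

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables
# commands for the two questions raised above. All addresses, ports and
# interface names are parameters / placeholders.

# Forward EXT_PORT on the public address to a container's sshd and restrict
# who may use it. The filter goes in the filter table's FORWARD chain:
# nat/PREROUTING has already rewritten the destination to CT_IP:22 by then,
# so FORWARD matches the real container and port, and the source match
# decides who gets through. Put these ahead of any blanket FORWARD ACCEPT
# (such as "-A FORWARD -o eth0 -j ACCEPT"), or they never see the packet.
ssh_forward_rules() {
    ext_ip=$1; ct_ip=$2; ext_port=$3; admin_net=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i eth0 -d $ext_ip -p tcp --dport $ext_port -j DNAT --to-destination $ct_ip:22
iptables -A FORWARD -s $admin_net -d $ct_ip -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d $ct_ip -p tcp --dport 22 -m state --state NEW -j DROP
EOF
}

# Let containers on CT_NET reach a service published on the public address
# (hairpin). A DNAT keyed on "-i eth0" never matches their packets, which
# enter the host on the container-facing interface CT_IF, so a second DNAT
# is keyed on that interface. The MASQUERADE makes the serving container
# see the host as its peer, so the reply passes the host's conntrack entry
# and is un-DNATed. That matters when containers share a bridge (veth);
# with venet every packet already traverses the host, so it is harmless.
hairpin_rules() {
    ext_ip=$1; ct_ip=$2; ext_port=$3; ct_port=$4; ct_net=$5; ct_if=$6
    cat <<EOF
iptables -t nat -A PREROUTING -i $ct_if -d $ext_ip -p tcp --dport $ext_port -j DNAT --to-destination $ct_ip:$ct_port
iptables -t nat -A POSTROUTING -s $ct_net -d $ct_ip -p tcp --dport $ct_port -j MASQUERADE
EOF
}

# Constructed sample values: SSH on public port 1959 -> 10.0.10.3:22, reachable
# only from the 192.0.2.0/24 admin network; web on public port 80 -> 10.0.10.33:80,
# also reachable from containers on 10.0.0.0/16 that enter the host via venet0.
ssh_forward_rules 203.0.113.10 10.0.10.3 1959 192.0.2.0/24
hairpin_rules 203.0.113.10 10.0.10.33 80 80 10.0.0.0/16 venet0
```

Pipe the output into `sh` on the hardware node once the values are right; the FORWARD rules also need to sit before the existing `-o eth0 -j ACCEPT` line in a rule set like the one quoted above.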