[Users] problems with SNAT/MASQUERADE

Galia Lisovskaya inbox at shaggy-cat.ru
Sun Dec 20 10:04:07 EST 2009


> I'll post you my rules tomorrow when I have a look at it. So you can get your containers to view sites on the same server?

> I also have to forward different ports to get ssh access to the containers. How can I IP-filter before it gets forwarded? Is it possible? It doesn't seem to work. Maybe I have to run a VPN for the ssh connections instead?

On my old OpenVZ server (I posted its config) everything works: MASQUERADE
to the external (Internet) network for containers (they can use yum/apt to
install software from external repos, use wget, send e-mail as an MTA,
etc.), MASQUERADE for some other hosts (I use this HN as a gateway and
wireless access point), DNAT to ssh and other services for all containers
(for example external 25 -> VE 25 for the MTA), proxying HTTP connections
from the VE with the DNATed port 80 to another VE (and sites on VEs open
fine from the external network), but I want to make a production,
mass-reproduced server (with kickstart deployment and puppet management).

This server is deployed and works, but I don't remember how I solved the
SNAT troubles in the past (on the working server) :(

You may read the iptables dump; maybe it solves your problem, because on
my old hardware node (it's the dump of this node) everything works.

Maybe the new node doesn't work because it has an internal IP, and the
howto on the openvz wiki is written for an external IP?


> On 21/12/2009, at 1:14 AM, Galia Lisovskaya wrote:
>
>> On my old OpenVZ server (it uses DNAT and masquerade fine) I use nginx
>> to reverse proxy http connections for the containers, and DNAT other
>> ports. Maybe you will solve your problem when you read my iptables dump.
>> XX.XX.XX.XX is the external hardware node IP, 10.0.10.33 the IP of the nginx VE.
>> As you see, I have rules to permit connections to this VE. It works,
>> but I can't reproduce it :(
>>
>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>> *raw
>> :PREROUTING ACCEPT [15756606:11159312833]
>> :OUTPUT ACCEPT [83187:9939944]
>> COMMIT
>> # Completed on Sun Dec 20 16:18:42 2009
>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>> *nat
>> :PREROUTING ACCEPT [460807:49066604]
>> :POSTROUTING ACCEPT [2287:134871]
>> :OUTPUT ACCEPT [1050:65159]
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j
>> DNAT --to-destination 10.0.10.3:4662
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j
>> DNAT --to-destination 10.0.10.3:4666
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j
>> DNAT --to-destination 10.0.10.3:6419
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j
>> DNAT --to-destination 10.0.10.3:6419
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j
>> DNAT --to-destination 10.0.10.3:6882
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j
>> DNAT --to-destination 10.0.10.3:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT
>> --to-destination 10.0.10.33:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j
>> DNAT --to-destination 10.0.10.5:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j
>> DNAT --to-destination 10.0.7.4:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j
>> DNAT --to-destination 10.0.7.4:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j
>> DNAT --to-destination 10.0.7.8:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j
>> DNAT --to-destination 10.0.7.8:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j
>> DNAT --to-destination 10.0.7.8:21
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j
>> DNAT --to-destination 10.0.7.6:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j
>> DNAT --to-destination 10.0.7.6:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j
>> DNAT --to-destination 10.0.7.9:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j
>> DNAT --to-destination 10.0.7.9:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j
>> DNAT --to-destination 10.0.7.11:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j
>> DNAT --to-destination 10.0.7.11:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT
>> --to-destination 10.0.9.25:110
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT
>> --to-destination 10.0.9.25:143
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT
>> --to-destination 10.0.9.25:25
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j
>> DNAT --to-destination 10.0.7.2:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j
>> DNAT --to-destination 10.0.7.2:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j
>> DNAT --to-destination 10.0.7.9:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT
>> --to-destination 10.0.9.29:53
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j
>> DNAT --to-destination 10.0.9.22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j
>> DNAT --to-destination 10.0.7.2:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j
>> DNAT --to-destination 10.0.7.2:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j
>> DNAT --to-destination 10.0.7.5:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j
>> DNAT --to-destination 10.0.7.5:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j
>> DNAT --to-destination 10.0.7.8:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j
>> DNAT --to-destination 10.0.5.21:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j
>> DNAT --to-destination 10.0.5.22:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j
>> DNAT --to-destination 10.0.5.21:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j
>> DNAT --to-destination 10.0.5.22:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j
>> DNAT --to-destination 10.0.7.3:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j
>> DNAT --to-destination 10.0.7.3:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j
>> DNAT --to-destination 10.0.7.7:80
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j
>> DNAT --to-destination 10.0.7.7:22
>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j
>> DNAT --to-destination 10.0.5.14:22
>> -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
>> -A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
>> -A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
>> -A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports
>> 25 -j DROP
>> -A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports
>> 25 -j DROP
>> -A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports
>> 25 -j DROP
>> -A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports
>> 25 -j DROP
>> COMMIT
>> # Completed on Sun Dec 20 16:18:42 2009
>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>> *mangle
>> :PREROUTING ACCEPT [15756617:11159313405]
>> :INPUT ACCEPT [145636:35302709]
>> :FORWARD ACCEPT [15611902:11124135311]
>> :OUTPUT ACCEPT [83199:9941544]
>> :POSTROUTING ACCEPT [15695095:11134076551]
>> -A PREROUTING -i br0 -j MARK --set-mark 0x9
>> -A PREROUTING -i wlan0 -j MARK --set-mark 0x9
>> -A PREROUTING -i venet0 -j MARK --set-mark 0x9
>> COMMIT
>> # Completed on Sun Dec 20 16:18:42 2009
>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [83202:9942132]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>> -A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
>> -A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
>> -A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport
>> --dports 25 -j ACCEPT
>> -A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
>> -A FORWARD -d 255.255.255.255 -j ACCEPT
>> -A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25
>> -j DROP
>> -A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25
>> -j DROP
>> -A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25
>> -j DROP
>> -A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25
>> -j DROP
>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>> -A FORWARD -p tcp -m tcp --dport 25 -j DROP
>> -A FORWARD -o eth0 -j ACCEPT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
>> -A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
>> -A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j
>> ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522
>> -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> # Completed on Sun Dec 20 16:18:42 2009
>>
>>
>> 2009/12/20 Dan Rossi <electroteque at gmail.com>:
>>> Hey, I am also having NAT issues. For instance, I'm routing port 80 to squid, which reverse proxies to instances. However, when I tried to get instances to view sites on the same server, it's not going directly out and back in, if you know what I mean; it gets directed through squid, but squid isn't set up for proxying a connection for the containers! What do I do here? I get failed connections. The containers are able to access external sites though.
>>
>>
>>
>> --
>> Galina Lisovskaya
>>
>> _______________________________________________
>> Users mailing list
>> Users at openvz.org
>> https://openvz.org/mailman/listinfo/users
>



-- 
Galina Lisovskaya
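The thread raises three things the rule dump above does not spell out: how the DNAT port forwards are built, how to restrict a forwarded ssh port to certain source addresses before it is forwarded (Dan's question), and why a container that connects to the node's public IP to reach a sibling container can fail. As an added example (not from the thread, the list, or the OpenVZ project), the script below generates an iptables-restore file that covers all three. The interface names, the 10.0.0.0/16 container network, the 203.0.113.10 public address and the 192.0.2.0/24 admin range are constructed for the example. It also keys the outbound MASQUERADE on the output interface rather than on a mark, which works whether the node's address on eth0 is public or, as suspected above for the new node, a private one behind another router.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenVZ project: emit an
# iptables-restore file for a hardware node that DNATs published ports
# to containers and masquerades their outbound traffic.
# Assumed (constructed for the example): external interface eth0,
# container interface venet0, container network 10.0.0.0/16, and
# net.ipv4.ip_forward=1 already set on the node. Nothing here touches
# the kernel; review the output, then load it with "iptables-restore < file".

EXT_IF="${EXT_IF:-eth0}"
CT_IF="${CT_IF:-venet0}"
CT_NET="${CT_NET:-10.0.0.0/16}"

# split_fw "proto:extport:ctip:ctport" -> sets proto, eport, cip, cport
split_fw() {
    proto=${1%%:*}; _r=${1#*:}
    eport=${_r%%:*}; _r=${_r#*:}
    cip=${_r%%:*};   cport=${_r#*:}
}

# dnat_rule EXT_IP PROTO EXT_PORT CT_IP CT_PORT [SRC_CIDR]
# No "-i eth0" on purpose: a container that connects to the node's public
# IP is translated too (the "view sites on the same server" case). With
# SRC_CIDR given, only that source is translated at all, which is the
# "filter before it gets forwarded" request from the thread: anyone else
# is never handed to the container and lands in the node's own INPUT chain.
dnat_rule() {
    _src=""
    if [ -n "${6:-}" ]; then _src="-s $6 "; fi
    echo "-A PREROUTING ${_src}-d $1 -p $2 -m $2 --dport $3 -j DNAT --to-destination $4:$5"
}

# gen_nat EXT_IP ADMIN_CIDR FORWARD...   (FORWARD = "proto:extport:ctip:ctport")
# Forwards to container port 22 are limited to ADMIN_CIDR; the rest are open.
gen_nat() {
    ext_ip=$1; admin=$2; shift 2
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for fw in "$@"; do
        split_fw "$fw"
        if [ "$cport" = 22 ]; then
            dnat_rule "$ext_ip" "$proto" "$eport" "$cip" "$cport" "$admin"
        else
            dnat_rule "$ext_ip" "$proto" "$eport" "$cip" "$cport"
        fi
    done
    # Hairpin: when a container reaches a sibling through the public IP, the
    # sibling must see the node as the source, or it may answer the container
    # directly and the connection fails. Limited to DNATed connections so
    # ordinary container-to-container traffic keeps its real source. With
    # venet every reply already crosses the node; it matters for bridged
    # (veth/br0) containers that could answer each other over the bridge.
    echo "-A POSTROUTING -s $CT_NET -d $CT_NET -m conntrack --ctstate DNAT -j MASQUERADE"
    # Outbound: containers leave with the node's address on EXT_IF, whether
    # that address is public or a private one behind another router.
    echo "-A POSTROUTING -s $CT_NET -o $EXT_IF -j MASQUERADE"
    echo 'COMMIT'
}

# gen_filter ADMIN_CIDR FORWARD...
# FORWARD sees the already translated destination, so the accept rules
# match the container address and port, not the published port.
gen_filter() {
    admin=$1; shift
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo "-A FORWARD -i $CT_IF -o $EXT_IF -j ACCEPT"
    echo "-A FORWARD -s $CT_NET -d $CT_NET -j ACCEPT"
    for fw in "$@"; do
        split_fw "$fw"
        _src=""
        if [ "$cport" = 22 ]; then _src="-s $admin "; fi
        echo "-A FORWARD -i $EXT_IF ${_src}-d $cip -p $proto -m $proto --dport $cport -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# gen_ruleset EXT_IP ADMIN_CIDR FORWARD...  -> complete iptables-restore text
gen_ruleset() {
    ext=$1; adm=$2; shift 2
    gen_nat "$ext" "$adm" "$@"
    gen_filter "$adm" "$@"
}

# Stand-alone use (addresses are constructed for the example):
#   sh gen-nat.sh 203.0.113.10 192.0.2.0/24 tcp:80:10.0.10.33:80 tcp:1959:10.0.10.3:22 > rules.v4
if [ $# -ge 3 ]; then
    gen_ruleset "$@"
fi
```

Run it with the public IP, the admin range and one proto:extport:ctip:ctport per published port, redirect the output to a file, read it, then load it with iptables-restore. Because FORWARD defaults to DROP, only the listed container ports are reachable from eth0, and the ssh forwards are translated only for the admin range; every other source hits the node's INPUT chain exactly as if the port were not forwarded at all.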
