[Users] problems with SNAT/MASQUERADE

Galia Lisovskaya inbox at shaggy-cat.ru
Sun Dec 20 14:35:19 EST 2009


I solved my problem: the default gateway of the HN was not changed. I
installed the HN from a local repo with PXE, and didn't see this bad
interface config :)

Thanks for all answers :)

2009/12/20 Galia Lisovskaya <inbox at shaggy-cat.ru>:
>> I'll post you my rules tomorrow when I have a look at it. So you can get your containers to view sites on the same server?
>
>> I also have to forward different ports to get ssh access to the containers. How can I IP-filter before it gets forwarded? Is it possible? It doesn't seem to work. Maybe I have to run a VPN for the ssh connections instead?
>
> On my old OpenVZ server (I posted its config) all works: MASQUERADE to
> the external (Internet) network for containers (they may use yum/apt to
> install software from external repos, may use wget, send e-mails as
> an MTA, etc.), MASQUERADE for some other hosts (I use this HN as a gateway
> and wireless access point), DNAT to ssh and other services works for
> all containers (for example external 25 -> VE 25 for the MTA), proxying HTTP
> connections from the VE with the DNATed port 80 to other VEs (and sites on
> VEs open fine from the external network), but I want to make a production
> mass-reproduced server (with kickstart deployment and puppet management).
>
> This server is deployed and works, but I don't remember how I
> solved, in the past (on the working server), the troubles with SNAT :(
>
> You may read the iptables dump; maybe it solves your problem, because
> on my old HardwareNode (it's the dump of this node) all works.
>
> Maybe the new node doesn't work because it has an internal IP, and the
> howto on the openvz wiki is written for an external IP?
>
>
>> On 21/12/2009, at 1:14 AM, Galia Lisovskaya wrote:
>>
>>> On my old OpenVZ server (it uses DNAT and masquerade fine) I use nginx
>>> to reverse-proxy http connections for containers, and DNAT other
>>> ports. Maybe you can solve your problem by reading my iptables dump.
>>> XX.XX.XX.XX is the external hardware node IP, 10.0.10.33 the IP of the nginx VE.
>>> As you see, I have rules to permit connections to this VE. It works,
>>> but I can't reproduce it :(
>>>
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *raw
>>> :PREROUTING ACCEPT [15756606:11159312833]
>>> :OUTPUT ACCEPT [83187:9939944]
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *nat
>>> :PREROUTING ACCEPT [460807:49066604]
>>> :POSTROUTING ACCEPT [2287:134871]
>>> :OUTPUT ACCEPT [1050:65159]
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.0.10.3:4662
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 10.0.10.3:4666
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 10.0.10.3:6882
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j DNAT --to-destination 10.0.10.3:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j DNAT --to-destination 10.0.10.5:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j DNAT --to-destination 10.0.7.4:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j DNAT --to-destination 10.0.7.4:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j DNAT --to-destination 10.0.7.8:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j DNAT --to-destination 10.0.7.8:21
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j DNAT --to-destination 10.0.7.6:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j DNAT --to-destination 10.0.7.6:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j DNAT --to-destination 10.0.7.11:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j DNAT --to-destination 10.0.7.11:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.9.25:110
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.9.25:143
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.25:25
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j DNAT --to-destination 10.0.7.2:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j DNAT --to-destination 10.0.7.5:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j DNAT --to-destination 10.0.7.5:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j DNAT --to-destination 10.0.5.21:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.0.5.22:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j DNAT --to-destination 10.0.5.21:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j DNAT --to-destination 10.0.5.22:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j DNAT --to-destination 10.0.7.3:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j DNAT --to-destination 10.0.7.3:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j DNAT --to-destination 10.0.7.7:80
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j DNAT --to-destination 10.0.7.7:22
>>> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j DNAT --to-destination 10.0.5.14:22
>>> -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
>>> -A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
>>> -A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
>>> -A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *mangle
>>> :PREROUTING ACCEPT [15756617:11159313405]
>>> :INPUT ACCEPT [145636:35302709]
>>> :FORWARD ACCEPT [15611902:11124135311]
>>> :OUTPUT ACCEPT [83199:9941544]
>>> :POSTROUTING ACCEPT [15695095:11134076551]
>>> -A PREROUTING -i br0 -j MARK --set-mark 0x9
>>> -A PREROUTING -i wlan0 -j MARK --set-mark 0x9
>>> -A PREROUTING -i venet0 -j MARK --set-mark 0x9
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [83202:9942132]
>>> :RH-Firewall-1-INPUT - [0:0]
>>> -A INPUT -j RH-Firewall-1-INPUT
>>> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
>>> -A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
>>> -A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
>>> -A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
>>> -A FORWARD -d 255.255.255.255 -j ACCEPT
>>> -A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A FORWARD -p tcp -m tcp --dport 25 -j DROP
>>> -A FORWARD -o eth0 -j ACCEPT
>>> -A FORWARD -j RH-Firewall-1-INPUT
>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>> COMMIT
>>> # Completed on Sun Dec 20 16:18:42 2009
>>>
>>>
>>> 2009/12/20 Dan Rossi <electroteque at gmail.com>:
>>>> Hey, I am also having NAT issues. For instance I'm routing port 80 to squid, which reverse proxies to instances. However, when I tried to get instances to view sites on the same server, it's not going directly out and back in, if you know what I mean: it gets directed through squid, but squid isn't set up for proxying a connection for the containers! What do I do here? I get failed connections. The containers are able to access external sites though.
>>>
>>>
>>>
>>> --
>>> Galina Lisovskaya
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openvz.org
>>> https://openvz.org/mailman/listinfo/users
>>
>>
>>
>
>
>
> --
> Galina Lisovskaya
>



-- 
Galina Lisovskaya
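The quoted iptables-save dump repeats several nat PREROUTING matches: `--dport 7980` is DNATed to 10.0.7.9:80, then to 10.0.7.2:80, then to 10.0.7.9:80 again, and `--dport 7222` and `--dport 7822` each appear twice. In a netfilter chain the first matching rule wins, so the later rules never fire: whoever added 7980 -> 10.0.7.2:80 will find that container unreachable while the dump looks like it is exposed. The script below is an added example, not code from the thread or from OpenVZ; it parses a dump in iptables-save syntax and reports such shadowed DNAT rules. The sample dump embedded in it is constructed (with the documentation address 192.0.2.10 in place of the real public IP), and the audit function names are my own.

```python
"""Audit an iptables-save dump for shadowed nat PREROUTING DNAT rules.

First match wins in a chain, so two DNAT rules with identical match
criteria (-i, -p, -d, --dport) can never both take effect; the later one
is dead configuration, and if its target differs it is also a sign that
the wrong container may be reachable on that port.
Added example; function names and the sample dump are constructed here.
"""
import shlex
from collections import OrderedDict

# Constructed sample dump, shaped like the rules quoted in the thread.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.5 (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
-A PREROUTING -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
-A PREROUTING -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A PREROUTING -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
-A PREROUTING -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
-A PREROUTING -d 192.0.2.10 -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
"""


def _opt(tokens, name):
    """Return the value following option `name` in a token list, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None


def parse_dnat_rules(dump):
    """Return the nat-table PREROUTING DNAT rules of a dump, in chain order."""
    table = None
    rules = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*nat", "*filter", ... start a table
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        tokens = shlex.split(line)        # handles quoted --comment values too
        if _opt(tokens, "-j") != "DNAT":
            continue
        rules.append({
            "in": _opt(tokens, "-i"),
            "proto": _opt(tokens, "-p"),
            "dst": _opt(tokens, "-d"),
            "dport": _opt(tokens, "--dport"),
            "target": _opt(tokens, "--to-destination"),
        })
    return rules


def find_shadowed(rules):
    """Report every rule whose match criteria repeat an earlier rule's.

    `conflict` is True when the dead rule points at a different target,
    i.e. the operator probably expected a different container to answer.
    """
    live = OrderedDict()
    shadowed = []
    for rule in rules:
        key = (rule["in"], rule["proto"], rule["dst"], rule["dport"])
        if key in live:
            shadowed.append({
                "proto": rule["proto"],
                "dport": rule["dport"],
                "live_target": live[key]["target"],
                "dead_target": rule["target"],
                "conflict": live[key]["target"] != rule["target"],
            })
        else:
            live[key] = rule                # first match wins
    return shadowed


def audit(dump):
    """Summarise the effective port forwards and the shadowed rules."""
    rules = parse_dnat_rules(dump)
    forwarded = OrderedDict()
    for r in rules:
        forwarded.setdefault((r["proto"], r["dport"]), r["target"])
    return {"forwarded": forwarded, "shadowed": find_shadowed(rules)}


if __name__ == "__main__":
    result = audit(SAMPLE_DUMP)
    for (proto, dport), target in result["forwarded"].items():
        print("%s/%s -> %s" % (proto, dport, target))
    for s in result["shadowed"]:
        kind = "CONFLICT" if s["conflict"] else "redundant"
        print("shadowed %s: %s/%s -> %s never fires (live: %s)"
              % (kind, s["proto"], s["dport"], s["dead_target"], s["live_target"]))
```

Run it against the real node with `iptables-save | python audit_dnat.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; a clean result is an empty `shadowed` list. The summary is keyed by protocol and port only, which is enough for a node with a single public address like the one in the thread; the shadow check itself also compares `-i` and `-d`, so rules for different external addresses are not reported as duplicates.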


