thinking n00b
Joined: 22 May 2005 Posts: 46
Posted: Fri May 18, 2007 7:09 pm Post subject: vserver: SNAT not working?
hiho@ll
I am trying to configure my firewall to connect to a vserver which hosts Apache on port 80.
A DSL router provides the internet connection.
The server hosting the vserver has the IP 192.168.0.3 on eth0.
My vserver has a dummy0 interface with IP 192.168.1.1 and Apache running on port 80.
First I created the following firewall.sh, which should set up iptables for my needs:
Quote:
IPTABLES=/sbin/iptables
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t nat -A PREROUTING --destination 192.168.0.3 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
$IPTABLES -A INPUT -d 192.168.1.1 -p tcp -j LOG --log-level info --log-prefix "IPTABLES input"
$IPTABLES -A OUTPUT -s 192.168.1.1 -p tcp -j LOG --log-level info --log-prefix "IPTABLES output"
This works if I point my browser from another host within my LAN to http://192.168.0.3/.
But if I try to connect from the internet I get these log entries 3 times (because Firefox seems to try 3 connects):
Quote:
May 18 22:25:57 hostname IPTABLES inputIN=eth0 OUT= MAC=SOMEMAC SRC=MYWANIP DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19587 DF PROTO=TCP SPT=1614 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 18 22:25:57 hostname IPTABLES outputIN= OUT=eth0 SRC=192.168.1.1 DST=MYWANIP LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1614 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Using tcpdump on eth0 I get:
Quote:
22:28:32.735189 IP MYWANIP.1617 > 192.168.0.3.80: S 3812199362:3812199362(0) win 65535 <mss 1260,nop,nop,sackOK>
22:28:32.739377 arp who-has MYWANIP tell 192.168.0.3
22:28:33.739437 arp who-has MYWANIP tell 192.168.0.3
22:28:34.739488 arp who-has MYWANIP tell 192.168.0.3
22:28:35.719114 IP MYWANIP.1617 > 192.168.0.3.80: S 3812199362:3812199362(0) win 65535 <mss 1260,nop,nop,sackOK>
22:28:41.738067 IP MYWANIP.1617 > 192.168.0.3.80: S 3812199362:3812199362(0) win 65535 <mss 1260,nop,nop,sackOK>
22:28:41.739956 arp who-has MYWANIP tell 192.168.0.3
22:28:42.740001 arp who-has MYWANIP tell 192.168.0.3
22:28:43.740062 arp who-has MYWANIP tell 192.168.0.3
Using tcpdump on lo I get:
Quote:
22:41:05.038425 IP 192.168.0.3 > 192.168.1.1: ICMP host MYWANIP unreachable, length 56
22:41:05.038425 IP 192.168.0.3 > 192.168.1.1: ICMP host MYWANIP unreachable, length 56
22:41:05.038425 IP 192.168.0.3 > 192.168.1.1: ICMP host MYWANIP unreachable, length 56
I think I just have too little networking experience to solve this on my own, although I'm pretty sure this is a simple problem.
So the questions are:
What's the problem?
Any ideas how to solve it?
Edit:
I added masquerading to my firewall.sh:
Quote:
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
I also tried connecting from the vserver to google.com:80 and got this:
Quote:
httpd htdocs # telnet google.com 80
Trying 64.233.167.99...
Trying 64.233.187.99...
Trying 72.14.207.99...
telnet: Unable to connect to remote host: No route to host
httpd htdocs # ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
From 192.168.0.3 icmp_seq=1 Destination Host Unreachable
From 192.168.0.3 icmp_seq=2 Destination Host Unreachable
From 192.168.0.3 icmp_seq=3 Destination Host Unreachable
--- google.com ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4132ms
, pipe 3
As far as I understand, I have to add a "route" on my host (not the vserver):
Quote:
myhost / # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 dummy0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
thx@ll
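An added example, not part of the original post: a small Python script that parses the routing table printed above (net-tools `route` layout) and performs the same longest-prefix-then-metric lookup the kernel's FIB approximates, so you can see which entry a given destination hits, whether it is on-link or via a gateway, and which address the host would therefore ARP for on that interface. The address 203.0.113.10 is a constructed placeholder for MYWANIP, and the function names are mine. Run against the posted table it reports the default gateway 192.168.0.1 as the next hop for the WAN address, and flags 192.168.1.0/24 as present twice (eth0 and dummy0) with the eth0 entry winning on table order.

```python
import ipaddress

# Constructed copy of the routing table shown in the post (output of `route`
# on the host). The column layout matches net-tools `route`.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 dummy0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed placeholder standing in for MYWANIP from the post (TEST-NET-3, RFC 5737).
WAN_IP_PLACEHOLDER = "203.0.113.10"


def parse_routes(text):
    """Turn net-tools `route` output into a list of route dicts, keeping table order."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the title line, the header line and anything that is not an 8-column entry.
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = fields
        if dest == "default":
            dest = "0.0.0.0"
        elif dest == "loopback":  # `route` without -n prints the name of 127.0.0.0
            dest = "127.0.0.0"
        routes.append({
            "net": ipaddress.IPv4Network((dest, genmask)),
            "gateway": None if gateway == "*" else gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Longest prefix wins, then lowest metric, then table order."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    # sort() is stable, so equal (prefixlen, metric) entries keep their table order
    candidates.sort(key=lambda r: (-r["net"].prefixlen, r["metric"]))
    return candidates[0] if candidates else None


def next_hop(routes, dst):
    """Address the host would ARP for: the gateway, or dst itself if the route is on-link."""
    route = lookup(routes, dst)
    if route is None:
        return None
    return route["gateway"] or dst


def duplicate_routes(routes):
    """Prefixes that appear more than once, with the interfaces they point at."""
    seen = {}
    for r in routes:
        seen.setdefault(r["net"], []).append(r["iface"])
    return {net: ifaces for net, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    table = parse_routes(ROUTE_OUTPUT)
    for dst in (WAN_IP_PLACEHOLDER, "192.168.1.1", "192.168.0.3"):
        r = lookup(table, dst)
        print(f"{dst:15} -> {r['net']} via {r['gateway'] or 'on-link'} "
              f"dev {r['iface']}, ARP for {next_hop(table, dst)}")
    print("duplicate prefixes:", duplicate_routes(table))
```

The script only reads a pasted table; it does not touch the running system. To check a live host, paste the output of `route` (or `route -n`, which prints 0.0.0.0 and 127.0.0.0 instead of the names the parser maps) into ROUTE_OUTPUT and compare `next_hop()` with what tcpdump shows the host ARPing for.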