nat issue

To: debian-user@lists.debian.org
Subject: nat issue
From: Oleg <lego12239@yandex.ru>
Date: Thu, 3 Feb 2011 16:26:29 +0300
Message-id: <[🔎] 20110203132629.GA9723@debian>
Mail-followup-to: debian-user@lists.debian.org
Reply-to: Oleg <lego12239@yandex.ru>
  Hi.

  I have a strange behaviour of iptables nat. I use several kvm instances on
my host machine in the next configuration:


INET  <-- (eth0)[host](tap0) <-- [kvm1] <-- [kvm2]

another view:

             INET
              ^
              |
       192.168.0.178/24
            [host]
       192.168.100.2/24
              ^
              |
       192.168.100.1/24
            [kvm1]
       192.168.200.1/24
              ^
              |
       192.168.200.2/24
            [kvm2]


  host has next configuration:

host:~# iptables -V
iptables v1.4.10
host:~# uname -r
2.6.36.3-kvm64
host:~# cat /etc/issue
Debian GNU/Linux 5.0 \n \l

host:~# cat /proc/sys/net/ipv4/ip_forward 
1

host:~# iptables-save 
# Generated by iptables-save v1.4.10 on Thu Feb  3 15:53:45 2011
*nat
:PREROUTING ACCEPT [158:19117]
:INPUT ACCEPT [142:17947]
:OUTPUT ACCEPT [1273:77619]
:POSTROUTING ACCEPT [23:1515]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu Feb  3 15:53:45 2011
# Generated by iptables-save v1.4.10 on Thu Feb  3 15:53:45 2011
*filter
:INPUT ACCEPT [41870:22423799]
:FORWARD ACCEPT [1111:78128]
:OUTPUT ACCEPT [40741:4677024]
COMMIT
# Completed on Thu Feb  3 15:53:45 2011

host:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1c:23:9f:8f:7a brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.178/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::21c:23ff:fe9f:8f7a/64 scope link 
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:1c:26:ac:50:fd brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 86:15:91:d2:a7:dd brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.2/24 scope global tap0
    inet6 fe80::8415:91ff:fed2:a7dd/64 scope link 
       valid_lft forever preferred_lft forever
5: tap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 8e:ab:8b:d0:3e:bd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8cab:8bff:fed0:3ebd/64 scope link 
       valid_lft forever preferred_lft forever
10: tap4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5823:72ff:fed4:412f/64 scope link 
       valid_lft forever preferred_lft forever
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN 
    link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5823:72ff:fed4:412f/64 scope link 
       valid_lft forever preferred_lft forever

host:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.5a2372d4412f       no              tap2
                                                        tap4

  kvm1 link with host through tap0 and with kvm2 through tap2(br0). kvm2 link
with kvm1 through tap4(br0).

  kvm1 configuration:

kvm1:~# cat /proc/sys/net/ipv4/ip_forward 
1

kvm1:~# iptables-save 
iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory

kvm1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
    inet6 fe80::5054:ff:fe12:3456/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 54:52:00:12:34:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.1/24 brd 192.168.200.255 scope global eth1
    inet6 fe80::5652:ff:fe12:3457/64 scope link 
       valid_lft forever preferred_lft forever

kvm1:~# ip rou
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1 
192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.1 
default via 192.168.100.2 dev eth0 


   kvm2 configuration:

kvm2:~# iptables-save 
iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory

kvm2:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 54:52:00:12:34:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.2/24 brd 192.168.200.255 scope global eth0
    inet6 fe80::5652:ff:fe12:3460/64 scope link 
       valid_lft forever preferred_lft forever

kvm2:~# ip rou
192.168.200.0/24 dev eth0  proto kernel  scope link  src 192.168.200.2 
default via 192.168.200.1 dev eth0 


  When I ping from kvm1 everything is ok:

host:~# grep 192.168.100.1 /proc/net/ip_conntrack
icmp     1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2

  But when I ping from kvm2 packets is not nated:

host:~# grep 192.168.200.2 /proc/net/ip_conntrack
icmp     1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2

  I use accounting rules and see that packets from 192.168.200.2 doesn't reach
nat POSTROUTING chain:

~# iptables-save  -c
# Generated by iptables-save v1.4.10 on Thu Feb  3 16:24:09 2011
*mangle
:PREROUTING ACCEPT [32:2252]
:INPUT ACCEPT [2:152]
:FORWARD ACCEPT [20:1400]
:OUTPUT ACCEPT [1:45]
:POSTROUTING ACCEPT [21:1445]
[10:840] -A FORWARD -s 192.168.200.2/32 
COMMIT
# Completed on Thu Feb  3 16:24:09 2011
# Generated by iptables-save v1.4.10 on Thu Feb  3 16:24:09 2011
*nat
:PREROUTING ACCEPT [2:196]
:INPUT ACCEPT [1:112]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:84]
[0:0] -A POSTROUTING -s 192.168.200.2/32 -o eth0 -j MASQUERADE 
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Thu Feb  3 16:24:09 2011
# Generated by iptables-save v1.4.10 on Thu Feb  3 16:24:09 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [20:1400]
:OUTPUT ACCEPT [0:0]
[10:840] -A FORWARD -s 192.168.200.2/32 
COMMIT
# Completed on Thu Feb  3 16:24:09 2011


  I tried 2.6.32.28 with same result :-(.
  Any ideas?

  Thanks.
Reply to:
Follow-Ups:
- Re: nat issue
  - From: Oleg <lego12239@yandex.ru>
- Re: nat issue
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Prev by Date: Re: Evolution - copy link location
Next by Date: Re: DHCP weirdness? broken?
Previous by thread: Re: Re: Hidden Wireless WPA2-PERSONAL AES-CCMP trouble
Next by thread: Re: nat issue
Index(es):
- Date
- Thread