Re: nat issue
Sorry. I forgot about routes on the host machine:
host:~# ip rou
192.168.100.0/24 dev tap0 proto kernel scope link src 192.168.100.2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.254
192.168.200.0/24 via 192.168.100.1 dev tap0
default via 192.168.0.1 dev eth0
On Thu, Feb 03, 2011 at 04:26:29PM +0300, Oleg wrote:
> Hi.
>
> I have a strange behaviour of iptables nat. I use several kvm instances on
> my host machine in the following configuration:
>
>
> INET <-- (eth0)[host](tap0) <-- [kvm1] <-- [kvm2]
>
> another view:
>
> INET
> ^
> |
> 192.168.0.178/24
> [host]
> 192.168.100.2/24
> ^
> |
> 192.168.100.1/24
> [kvm1]
> 192.168.200.1/24
> ^
> |
> 192.168.200.2/24
> [kvm2]
>
>
> The host has the following configuration:
>
> host:~# iptables -V
> iptables v1.4.10
> host:~# uname -r
> 2.6.36.3-kvm64
> host:~# cat /etc/issue
> Debian GNU/Linux 5.0 \n \l
>
> host:~# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> host:~# iptables-save
> # Generated by iptables-save v1.4.10 on Thu Feb 3 15:53:45 2011
> *nat
> :PREROUTING ACCEPT [158:19117]
> :INPUT ACCEPT [142:17947]
> :OUTPUT ACCEPT [1273:77619]
> :POSTROUTING ACCEPT [23:1515]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Feb 3 15:53:45 2011
> # Generated by iptables-save v1.4.10 on Thu Feb 3 15:53:45 2011
> *filter
> :INPUT ACCEPT [41870:22423799]
> :FORWARD ACCEPT [1111:78128]
> :OUTPUT ACCEPT [40741:4677024]
> COMMIT
> # Completed on Thu Feb 3 15:53:45 2011
>
> host:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> link/ether 00:1c:23:9f:8f:7a brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.178/24 brd 192.168.0.255 scope global eth0
> inet6 fe80::21c:23ff:fe9f:8f7a/64 scope link
> valid_lft forever preferred_lft forever
> 3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
> link/ether 00:1c:26:ac:50:fd brd ff:ff:ff:ff:ff:ff
> 4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> link/ether 86:15:91:d2:a7:dd brd ff:ff:ff:ff:ff:ff
> inet 192.168.100.2/24 scope global tap0
> inet6 fe80::8415:91ff:fed2:a7dd/64 scope link
> valid_lft forever preferred_lft forever
> 5: tap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> link/ether 8e:ab:8b:d0:3e:bd brd ff:ff:ff:ff:ff:ff
> inet6 fe80::8cab:8bff:fed0:3ebd/64 scope link
> valid_lft forever preferred_lft forever
> 10: tap4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
> link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
> inet6 fe80::5823:72ff:fed4:412f/64 scope link
> valid_lft forever preferred_lft forever
> 12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
> link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
> inet6 fe80::5823:72ff:fed4:412f/64 scope link
> valid_lft forever preferred_lft forever
>
> host:~# brctl show
> bridge name bridge id STP enabled interfaces
> br0 8000.5a2372d4412f no tap2
> tap4
>
> kvm1 links to the host through tap0 and to kvm2 through tap2 (br0). kvm2 links
> to kvm1 through tap4 (br0).
>
> kvm1 configuration:
>
> kvm1:~# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> kvm1:~# iptables-save
> iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
>
> kvm1:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
> inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
> inet6 fe80::5054:ff:fe12:3456/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 54:52:00:12:34:57 brd ff:ff:ff:ff:ff:ff
> inet 192.168.200.1/24 brd 192.168.200.255 scope global eth1
> inet6 fe80::5652:ff:fe12:3457/64 scope link
> valid_lft forever preferred_lft forever
>
> kvm1:~# ip rou
> 192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.1
> 192.168.200.0/24 dev eth1 proto kernel scope link src 192.168.200.1
> default via 192.168.100.2 dev eth0
>
>
> kvm2 configuration:
>
> kvm2:~# iptables-save
> iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
>
> kvm2:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
> link/ether 54:52:00:12:34:60 brd ff:ff:ff:ff:ff:ff
> inet 192.168.200.2/24 brd 192.168.200.255 scope global eth0
> inet6 fe80::5652:ff:fe12:3460/64 scope link
> valid_lft forever preferred_lft forever
>
> kvm2:~# ip rou
> 192.168.200.0/24 dev eth0 proto kernel scope link src 192.168.200.2
> default via 192.168.200.1 dev eth0
>
>
> When I ping from kvm1, everything is OK:
>
> host:~# grep 192.168.100.1 /proc/net/ip_conntrack
> icmp 1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2
>
> But when I ping from kvm2, packets are not NATed:
>
> host:~# grep 192.168.200.2 /proc/net/ip_conntrack
> icmp 1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2
>
> I use accounting rules and see that packets from 192.168.200.2 don't reach
> the nat POSTROUTING chain:
>
> ~# iptables-save -c
> # Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
> *mangle
> :PREROUTING ACCEPT [32:2252]
> :INPUT ACCEPT [2:152]
> :FORWARD ACCEPT [20:1400]
> :OUTPUT ACCEPT [1:45]
> :POSTROUTING ACCEPT [21:1445]
> [10:840] -A FORWARD -s 192.168.200.2/32
> COMMIT
> # Completed on Thu Feb 3 16:24:09 2011
> # Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
> *nat
> :PREROUTING ACCEPT [2:196]
> :INPUT ACCEPT [1:112]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [1:84]
> [0:0] -A POSTROUTING -s 192.168.200.2/32 -o eth0 -j MASQUERADE
> [0:0] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Feb 3 16:24:09 2011
> # Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [20:1400]
> :OUTPUT ACCEPT [0:0]
> [10:840] -A FORWARD -s 192.168.200.2/32
> COMMIT
> # Completed on Thu Feb 3 16:24:09 2011
>
>
> I tried 2.6.32.28 with the same result :-(.
> Any ideas?
>
> Thanks.
>
>
> Archive: http://lists.debian.org/20110203132629.GA9723@debian
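The thread's diagnosis rests on reading the two conntrack entries by hand: in the working flow the reply tuple's dst is the host's external address (192.168.0.178), in the broken one it is still the guest's private address, which shows that MASQUERADE never touched it. The script below is an added example, not code from the thread, that automates exactly that check over the legacy /proc/net/ip_conntrack line format shown in the post. It assumes that format (one flow per line: protocol, protocol number, timeout, original tuple, optional [UNREPLIED], reply tuple, then mark/secmark/use); newer kernels expose the same fields via /proc/net/nf_conntrack with a leading address-family prefix, and `conntrack -L` prints a similar layout. The two sample lines are constructed from the post so the script runs offline; the subnet list is an assumed parameter.

```python
"""Flag conntrack flows that left the NAT box without source translation.

Added example for the debian-user "nat issue" thread; not code from the
original post. Parses the legacy /proc/net/ip_conntrack text format and
reports flows from a private subnet headed off-net whose reply tuple still
points at the private source, i.e. SNAT/MASQUERADE was not applied.
"""
import ipaddress
import re

# Constructed sample: the two conntrack lines quoted in the post.
SAMPLE_CONNTRACK = """\
icmp 1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2
icmp 1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2
"""

_KV = re.compile(r"(\w+)=(\S+)")
_PER_CONN_KEYS = ("mark", "secmark", "use")  # trailing fields, not tuple members


def parse_conntrack_line(line):
    """Split one ip_conntrack line into protocol, timeout and the two tuples.

    The original-direction tuple starts at the first src= token, the
    reply-direction tuple at the second; state words such as ESTABLISHED,
    [UNREPLIED] or [ASSURED] are not key=value and are skipped.
    """
    parts = line.split()
    proto, timeout = parts[0], int(parts[2])
    unreplied = "[UNREPLIED]" in parts
    orig, reply = {}, {}
    current = None
    for tok in parts[3:]:
        m = _KV.fullmatch(tok)
        if not m:
            continue
        key, val = m.groups()
        if key in _PER_CONN_KEYS:
            break
        if key == "src":
            current = orig if not orig else reply
        if current is not None:
            current[key] = val
    return {"proto": proto, "timeout": timeout, "unreplied": unreplied,
            "orig": orig, "reply": reply}


def is_source_natted(entry):
    """True when replies are addressed to something other than the original
    source, which is what MASQUERADE/SNAT produces in the reply tuple."""
    return entry["reply"].get("dst") != entry["orig"].get("src")


def find_unnatted_flows(conntrack_text, private_nets):
    """Return (src, dst, unreplied) for flows from private_nets that leave
    the private address space without source NAT. Assumed parameter:
    private_nets is an iterable of CIDR strings for the networks that are
    supposed to be masqueraded."""
    nets = [ipaddress.ip_network(n) for n in private_nets]
    findings = []
    for line in conntrack_text.splitlines():
        if not line.strip():
            continue
        e = parse_conntrack_line(line)
        src = ipaddress.ip_address(e["orig"]["src"])
        dst = ipaddress.ip_address(e["orig"]["dst"])
        if not any(src in n for n in nets):
            continue            # not one of our guests
        if any(dst in n for n in nets):
            continue            # guest-to-guest traffic is not masqueraded
        if not is_source_natted(e):
            findings.append((str(src), str(dst), e["unreplied"]))
    return findings


if __name__ == "__main__":
    for src, dst, unreplied in find_unnatted_flows(
            SAMPLE_CONNTRACK, ["192.168.100.0/24", "192.168.200.0/24"]):
        state = "UNREPLIED" if unreplied else "replied"
        print(f"no source NAT: {src} -> {dst} ({state})")
```

Run against the live table with `python3 script.py < /proc/net/ip_conntrack` after swapping `SAMPLE_CONNTRACK` for `sys.stdin.read()`; a hit with UNREPLIED set, as for 192.168.200.2 here, means the first packet was forwarded but never reached a matching nat POSTROUTING rule, so the next things to check are the host's routes for that subnet and rp_filter on the ingress interface.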