Re: iptables, virtualbox and port forwarding
Hello,
berenger.morel@neutralite.org wrote:
>
> I am trying to build a virtual network exposing servers accessible from
> the LAN.
[...]
> So I ask for 2 things:
> _ help on this particular problem
> _ if someone knows about resources to learn and understand how exactly
> iptables work, this would help me a lot in the future
- Oskar Andreasson's iptables tutorial.
- netfilter and iptables articles in Wikipedia.
> For my particular problem.
>
> I have an eth0 interface, the real one, on ip 172.20.14.0/24.
> I made a vlan in my /etc/network/interfaces, like this:
> ##############################
> auto eth0.1
> iface eth0.1 inet static
> address 10.10.10.1
> netmask 255.255.255.0
> vlan-raw-device eth0
> ##############################
What is the purpose of this VLAN?
> In fact, I used the package vlan and some configuration inside
> /etc/network/interfaces of the host to have the host having a virtual
> second ethernet connection, on which the VMs are connected.
> In fact, there are 2 LANs, with the host computer being the
> router.
A VLAN interface is not a virtual ethernet interface for communicating
with VMs. It is a sub-interface which transmits and receives ethernet
frames with a given IEEE 802.1Q tag. Usually the VM managers such as
virtualbox create their own virtual interface(s) on the host to
communicate with the VMs.
> On that network, I have some VMs with static IPs, and the one on which
> I try to make the configuration for testing and learning purposes has an
> apache2 server running and up (I can query it from my physical
> computer). It is using 2 network interfaces, a NAT one and a bridged
> one, but for the others I would like to remove the NAT one, since I need
> them to simulate the production servers (which are VMs too, but my
> company does not control the system on which they are running. Otherwise
> it would have been far easier: I would have read how it does it to
> understand things), which only have one interface (eth0).
>
> Both LANs (the physical one and the virtual one) work perfectly, but
> now I would like to allow 2 things:
> _ VMs to access the physical LAN, so that they can access the apt
> proxy I have installed there for installing software and updates
- Enable IP forwarding on the host acting as a router.
# sysctl -w net.ipv4.ip_forward=1
- Presumably, you need to masquerade forwarded packets from VMs to the
physical LAN if the physical hosts or their router doesn't have a route
to your virtual LAN.
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> _ physical computers accessing VMs through some ports of my computer.
> For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will
> do that port forwarding for ssh ( port 22 ), http ( port 80 ) and
> postgresql ( port 5432 ) connections in a first time.
- You need port forwarding only if the physical hosts or their router
doesn't have a route to your virtual LAN.
# iptables -t nat -A PREROUTING -i eth0 -d 172.20.14.XX \
-p tcp --dport 80 -j DNAT --to 10.10.10.30
(and so on for each port)
> And to add to the fun, I remember having discovered after several hours
> last week that the port forwarding rules I built did not allow the
> host computer to access the VM, at least not when asking on the host's
> IP (aka 172.20.14.XX).
- For this you need to do the port forwarding on locally generated packets.
# iptables -t nat -A OUTPUT -d 172.20.14.XX -p tcp --dport 80 \
-j DNAT --to 10.10.10.30
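The whole host-side configuration this reply describes (IP forwarding, masquerading towards the physical LAN, and DNAT in both PREROUTING and OUTPUT for each forwarded port), gathered into one script. This is an added example, not code from the original message: the host address 172.20.14.XX in the thread is a placeholder, so HOST_IP below is an assumed value, and the FORWARD-chain rules are an addition so the forwarded connections are still accepted when the FORWARD policy is DROP. By default it only prints the rules (DRY_RUN=1) so they can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): host routing between
# the physical LAN (eth0, 172.20.14.0/24) and the virtual LAN (10.10.10.0/24).

WAN_IF="eth0"            # interface on the physical LAN
VM_NET="10.10.10.0/24"   # virtual LAN the VMs live on
HOST_IP="172.20.14.10"   # ASSUMED value; the thread writes 172.20.14.XX
VM_IP="10.10.10.30"      # VM running apache2, from the thread
PORTS="22 80 5432"       # ssh, http, postgresql, as listed in the thread

# Print a command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the complete rule set. Arguments: host IP, VM IP, list of TCP ports.
forward_rules() {
    host="$1"; vm="$2"; ports="$3"
    # 1. the host must route between the two LANs
    run sysctl -w net.ipv4.ip_forward=1
    # 2. VMs reaching the physical LAN are hidden behind the host's address,
    #    needed when physical hosts have no route back to the virtual LAN
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # 3. FORWARD chain: replies, plus new VM-initiated connections outwards
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -s "$VM_NET" -o "$WAN_IF" -j ACCEPT
    for p in $ports; do
        # 4. physical LAN -> host:port is rewritten to vm:port before routing
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$host" -p tcp \
            --dport "$p" -j DNAT --to-destination "$vm"
        # 5. the same rewrite for packets the host itself sends to its own
        #    address; PREROUTING never sees locally generated packets
        run iptables -t nat -A OUTPUT -d "$host" -p tcp \
            --dport "$p" -j DNAT --to-destination "$vm"
        # 6. accept the rewritten connection in the FORWARD chain
        run iptables -A FORWARD -i "$WAN_IF" -d "$vm" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Quick sanity check on the generated set: number of DNAT rules (two per port).
count_dnat() {
    forward_rules "$@" | grep -c -- '-j DNAT'
}

# Usage: review first, then apply with  DRY_RUN=0 sh thisscript.sh  as root.
forward_rules "$HOST_IP" "$VM_IP" "$PORTS"
```

The OUTPUT-chain DNAT is what fixes the "works from the LAN but not from the host itself" symptom: locally generated packets skip PREROUTING entirely, so without step 5 a connection from the host to its own address never gets rewritten.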