[one-users] Using White-port correctly

Sean Abbott seabbott at akamai.com
Mon May 14 08:19:25 PDT 2012


This works!

Ok, so I didn't need to add the route, because that was already there,
presumably placed there by libvirt because in order for their default
route to work it needs to be there.

This setup is only slightly different from a number of things I tried
while playing with this last week, and although I know this may not be
the correct forum, I would *REALLY* like to understand why this worked
and what I did last week did not.  (Unfortunately, I did not keep as
good a record as I should have of what I did.)

I've been doing iptables by using iptables-apply (and the one time I
didn't, I was trying to add some rules to log traffic and managed to add
a tcp DROP that caused my machine to become totally unreachable).

So, I've been iptables-save > somefile.iptables; cp somefile.iptables
newfile.iptables, modding newfile.iptables, and then doing an
# iptables-apply -t 60 newfile.iptables.

Last week, I tried a number of variations.  There were never any rules
in the nat table, so last week I would add lines like:

*nat
:PREROUTING ACCEPT [2449896:2486671730]
-A PREROUTING -p tcp -d <external IP> --dport 4545 -j DNAT --to
192.168.122.10:4545

then for the filter table, in the FORWARD chain, before any other
FORWARD rules, I was adding things like:
:FORWARD ACCEPT [5957629:2882482096]
-A FORWARD -p tcp -d 192.168.122.10/32 -o virbr0 --dport 4545
-m state --state NEW -j ACCEPT

(and, understand, RELATED and established I thought would be covered by
this existing rule, placed automatically by libvirt:)
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state
RELATED,ESTABLISHED -j ACCEPT

And there are numerous other variations I've tried.

Now, this time, per your recommendation, I DID use -I instead of -A in
both rules.  And, for the FORWARD rule, I used the whole network rather
than the specific IP address.

Can you or someone else please try and explain WHY your rules worked,
and, using the examples that I've provided, why my old attempts did not?

Again, I know this is quite possibly the wrong forum for these questions
and if so, I apologize and I'll try and write something to an iptables
forum.  I just really need to be able to understand what's happening so
I can be more able to accomplish this on my own/faster next time.

Thanks so much for your help!  It's great to get this working!

(I actually removed my ability to connect to my onemaster with my early
ill-placed DROP command, so I won't be able to work on getting the hooks
or custom network drivers until I get that back, and I'm relying on some
rather busy remote lab minions to recover that machine, so it may be a
day or two.)

Thanks again!

sean

On 05/14/2012 07:21 AM, Jaime Melis wrote:
> Hello Sean,
> 
> ok, I think we understand what you mean.
> 
> There are two things here: (1) Getting the host to forward the port with 
> iptables (2) doing it automatically with OpenNebula using customized network 
> drivers:
> 
> Let's start by achieving this manually and we can move on later on to doing it 
> automatically with OpenNebula:
> 
> To do this you need to do the following in the host that's running the gateway VM:
> 
> * add an iptables rule to forward to the desired vm:
> iptables -t nat -I PREROUTING -p tcp --dport <PORT> -j DNAT --to-destination 
> <guest_vm_ip>:<PORT>
> 
> * allow forwarding:
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -I FORWARD -m state -d <libvirt_nat_network>/24 --state 
> NEW,RELATED,ESTABLISHED -j ACCEPT
> 
> * add a static route:
> route add -net <libvirt_nat_network> netmask 255.255.255.0 dev <BRIDGE>
> 
> Can you try this and let us know if it works?
> 
> Cheers,
> Jaime
> 
> On Fri, May 11, 2012 at 7:08 PM, Sean Abbott <seabbott at akamai.com> wrote:
> 
>     The hosts connect to each other through a backend network.  They're all
>     on the same switch, and they use a bridge to that backend network to
>     provide inter-vm connectivity.
> 
>     So, in the templates below, fullbackend is connected to a bridge that
>     goes to a private network.  natnet0 is connected to virbr0, which does
>     IP masquerading out to the world via libvirt's default nat with
>     libvirt's default iptables rules.  As I said, all that's working fine.
>     So regardless of whether opennebula truly SUPPORTS it, it does work.  :-)
> 
>     All I need to go is get one port to forward to one vm and my setup will
>     work wonderfully.
> 
>     On 05/11/2012 11:01 AM, Jaime Melis wrote:
>      > Dear Sean,
>      >
>      > OpenNebula does not support Libvirt's NAT-network (192.168.122.0/24).
>      > You have to create a network environment as described here:
>      > http://opennebula.org/documentation:rel3.4:plan#networking
>      >
>      > How are your hosts connected to each other?
>      >
>      > Regards,
>      > Jaime
>      >
>      > On Fri, May 11, 2012 at 4:40 PM, Sean Abbott <seabbott at akamai.com> wrote:
>      >> Hello,
>      >>
>      >> I have a setup intended for selenium grid.  I'll have a bunch of
>      >> machines using the default NAT for internet access and a management
>      >> network for communication between each other.  The template for these
>      >> VMs is:
>      >>
>      >> NIC=[
>      >>  MODEL=virtio,
>      >>  NETWORK="natnet0",
>      >>  NETWORK_UNAME=oneadmin ]
>      >> NIC=[
>      >>  MODEL=virtio,
>      >>  NETWORK="fullbackend",
>      >>  NETWORK_UNAME=oneadmin ]
>      >>
>      >>
>      >> That's all working.  I need one VM to be able to communicate with the
>      >> outside world on a single port (4444).  I've set up template as follows:
>      >>
>      >> NIC=[
>      >>  MODEL=virtio,
>      >>  NETWORK="natnet0",
>      >>  NETWORK_UNAME=oneadmin,
>      >>  IP=192.168.122.100,
>      >>  WHITE_PORTS_TCP=4444 ]
>      >> NIC=[
>      >>  MODEL=virtio,
>      >>  NETWORK="fullbackend",
>      >>  NETWORK_UNAME=oneadmin ]
>      >>
>      >> The resulting VM can still use the internet and it can still communicate
>      >> with the other VMs.  I can communicate with it on port 4444 from the
>      >> host that it's on, but not from outside.
>      >>
>      >> Is this what WHITE_PORTS_TCP is intended for?  Am I doing something wrong?
>      >>
>      >> Thanks!
>      >>
>      >> sean
>      >> _______________________________________________
>      >> Users mailing list
>      >> Users at lists.opennebula.org
>      >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>      >
>      >
> 
> 
> 
> 
> -- 
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | jmelis at opennebula.org
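Added example, not code from this thread or from OpenNebula/libvirt: a small Python model of iptables' first-match evaluation over the FORWARD chain. It loads the stock FORWARD rules libvirt installs for its NAT network (reconstructed here from libvirt's usual layout; compare against `iptables -S FORWARD` on a real host), then adds the per-port rule and the whole-network rule from the messages above either appended (-A) or inserted at position 1 (-I). The external address 203.0.113.5, the guest at 192.168.122.10 and the helper `verdict_with` are constructed for the illustration. It shows the positional effect rather than diagnosing every earlier attempt: a rule appended after libvirt's `-o virbr0 -j REJECT` never sees a NEW inbound connection, while the same rule inserted at the top does.

```python
"""First-match model of the FORWARD chain on a libvirt NAT host.

Added example; not from the thread or from libvirt/OpenNebula. The libvirt
rules below are reconstructed from its usual default-network layout.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state as `-m state` sees it


@dataclass(frozen=True)
class Rule:
    """Subset of iptables matches; None means 'not given' and matches anything."""
    target: str                      # ACCEPT / REJECT / DROP
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    src: Optional[str] = None        # -s CIDR
    dst: Optional[str] = None        # -d CIDR
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    states: Optional[frozenset] = None  # -m state --state A,B

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.out_iface is not None and self.out_iface != p.out_iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I (position 1)
        self.rules.insert(0, rule)

    def verdict(self, p: Packet) -> str:
        """First matching rule wins; the chain policy applies if none match."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


LIBVIRT_NET = "192.168.122.0/24"
BRIDGE = "virbr0"


def libvirt_default_forward() -> Chain:
    """Stock FORWARD rules libvirt adds for its NAT network (reconstructed)."""
    c = Chain("ACCEPT")
    c.append(Rule("ACCEPT", out_iface=BRIDGE, dst=LIBVIRT_NET,
                  states=frozenset({"RELATED", "ESTABLISHED"})))
    c.append(Rule("ACCEPT", in_iface=BRIDGE, src=LIBVIRT_NET))
    c.append(Rule("ACCEPT", in_iface=BRIDGE, out_iface=BRIDGE))
    c.append(Rule("REJECT", out_iface=BRIDGE))   # --reject-with icmp-port-unreachable
    c.append(Rule("REJECT", in_iface=BRIDGE))
    return c


# Per-port rule from the thread: NEW connections to one guest, one port.
PER_PORT_RULE = Rule("ACCEPT", out_iface=BRIDGE, dst="192.168.122.10/32",
                     proto="tcp", dport=4545, states=frozenset({"NEW"}))
# Whole-network rule that was recommended: every port on every guest.
WHOLE_NET_RULE = Rule("ACCEPT", dst=LIBVIRT_NET,
                      states=frozenset({"NEW", "RELATED", "ESTABLISHED"}))

# Constructed packets: inbound SYNs after PREROUTING has DNATed them to the guest.
INBOUND_SYN = Packet("eth0", BRIDGE, "203.0.113.5", "192.168.122.10", dport=4545)
INBOUND_SSH = Packet("eth0", BRIDGE, "203.0.113.5", "192.168.122.10", dport=22)


def verdict_with(rule: Rule, how: str, pkt: Packet) -> str:
    """Add `rule` to libvirt's chain via 'append' (-A) or 'insert' (-I), evaluate pkt."""
    chain = libvirt_default_forward()
    getattr(chain, how)(rule)
    return chain.verdict(pkt)


if __name__ == "__main__":
    print("-A per-port, 4545:", verdict_with(PER_PORT_RULE, "append", INBOUND_SYN))
    print("-I per-port, 4545:", verdict_with(PER_PORT_RULE, "insert", INBOUND_SYN))
    print("-I per-port, 22:  ", verdict_with(PER_PORT_RULE, "insert", INBOUND_SSH))
    print("-I whole-net, 22: ", verdict_with(WHOLE_NET_RULE, "insert", INBOUND_SSH))
```

Two things follow from the model. First, the position is what matters, not the /24 versus /32: the per-port rule inserted with -I accepts 4545 and still rejects 22, while the whole-network rule inserted with -I accepts every port on every guest in 192.168.122.0/24, so anything the host forwards toward that network reaches it; the narrower rule is the one to keep. Second, the same ordering applies when loading a saved file with iptables-restore or iptables-apply: rules are restored in file order, so a FORWARD ACCEPT line must appear before libvirt's two REJECT lines in the file. The nat PREROUTING DNAT is unaffected either way, since libvirt's own nat rules live in POSTROUTING.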



