[one-users] Using White-port correctly

Jaime Melis jmelis at opennebula.org
Wed May 23 02:25:13 PDT 2012


Hello Sean,

well, as you say it would be better to ask this to some iptables guru.

I'm assuming that the rule that isn't working is the PREROUTING rule, since
the forward rule can be double checked by changing the default policy to
ACCEPT.

If it's the PREROUTING rule I think the problem might be the '-d'
parameter. Were you specifying it correctly?

Also, did you have the static route in your host to reach the NAT network?

cheers,
Jaime

On Mon, May 14, 2012 at 5:19 PM, Sean Abbott <seabbott at akamai.com> wrote:

> This works!
>
> Ok, so I didn't need to add the route, because that was already there,
> presumably placed there by libvirt because in order for their default
> route to work it needs to be there.
>
> This setup is only minorly different than a number of different things I
> tried while playing with this last week, and although I know this may
> not be the correct forum, I would *REALLY* like to understand why this
> worked and what I did last week did not.  (Unfortunately, I did not keep
> as good a record as I should have on what I did do.)
>
> I've been doing iptables by using iptables-apply (and the one time I
> didn't I was trying to add some rules to log traffic and managed to add
> a tcp DROP that caused my machine to become totally unreachable).
>
> So, I've been iptables-save > somefile.iptables; cp somefile.iptables
> newfile.iptables, modding newfile.iptables, and then doing an
> # iptables-apply -t 60 newfile.iptables.
>
> Last week, I tried a number of variations.  There were never any rules
> in the nat table, so last week I would add lines like:
>
> *nat
> :PREROUTING ACCEPT [2449896:2486671730]
> -A PREROUTING -p tcp -d <external IP> --dport 4545 -j DNAT --to
> 192.168.122.10:4545
>
> then for the filter tables, in the FORWARD chain, before any other
> FORWARD rules, I was adding things like:
> :FORWARD ACCEPT [5957629:2882482096]
> -A FORWARD - tcp -d 192.168.122.10/32 -o virbr0 -d 192.168.122.10
> --dport 4545 -m state --state NEW -j ACCEPT
>
> (and, understand, RELATED and established I thought would be covered by
> this existing rule, placed automatically by libvirt:)
> -A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
>
> And there are numerous other variations I've tried.
>
> Now, this time, per your recommendation, I DID use -I instead of -A in
> both rules.  And, for the FORWARD rule, I used the whole network rather
> than the specific IP address.
>
> Can you or someone else please try and explain WHY your rules worked,
> and, using the examples that I've provided, why my old attempts did not?
>
> Again, I know this is quite possibly the wrong forum for these questions
> and if so, I apologize and I'll try and write something to an iptables
> forum.  I just really need to be able to understand what's happening so
> I can be more able to accomplish this on my own/faster next time.
>
> Thanks so much for your help!  It's great to get this working!
>
> (I actually removed my ability to connect to my onemaster with my early
> ill-placed DROP command, so I won't be able to work on getting the hooks
> or custom network drivers until I get that back, and I'm relying on some
> rather busy remote lab minions to recover that machine, so it may be a
> day or two.)
>
> Thanks again!
>
> sean
>
> On 05/14/2012 07:21 AM, Jaime Melis wrote:
> > Hello Sean,
> >
> > ok, I think we understand what you mean.
> >
> > There are two things here: (1) Getting the host to forward the port with
> > iptables (2) doing it automatically with OpenNebula using customized
> > network drivers:
> >
> > Let's start by achieving this manually and we can move on later on to
> > doing it automatically with OpenNebula:
> >
> > To do this you need to do the following in the host that's running the
> > gateway VM:
> >
> > * add an iptables rule to forward to the desired vm:
> > iptables -t nat -I PREROUTING -p tcp --dport <PORT> -j DNAT --to-destination <guest_vm_ip>:<PORT>
> >
> > * allow forwarding:
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > iptables -I FORWARD -m state -d <libvirt_nat_network>/24 --state
> > NEW,RELATED,ESTABLISHED -j ACCEPT
> >
> > * add a static route:
> > route add -net <libvirt_nat_network> netmask 255.255.255.0 dev <BRIDGE>
> >
> > Can you try this and let us know if it works?
> >
> > Cheers,
> > Jaime
> >
> > On Fri, May 11, 2012 at 7:08 PM, Sean Abbott <seabbott at akamai.com> wrote:
> >
> >     The hosts connect to each other through a backend network.  They're
> >     all on the same switch, and they use a bridge to that backend network to
> >     provide inter-vm connectivity.
> >
> >     So, in the templates below, fullbackend is connected to a bridge that
> >     goes to a private network.  natnet0 is connected to virbr0, which does
> >     IP masquerading out to the world via libvirt's default nat with
> >     libvirt's default iptables rules.  As I said, all that's working fine.
> >     So regardless of whether opennebula truly SUPPORTS it, it does work. :-)
> >
> >     All I need to do is get one port to forward to one vm and my setup will
> >     work wonderfully.
> >
> >     On 05/11/2012 11:01 AM, Jaime Melis wrote:
> >      > Dear Sean,
> >      >
> >      > OpenNebula does not support Libvirt's NAT-network (192.168.122.0/24).
> >      > You have to create a network environment as described here:
> >      > http://opennebula.org/documentation:rel3.4:plan#networking
> >      >
> >      > How are your hosts connected to each other?
> >      >
> >      > Regards,
> >      > Jaime
> >      >
> >      > On Fri, May 11, 2012 at 4:40 PM, Sean Abbott <seabbott at akamai.com> wrote:
> >      >> Hello,
> >      >>
> >      >> I have a setup intended for selenium grid.  I'll have a bunch of
> >      >> machines using the default NAT for internet access and a management
> >      >> network for communication between each other.  The template for these
> >      >> VMs is:
> >      >>
> >      >> NIC=[
> >      >>  MODEL=virtio,
> >      >>  NETWORK="natnet0",
> >      >>  NETWORK_UNAME=oneadmin ]
> >      >> NIC=[
> >      >>  MODEL=virtio,
> >      >>  NETWORK="fullbackend",
> >      >>  NETWORK_UNAME=oneadmin ]
> >      >>
> >      >>
> >      >> That's all working.  I need one VM to be able to communicate with the
> >      >> outside world on a single port (4444).  I've set up the template as follows:
> >      >>
> >      >> NIC=[
> >      >>  MODEL=virtio,
> >      >>  NETWORK="natnet0",
> >      >>  NETWORK_UNAME=oneadmin,
> >      >>  IP=192.168.122.100,
> >      >>  WHITE_PORTS_TCP=4444 ]
> >      >> NIC=[
> >      >>  MODEL=virtio,
> >      >>  NETWORK="fullbackend",
> >      >>  NETWORK_UNAME=oneadmin ]
> >      >>
> >      >> The resulting VM can still use the internet and it can still communicate
> >      >> with the other VMs.  I can communicate with it on port 4444 from the
> >      >> host that it's on, but not from outside.
> >      >>
> >      >> Is this what WHITE_PORTS_TCP is intended for?  Am I doing something wrong?
> >      >>
> >      >> Thanks!
> >      >>
> >      >> sean
> >      >> _______________________________________________
> >      >> Users mailing list
> >      >> Users at lists.opennebula.org
> >      >> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
> >      >
> >      >
> >
> >
> >
> >
> > --
> > Jaime Melis
> > Project Engineer
> > OpenNebula - The Open Source Toolkit for Cloud Computing
> > www.OpenNebula.org | jmelis at opennebula.org
>
>


-- 
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
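The rules Jaime lists, plus a check for why an appended FORWARD rule can silently fail on a libvirt host, as an added example that is not part of this thread or of OpenNebula; the host address 203.0.113.5, the function names and the saved-ruleset dumps are constructed placeholders:

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenNebula. It prints the
# host-side commands for one white-listed port, and lints an iptables-save
# dump for the ordering trap behind the "-A" vs "-I" question: libvirt ends
# FORWARD with REJECT rules, so an ACCEPT appended after them never matches.

# Print (do not run) the commands for forwarding one TCP port. PREROUTING
# matches the host's public address with -d; the FORWARD rule is inserted at
# the top of the chain and covers the whole NAT network plus state NEW.
gen_white_port_cmds() {
  ext_ip=$1; port=$2; guest_ip=$3; nat_net=$4
  printf '%s\n' \
    "iptables -t nat -I PREROUTING -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $guest_ip:$port" \
    "iptables -I FORWARD -d $nat_net -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT" \
    "sysctl -w net.ipv4.ip_forward=1"
}

# Read an iptables-save dump on stdin. Exit 0 when the NEW-state ACCEPT for
# $1 precedes every REJECT in FORWARD, 1 when a REJECT shadows it, 2 if absent.
check_forward_order() {
  awk -v net="$1" '
    /^\*/ { table = $1 }
    table == "*filter" && /^-A FORWARD / {
      n++
      if (!acc && index($0, "-d " net " ") && /NEW/ && /-j ACCEPT/) acc = n
      if (!rej && /-j REJECT/) rej = n
    }
    END { if (!acc) exit 2; if (rej && rej < acc) exit 1; exit 0 }'
}

# Constructed dump: libvirt's default FORWARD chain with the ACCEPT appended
# after the REJECTs, which is where "-A" leaves it.
APPENDED_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed dump: the same ACCEPT at the top, which is where "-I" leaves it.
INSERTED_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

gen_white_port_cmds 203.0.113.5 4444 192.168.122.100 192.168.122.0/24
printf '%s\n' "$APPENDED_DUMP" | check_forward_order 192.168.122.0/24 || echo "appended ACCEPT is shadowed (rc=$?)"
```

Run the lint against a real `iptables-save` dump after applying a ruleset with iptables-apply; a non-zero exit shows the ACCEPT sits below libvirt's REJECT rules.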