[one-users] iptables commands to run for externally accessing the applications running in a VM in a virtual LAN set up on a dedicated root server

Valentin Bud valentin.bud at gmail.com
Thu May 23 22:48:38 PDT 2013


Hi Qiubo,

For directing traffic for a specific application (port) to a virtual
machine I use the following:

root@host # cat /etc/network/iptables

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT

# Direct HTTP(S) traffic to 192.168.120.100
-A PREROUTING -s 0.0.0.0/0 -d 172.20.85.28/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.120.100
-A PREROUTING -s 0.0.0.0/0 -d 172.20.85.28/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.120.100

COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
:PUBLIC -

# INPUT CHAIN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j PUBLIC

# FORWARD CHAIN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j PUBLIC

# OUTPUT CHAIN
-A OUTPUT -d 224.0.0.0/4 -o eth0 -j DROP

# PUBLIC CHAIN
-A PUBLIC -s 0.0.0.0/0 -d 192.168.120.100/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A PUBLIC -s 0.0.0.0/0 -d 192.168.120.100/32 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

COMMIT

The above permits all RELATED/ESTABLISHED traffic to pass through the
firewall on both INPUT and FORWARD chains. It also permits traffic to pass
freely on the lo (loopback) interface.

All traffic coming in on eth0 is directed to the PUBLIC CHAIN.

On the PUBLIC CHAIN I allow traffic to destination ports 80 and 443 to the
inside (LAN) IP address.

To start the iptables on boot I have the following in
`/etc/network/interfaces`:

# Loopback device:
auto lo
iface lo inet loopback

        ### Start and configure iptables and ip6tables at startup
        up iptables-restore < /etc/network/iptables
        up ip6tables-restore < /etc/network/ip6tables

WARNING: The above is only an example and should not be blindly copied and
expected to work. In fact it will not work, it will block your access to
the machine (host) in question and allow only HTTP(S) traffic to the
specified VM.

Cheers and Goodwill,

On Fri, May 24, 2013 at 4:19 AM, Qiubo Su (David Su) <qiubosu at gmail.com> wrote:

> Dear OpenNebula Community,
>
> I want to install/configure a virtual LAN (192.168.120.0/24) on one
> dedicated root server in a data center.
>
> eth0 is the physical interface of this root server. virbr0 is the default
> virtual LAN switch provided by libvirtd (virbr0-nic is the corresponding
> virtual interface of virbr0). The virtual network switch is in NAT mode.
> There is a VM in this virtual LAN, and some applications run in this VM. To
> externally access the applications (e.g. web server) running in the VM, I
> need to use iptables commands similar to those below:
>
> "
>
> LAN="virbr0"
> WAN="eth0"
> LAN_IP="192.168.120.1"
> WAN_IP="172.20.85.28"
> VM_IP="192.168.120.100"
>
> iptables -t nat -A PREROUTING -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $VM_IP
>
> iptables -t nat -A POSTROUTING -p tcp -d $LAN_IP --dport 80 -j SNAT --to-source $VM_IP
>
> iptables -t nat -A OUTPUT -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $VM_IP
>
> iptables -i FORWARD -p tcp -m tcp --in-interface $WAN --out-interface $LAN -d $VM_IP --dport 80 --j ACCEPT
>
> "
>
> However, after running the .sh script with the above iptables commands, I
> get the error below:
>
> "
>
> iptables v1.4.12: multiple -i flags not allowed
>
> Try `iptables -h' or 'iptables --help' for more information.
>
> "
>
> Running the .sh script after commenting out the command "iptables -i FORWARD
> -p tcp -m tcp --in-interface $WAN --out-interface $LAN -d $VM_IP --dport 80
> --j ACCEPT", there is no error in the output, but I can only locally access
> the VM web server with the registered domain name (i.e. I can locally access
> the website hosted on the VM web server, within the virtual LAN scope), but
> can't externally access the website hosted on this VM web server.
>
> There may be some problem with this iptables .sh script. It would be much
> appreciated if anyone could assist with this.
>
> thanks,
> Q.S.
>


-- 
w: http://databus.ro/blog
in: http://www.linkedin.com/pub/valentin-bud/9/881/830
t: https://twitter.com/valentinbud
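A corrected form of the forwarding script from the question, as an added example (not code from either message): it prints the commands instead of running them, selects the chain with -A/-I rather than -i, and inserts the FORWARD accept ahead of the REJECT rules that libvirt's NAT network adds to FORWARD for virbr0 (an appended rule would sit behind them and never match). Interface and address names are the ones from the question; the review helper at the end is my own check, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables commands that expose
# TCP ports of a NAT'ed VM through the host's public address, using the names
# from the question: eth0 (public), virbr0 (libvirt bridge), 172.20.85.28,
# 192.168.120.100. Review the output, then run it as root (e.g. "... | sh").

vm_port_forward_rules() {
    wan_if=$1 lan_if=$2 wan_ip=$3 vm_ip=$4
    shift 4
    # Routing between eth0 and virbr0 needs forwarding on (libvirt usually sets it).
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Reply packets of connections that were already forwarded.
    echo "iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for port in "$@"; do
        # Rewrite the public address to the VM address on arrival.
        echo "iptables -t nat -A PREROUTING -p tcp -d $wan_ip --dport $port -j DNAT --to-destination $vm_ip"
        # Same rewrite for connections the host itself opens to its public address.
        echo "iptables -t nat -A OUTPUT -p tcp -d $wan_ip --dport $port -j DNAT --to-destination $vm_ip"
        # Let the rewritten packets cross from eth0 to the bridge. The chain is
        # selected with -I/-A; "-i FORWARD" would be a second input-interface
        # option, which is the "multiple -i flags" error from the question.
        # Position 2 keeps the rule ahead of the REJECT rules libvirt's NAT
        # network adds to FORWARD for virbr0; an appended rule would never match.
        echo "iptables -I FORWARD 2 -i $wan_if -o $lan_if -p tcp -d $vm_ip --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Review helper (my own check, not an iptables feature): every port that is
# DNATed must also have a FORWARD ACCEPT, otherwise the filter table drops or
# rejects what the nat table just redirected.
check_forward_for_dnat() {
    rules=$1
    for port in $(printf '%s\n' "$rules" | grep -- '-j DNAT' | sed 's/.*--dport \([0-9]*\).*/\1/' | sort -u); do
        printf '%s\n' "$rules" | grep -q -- "FORWARD .*--dport $port .*-j ACCEPT" || return 1
    done
    return 0
}

# Example invocation with the two ports from the thread.
rules=$(vm_port_forward_rules eth0 virbr0 172.20.85.28 192.168.120.100 80 443)
check_forward_for_dnat "$rules" && printf '%s\n' "$rules"
```

If libvirt later (re)starts the network it inserts its own rules at the head of FORWARD again, so these commands have to be reapplied afterwards; libvirt's hook script mechanism is the usual place for that.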