[one-users] iptables commands to run for external access to the applications running in a VM in a virtual LAN set up on a dedicated root server

Qiubo Su (David Su) qiubosu at gmail.com
Sat May 25 15:01:33 PDT 2013


dear valentin,

thank you very much for your help.

I got the iptables thing working already in my virtual network
environment; both your version and mine are working.

By the way, good to know you're doing so well.

cheers,
q.s.



On Fri, May 24, 2013 at 5:48 PM, Valentin Bud <valentin.bud at gmail.com> wrote:

> Hi Qiubo,
>
> For directing traffic for a specific application (port) to a virtual
> machine I use the following:
>
> root at host # cat /etc/network/iptables
>
> *nat
> :PREROUTING ACCEPT
> :POSTROUTING ACCEPT
> :OUTPUT ACCEPT
>
> # Direct HTTP(S) traffic to 192.168.120.100
> -A PREROUTING -s 0.0.0.0/0 -d 172.20.85.28/32 -p tcp --dport 80 -j DNAT
> --to-destination 192.168.120.100
> -A PREROUTING -s 0.0.0.0/0 -d 172.20.85.28/32 -p tcp --dport 443 -j DNAT
> --to-destination 192.168.120.100
>
> COMMIT
> *filter
> :INPUT DROP
> :FORWARD DROP
> :OUTPUT ACCEPT
> :PUBLIC -
>
> # INPUT CHAIN
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -j PUBLIC
>
> # FORWARD CHAIN
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A FORWARD -i eth0 -j PUBLIC
>
> # OUTPUT CHAIN
> -A OUTPUT -d 224.0.0.0/4 -o eth0 -j DROP
>
> # PUBLIC CHAIN
> -A PUBLIC -s 0.0.0.0/0 -d 192.168.120.100/32 -p tcp -m state --state NEW
> -m tcp --dport 80 -j ACCEPT
> -A PUBLIC -s 0.0.0.0/0 -d 192.168.120.100/32 -p tcp -m state --state NEW
> -m tcp --dport 443 -j ACCEPT
>
> COMMIT
>
> The above permits all RELATED/ESTABLISHED traffic to pass through the
> firewall on both INPUT and FORWARD chains. It also permits traffic to pass
> freely on the lo (loopback) interface.
>
> All traffic coming in on eth0 is directed to the PUBLIC CHAIN.
>
> On the PUBLIC CHAIN I allow traffic to destination ports 80 and 443 to the
> inside (LAN) IP address.
>
> To start the iptables on boot I have the following in
> `/etc/network/interfaces`:
>
> # Loopback device:
> auto lo
> iface lo inet loopback
>
>         ### Start and configure iptables and ip6tables at startup
>         up iptables-restore < /etc/network/iptables
>         up ip6tables-restore < /etc/network/ip6tables
>
> WARNING: The above is only an example and should not be blindly copied and
> expected to work. In fact it will not work, it will block your access to
> the machine (host) in question and allow only HTTP(S) traffic to the
> specified VM.
>
> Cheers and Goodwill,
>
> On Fri, May 24, 2013 at 4:19 AM, Qiubo Su (David Su) <qiubosu at gmail.com> wrote:
>
>> Dear OpenNebula Community,
>>
>> I want to install/configure a virtual LAN (192.168.120.0/24) in one
>> dedicated root server in data center.
>>
>> eth0 is the physical interface of this root server. virbr0 is the default
>> virtual LAN switch provided by libvirtd (virbr0-nic is the corresponding
>> virtual interface of virbr0). The virtual network switch is in NAT mode. A
>> VM is in this virtual LAN, and some applications run in this VM. To access
>> the applications (e.g. web server) running in the VM from outside, I need
>> to use iptables commands similar to the ones below:
>>
>> "
>>
>> LAN="virbr0"
>> WAN="eth0"
>> LAN_IP="192.168.120.1"
>> WAN_IP="172.20.85.28"
>> VM_IP="192.168.120.100"
>>
>> iptables -t nat -A PREROUTING -p tcp -d $WAN_IP --dport 80 -j DNAT
>> --to-destination $VM_IP
>>
>> iptables -t nat -A POSTROUTING -p tcp -d $LAN_IP --dport 80 -j SNAT
>> --to-source $VM_IP
>>
>> iptables -t nat -A OUTPUT -p tcp -d $WAN_IP --dport 80 -j DNAT
>> --to-destination $VM_IP
>>
>> iptables -i FORWARD -p tcp -m tcp --in-interface $WAN --out-interface
>> $LAN -d $VM_IP --dport 80 --j ACCEPT
>>
>> "
>>
>> However, after running the .sh script with the above iptables commands, I get
>> the error below:
>>
>> "
>>
>> iptables v1.4.12: multiple -i flags not allowed
>>
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>> "
>>
>> If I run the .sh script after commenting out the command "iptables -i FORWARD
>> -p tcp -m tcp --in-interface $WAN --out-interface $LAN -d $VM_IP --dport 80
>> --j ACCEPT", there is no error in the output, but I can only access the VM
>> web server locally with the registered domain name (i.e. I can access the
>> website hosted on the VM web server from within the virtual LAN), and
>> can't access the website hosted on this VM web server from outside.
>>
>> There may be some problem with this iptables .sh script. It would be much
>> appreciated if anyone could assist with this.
>>
>> thanks,
>> Q.S.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
>
> --
> w: http://databus.ro/blog
> in: http://www.linkedin.com/pub/valentin-bud/9/881/830
> t: https://twitter.com/valentinbud
>
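As an added example, not code from either message in the thread: the script below builds a complete iptables-restore ruleset for the setup discussed (one TCP port of a NATed VM published on the host's public address), using the same interface names and addresses the question uses as constructed sample values, and it lints a plain "iptables ..." shell script for the two mistakes that broke the original script (`-i FORWARD` where `-A FORWARD` was meant, and `--j` instead of `-j`). The function names `gen_rules` and `lint_rules`, the `LAN_NET` parameter and the management port 22 rule are assumptions made for this example. Like Valentin's ruleset it defaults INPUT and FORWARD to DROP, so review the output before loading it.

```shell
#!/bin/sh
# Added example, not code from the thread: build a complete iptables-restore
# ruleset that exposes one TCP port of a NATed VM on the host's public address,
# and lint a plain "iptables ..." script for the two mistakes seen in the thread.
# All values are constructed for the example; gen_rules and lint_rules are
# hypothetical helper names.

# gen_rules WAN LAN WAN_IP LAN_NET VM_IP PORT  -> ruleset on stdout
gen_rules() {
    WAN="$1"; LAN="$2"; WAN_IP="$3"; LAN_NET="$4"; VM_IP="$5"; PORT="$6"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Public port on the host address -> the VM
-A PREROUTING -i $WAN -d $WAN_IP/32 -p tcp --dport $PORT -j DNAT --to-destination $VM_IP
# Outbound traffic from the virtual LAN leaves with the host's address
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Keep management access to the host itself (placeholder port 22; restrict by source)
-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The forward rule from the thread, written with -A (append to chain) instead of
# -i (input interface), and matching only new connections to the published port
-A FORWARD -i $WAN -o $LAN -d $VM_IP/32 -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# lint_rules: read an "iptables ..." shell script on stdin and print every line
# that uses -i where a chain name follows (should be -A) or the misspelled --j
# (should be -j). Returns 1 if anything was flagged, 0 if the script is clean.
lint_rules() {
    bad=$(grep -E -- '(^|[[:space:]])-i[[:space:]]+(INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)([[:space:]]|$)|(^|[[:space:]])--j([[:space:]]|$)' || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Run directly with six arguments to print a ruleset, e.g.
#   sh nat-rules.sh eth0 virbr0 172.20.85.28 192.168.120.0/24 192.168.120.100 80
# Review the output, then parse-check it with: iptables-restore --test < file
if [ $# -eq 6 ]; then
    gen_rules "$@"
fi
```

The generated set only covers access from outside: a client inside the virtual LAN that connects to the public name still needs a matching DNAT on the virbr0 side together with an SNAT of the source to the host's LAN address (hairpin NAT), which is the case the question's POSTROUTING rule appears to be aiming at but does not express.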