<div dir="ltr">Hi Qiubo,<div><br></div><div>For directing traffic for a specific application (port) to a virtual machine I use the following:</div><div><br></div><div>root at host # cat /etc/network/iptables</div><div><br>
</div><div>*nat</div><div>:PREROUTING ACCEPT</div><div>:POSTROUTING ACCEPT</div><div>:OUTPUT ACCEPT</div><div><br></div><div># Direct HTTP(S) traffic to 192.168.120.100</div><div>-A PREROUTING -s <a href="http://0.0.0.0/0">0.0.0.0/0</a> -d <a href="http://172.20.85.28/32">172.20.85.28/32</a> -p tcp --dport 80 -j DNAT --to-destination 192.168.120.100</div>
<div>-A PREROUTING -s <a href="http://0.0.0.0/0">0.0.0.0/0</a> -d <a href="http://172.20.85.28/32">172.20.85.28/32</a> -p tcp --dport 443 -j DNAT --to-destination 192.168.120.100<br></div><div style><br></div><div style>
COMMIT</div>
<div style>*filter</div><div style><div>:INPUT DROP</div><div>:FORWARD DROP</div><div>:OUTPUT ACCEPT</div></div><div><div class="gmail_extra">:PUBLIC -</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">
# INPUT CHAIN</div><div class="gmail_extra">-A INPUT -i lo -j ACCEPT</div><div class="gmail_extra">-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</div><div class="gmail_extra">-A INPUT -i eth0 -j PUBLIC<br></div>
<div class="gmail_extra"><br></div><div class="gmail_extra" style># FORWARD CHAIN</div><div class="gmail_extra" style><div class="gmail_extra">-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT</div><div class="gmail_extra">
-A FORWARD -i lo -j ACCEPT</div><div class="gmail_extra">-A FORWARD -i eth0 -j PUBLIC</div><div class="gmail_extra"><br></div><div class="gmail_extra" style># OUTPUT CHAIN</div><div class="gmail_extra" style>-A OUTPUT -d <a href="http://224.0.0.0/4">224.0.0.0/4</a> -o eth0 -j DROP<br>
</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style># PUBLIC CHAIN<br></div><div class="gmail_extra" style><div class="gmail_extra">-A PUBLIC -s <a href="http://0.0.0.0/0">0.0.0.0/0</a> -d <a href="http://192.168.120.100/32">192.168.120.100/32</a> -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT</div>
<div class="gmail_extra">-A PUBLIC -s <a href="http://0.0.0.0/0">0.0.0.0/0</a> -d <a href="http://192.168.120.100/32">192.168.120.100/32</a> -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT</div><div class="gmail_extra">
<br></div><div class="gmail_extra" style>COMMIT</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>The above permits all RELATED/ESTABLISHED traffic to pass through the firewall on both INPUT and FORWARD chains. It also permits traffic to pass freely on the lo (loopback) interface.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>All traffic coming in on eth0 is directed to the PUBLIC CHAIN.</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>On the PUBLIC CHAIN I allow traffic to destination ports 80 and 443 to the inside (LAN) IP address. </div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>To start the iptables on boot I have the following in `/etc/network/interfaces`:</div><div class="gmail_extra" style><br></div><div class="gmail_extra" style>
<div class="gmail_extra"># Loopback device:</div><div class="gmail_extra">auto lo</div><div class="gmail_extra">iface lo inet loopback</div><div class="gmail_extra"><br></div><div class="gmail_extra"> ### Start and configure iptables and ip6tables at startup</div>
<div class="gmail_extra"> up iptables-restore < /etc/network/iptables</div><div class="gmail_extra"> up ip6tables-restore < /etc/network/ip6tables</div><div class="gmail_extra"><br></div><div class="gmail_extra" style>
WARNING: The above is only an example and should not be blindly copied and expected to work. In fact it will not work, it will block your access to the machine (host) in question and allow only HTTP(S) traffic to the specified VM.</div>
<div class="gmail_extra" style><br></div><div class="gmail_extra" style>Cheers and Goodwill,</div></div></div></div><br><div class="gmail_quote">On Fri, May 24, 2013 at 4:19 AM, Qiubo Su (David Su) <span dir="ltr"><<a href="mailto:qiubosu@gmail.com" target="_blank">qiubosu@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">
<p style="margin-bottom:0cm">Dear OpenNebula Community,</p><p style="margin-bottom:0cm">I want to install/configure a virtual LAN (<a href="http://192.168.120.0/24" target="_blank">192.168.120.0/24</a>) in one dedicated root server in data center. </p>
<p style="margin-bottom:0cm">eth0 is the physical interface of this root server. virbr0 is the default virtual LAN switch provided by libvirtd (virbr0-nic is the correspondent virtual interface of virbr0). the virtual network switch is in NAT mode. a VM in this virtual LAN, and some applications runs in this VM. for externally accessing the applications (e.g. web server) run in the VM, need to use iptables command similar as below:</p>
<p style="margin-bottom:0cm">"</p><p style="margin-bottom:0cm">LAN="virbr0"<br>WAN="eth0"<br>LAN_IP="192.168.120.1"<br>WAN_IP="172.20.85.28"<br>VM_IP="192.168.120.100"<br>
</p>
<p>iptables -t nat -A PREROUTING -p tcp
-d $WAN_IP --dport 80 -j DNAT --to-destination
$VM_IP</p>
<p>iptables -t nat -A POSTROUTING -p tcp
-d $LAN_IP --dport 80 -j SNAT --to-source $VM_IP</p>
<p>iptables -t nat -A OUTPUT -p tcp -d $WAN_IP --dport 80 -j DNAT --to-destination $VM_IP</p>
<p>iptables -i FORWARD -p tcp -m tcp
--in-interface $WAN --out-interface $LAN -d $VM_IP
--dport 80 --j ACCEPT</p><p>"</p><p>however after running the .sh script with the above iptables command, get below error</p><p>"</p><p>iptables v1.4.12: multiple -i flags not allowed</p>
<p>Try `iptables -h' or 'iptables --help' for more information.</p><p>"</p><p>run the .sh script after commenting out the command "iptables -i FORWARD -p tcp -m tcp --in-interface $WAN --out-interface $LAN -d $VM_IP --dport 80 --j ACCEPT", there is no error in the output. but only can locally access the VM web server with the registered domain name (i.e. can locally access the website hosted in the VM web server, within the virtual LAN scope), but can't externally access the website hosted in this VM web server.</p>
<p>there may be some problem with this iptables .sh script. it is much appreciated if anyone can assist with this.</p><p>thanks,<br>Q.S.</p></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>w: <a href="http://databus.ro/blog" target="_blank">http://databus.ro/blog</a><div>in: <a href="http://www.linkedin.com/pub/valentin-bud/9/881/830" target="_blank">http://www.linkedin.com/pub/valentin-bud/9/881/830</a></div>
<div>t: <a href="https://twitter.com/valentinbud" target="_blank">https://twitter.com/valentinbud</a></div>
</div></div></div>