On 29.05.2014 01:00, Pascal Hambourg wrote:
>> On that network, I have some VMs with static IPs, and the one on which
>> I try to make the configuration for testing and learning purposes has an
>> apache2 server running and up ( I can query it from my physical
>> computer ). It is using 2 network interfaces, a NAT one and a bridged
>> one, but for the others I would like to remove the NAT one, since I need
>> them to simulate the production servers ( which are VMs too, but my
>> company does not control the system on which they are running. Otherwise
>> it would have been far easier: I would have read how it does it to
>> understand things ) which only have one interface ( eth0 ).
>> Both LANs ( the physical one and the virtual one ) work perfectly, but
>> now I would like to allow 2 things:
>> _ VMs to access the physical LAN, so that they could access the apt
>> proxy I have installed there for installing software and updates
>
> - Enable IP forwarding on the host acting as a router.
>
> # sysctl -w net.ipv4.ip_forward=1
>
> - Presumably, you need to masquerade forwarded packets from VMs to the
> physical LAN if the physical hosts or their router doesn't have a route
> to your virtual LAN.
>
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>> _ physical computers accessing VMs through some ports of my computer.
>> For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will
>> do that port forwarding for ssh ( port 22 ), http ( port 80 ) and
>> postgresql ( port 5432 ) connections to begin with.
>
> - You need port forwarding only if the physical hosts or their router
> doesn't have a route to your virtual LAN.
>
> # iptables -t nat -A PREROUTING -i eth0 -d 172.20.14.XX \
>     -p tcp --dport 80 -j DNAT --to 10.10.10.30
>
> (and so on for each port)
>
>> And to add to the fun, I remember having discovered after several hours
>> last week that the port forwarding rules I built did not allow the
>> host computer to access the VM, at least not when asking on the host's IP
>> ( aka 172.20.14.XX ).
>
> - For this you need to do the port forwarding on locally generated
> packets.
>
> # iptables -t nat -A OUTPUT -d 172.20.14.XX -p tcp --dport 80 \
>     -j DNAT --to 10.10.10.30

Sorry for the late reply, I did not have time to try this before. It
works! Thanks a lot ( and thanks to the other people who have replied too )
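The rules from Pascal's reply collected into one reviewable script, as an added example that is not from the thread. It keeps 172.20.14.XX as the thread's placeholder for the host's LAN address, assumes the VM subnet is 10.10.10.0/24, restricts MASQUERADE to that subnet, and adds FORWARD-chain rules the reply does not show (needed once the FORWARD policy is DROP rather than the default ACCEPT).

```shell
#!/bin/sh
# Added example: the rules from Pascal's reply, parameterised and tightened.
# 172.20.14.XX is the thread's placeholder for the host's physical-LAN IP;
# the VM subnet 10.10.10.0/24 is assumed.
HOST_IP="172.20.14.XX"   # host address on the physical LAN (placeholder)
VM_NET="10.10.10.0/24"   # virtual LAN behind the host (assumed)
VM_IP="10.10.10.30"      # VM that receives the forwarded ports
PHYS_IF="eth0"           # host interface on the physical LAN
PORTS="22 80 5432"       # ssh, http, postgresql

# Print the commands instead of running them, so they can be reviewed first.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Masquerade only what really originates in the VM subnet.
    echo "iptables -t nat -A POSTROUTING -s $VM_NET -o $PHYS_IF -j MASQUERADE"
    # FORWARD is where a DROP policy would otherwise eat the traffic:
    # allow VM-initiated connections out and replies back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $VM_NET -o $PHYS_IF -j ACCEPT"
    for p in $PORTS; do
        # Packets from the physical LAN addressed to the host pass PREROUTING.
        echo "iptables -t nat -A PREROUTING -i $PHYS_IF -d $HOST_IP -p tcp --dport $p -j DNAT --to-destination $VM_IP"
        # Packets the host generates itself never see PREROUTING; nat OUTPUT
        # is the chain that catches them (the point of Pascal's last rule).
        echo "iptables -t nat -A OUTPUT -d $HOST_IP -p tcp --dport $p -j DNAT --to-destination $VM_IP"
        # Only the published ports may open new connections towards the VM.
        echo "iptables -A FORWARD -i $PHYS_IF -d $VM_IP -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Apply for real (needs root); each failing command aborts the rest.
apply_rules() { gen_rules | sh -e; }

# Number of commands that would run; handy as a sanity check.
rule_count() { gen_rules | wc -l | tr -d ' '; }
```

Run `gen_rules` to inspect the commands, then `apply_rules` as root; with the three ports above it emits 13 commands.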
Archive:
https://lists.debian.org/198c9c5a3baf38a123cc5c64bae48...@neutralite.org