Martin Leben wrote:
> mess-mate wrote:
>
>> So I'd routed the dynamic IP to the vserver-host in the dmz zone like this:
>>
>>     DNAT $FW dmz:192.168.20.1 tcp 80 - $ETH0_IP
>>
>> and it works perfectly, but I want to get my webpage in the vserver-guest now.
>>
>> 192.168.30.1 = the guest and 192.168.20.1 = the host of the vserver.
>>
>> shorewall is the firewall in the vserver-host (192.168.20.1).
>>
>> How can I dnat or forward or whatsoever all that's coming from $ETH_IP
>> to the vserver-guest?
>>
>> Changing dmz:192.168.20.1 to dmz:192.168.30.1 does not work and, strangely
>> enough, the vserver continues receiving the requests in this case.
>>
>> I know Martin said to consider the vserver-host as the external IP to
>> do it, but I can't work out how to do it.
>
> Hi!
>
> I am by NO means an expert on vserver (since I haven't even used it), but if I
> understand your setup from a networking perspective it looks _something_ like
> this now:
>
> (ASCII is best read using a constant width font.)
>
>               |
>      +-----------------+
>      |  86.192.36.220  |
>      |    firewall     |
>      |192.168.20.254/24|
>      +-----------------+
>               |
>      +-----------------+
>      | 192.168.20.1/24 |
>      |  vserver-host   |
>      +-----------------+
>               |
>      +-----------------+
>      | 192.168.30.1/24 |
>      |  vserver-guest  |
>      +-----------------+
>
> ... which means that you have to use DNAT in both the "firewall" machine as well
> as in the "vserver-host" machine. That is unnecessary, brings more work and ....
> it is just bad.
>
> I suggest you give the "vserver-guest" machine the IP "192.168.20.2/24" instead
> by doing this:
>
>     # cd /etc/vservers/$VSERVER/interfaces/0
>     echo eth0 > dev
>     echo 192.168.20.2 > ip
>     echo 2 > name
>     echo 24 > prefix
>
> ... as per <http://linux-vserver.org/Networking_vserver_guests>. Please observe
> that almost all of the rest of that article should be ignored though, if I am
> not mistaken, since it talks about DNAT:ting.
>
> If you have more questions about vserver networking, I am sure that you would
> get better help on a mailing list or forum about vserver where the vserver
> experts hang out, than you get on this list. Remember, this is a list about the
> Shoreline Firewall (a.k.a. shorewall), not about general Linux or vserver
> networking issues.
>
> (And I would like to repeat that I haven't used vserver myself. The above
> information was gathered by some googling and browsing the vserver website
> <http://linux-vserver.org/>.)
>
> Good luck!
> /Martin

Thanks Martin, I changed everything to option A (above) as a last try. And it
doesn't work. I think the router/firewall does not DNAT to the guest.

    DNAT $FW dmz:192.168.20.10 tcp 80 - $ETH0_IP

and

    ACCEPT net dmz:192.168.20.10 tcp http

or do I have to set the:

    Host as router
    Configure the host to act as a router. For internal packets going outside,
    pretend each packet came from our external IP (put it in one line without
    backslash):

    # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
        -d ! 192.168.1.0/24 -j SNAT --to-source $EXTIP

    For each service that runs on a vserver, map it to an external port. For the
    vserver local address $VHOST and port $INTPORT you select one external port
    $EXTPORT and run the following (put it in one line without backslash):

    # iptables -t nat -A PREROUTING -s ! 192.168.1.0/24 \
        -m tcp -p tcp --dport $EXTPORT -j DNAT --to-destination $VHOST:$INTPORT

In this case do I have to set shorewall on the vserver-host as above? And how
can I do that with shorewall, DNAT a second time?

mess-mate

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
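The failure mess-mate describes (a DNAT to dmz:192.168.30.1 that the firewall cannot deliver because 192.168.30.0/24 is not attached to it, so a second DNAT on the vserver-host would be needed) can be caught before the rules are loaded. The following checker is an added example, not code from the thread or from the Shorewall project: it parses Shorewall-style rules-file lines, flags DNAT targets that lie outside any subnet attached to the destination zone, and renders the simplified iptables PREROUTING/FORWARD pair a DNAT rule boils down to. The zone subnets come from Martin's diagram; the external /24, the interface name eth0, the use of `net` rather than `$FW` as SOURCE, and the sample rules are assumptions constructed for the example.

```python
"""Added example (not from the thread or Shorewall): check that Shorewall-style
DNAT targets sit on a subnet the firewall is directly attached to."""
import ipaddress

# Firewall interfaces as drawn in the thread: zone name -> attached subnets.
# The external /24 is an assumption; the thread only gives the host address.
FW_ZONES = {
    "net": [ipaddress.ip_network("86.192.36.0/24")],
    "dmz": [ipaddress.ip_network("192.168.20.0/24")],
}

# Constructed sample rules file (comments and blank lines as Shorewall allows).
# Columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST                   PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     dmz:192.168.20.1       tcp    80     -      $ETH0_IP
DNAT     net     dmz:192.168.30.1       tcp    80     -      $ETH0_IP
DNAT     net     dmz:192.168.20.2:8080  tcp    80     -      $ETH0_IP
ACCEPT   net     dmz:192.168.20.2       tcp    80
"""


def parse_rule(line):
    """Split one rules-file line into its columns; missing trailing columns become '-'."""
    cols = line.split()
    if len(cols) < 3:
        raise ValueError("rule needs at least ACTION SOURCE DEST: %r" % line)
    cols += ["-"] * (7 - len(cols))
    action, source, dest, proto, dport, sport, origdest = cols[:7]
    # DEST is zone[:address[:port]]; a port after the address redirects to that port.
    zone, _, rest = dest.partition(":")
    target_ip, _, target_port = rest.partition(":")
    return {
        "action": action, "source": source, "dest_zone": zone,
        "target_ip": target_ip, "target_port": target_port or dport,
        "proto": proto, "dport": dport, "sport": sport, "origdest": origdest,
    }


def target_attached(rule, zones=FW_ZONES):
    """True if the DNAT target lies inside a subnet attached to the destination zone."""
    if not rule["target_ip"]:
        return False
    addr = ipaddress.ip_address(rule["target_ip"])
    return any(addr in net for net in zones.get(rule["dest_zone"], []))


def to_iptables(rule, net_iface="eth0"):
    """Render the two iptables commands a DNAT rule boils down to (a simplified
    form of what Shorewall generates; the interface name is an assumption)."""
    nat = ("iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s "
           "-j DNAT --to-destination %s:%s"
           % (net_iface, rule["origdest"], rule["proto"], rule["dport"],
              rule["target_ip"], rule["target_port"]))
    fwd = ("iptables -A FORWARD -i %s -d %s -p %s --dport %s -j ACCEPT"
           % (net_iface, rule["target_ip"], rule["proto"], rule["target_port"]))
    return [nat, fwd]


def audit(rules_text, zones=FW_ZONES):
    """Return (target_ip, attached?) for every DNAT rule. An unattached target is
    the double-DNAT situation the thread runs into."""
    findings = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule["action"] != "DNAT":
            continue
        findings.append((rule["target_ip"], target_attached(rule, zones)))
    return findings


if __name__ == "__main__":
    for ip, ok in audit(SAMPLE_RULES):
        print("%-15s %s" % (ip, "on attached dmz subnet" if ok else "NOT on an attached subnet"))
    for cmd in to_iptables(parse_rule("DNAT net dmz:192.168.20.2 tcp 80 - $ETH0_IP")):
        print(cmd)
```

Run against the sample, the 192.168.30.1 rule is the only one flagged: the firewall rewrites the destination but has no attached subnet containing it, so the packet cannot be forwarded into the dmz without a second hop doing its own DNAT. Giving the guest a 192.168.20.x address, as Martin suggests, is exactly what makes the check pass and removes the need for DNAT on the vserver-host.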