On Thu, Dec 16, 2004 at 08:14:05AM +1030, Darryl Ross wrote:
> Herbert Poetzl wrote:
> 
> > first, the nat table is not relevant for linux-vserver
> > as there is nothing to 'forward'.
> 
> The nat table doesn't just handle forwarded packets. If you notice the
> chains are PREROUTING and POSTROUTING. PREROUTING matches all packets
> coming into the system, whether they will be subsequently routed to
> another machine or not, and POSTROUTING matches all packets leaving the
> system, whether they were locally generated or forwarded from another
> interface. The only chain that is not relevant to locally generated
> packets is the FORWARD chain in the filter table.
yep, you are completely right with that, forgot about
PRE/POSTROUTING which traverse the nat table

> > second as it is very likely a configuration issue, what
> > does a tcpdump on the 'host' show, when you do a simple
> > connect to a web server (like: telnet google.com 80)
> 
> He hasn't posted a response, but it will show packets leaving eth0 with
> a source address of the vserver.

that is what I expected somehow, but we won't know for sure ...

> > third, what is your network setup, and what does your
> > gateway (router) do/allow?
> 
> His original message said the vserver was bound to eth1 on a 'black' IP
> address and eth0 is directly on the Internet with a dynamic IP address,
> presumably through a cable modem or similar. There would be no gateway,
> no router, as his linux box is doing that.
> 
> Vincenzo, try adding a rule similar to the following:
> 
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

won't work (actually that was what I wanted to say in the first place)
because MASQUERADE is not what you want for locally originating
connections, you actually want to use SNAT for that ...

... -j SNAT --to-source <public ip>

> You should of course read up on Linux firewalling, the Linux Advanced
> Routing HOWTO would be a good place to start.

thanks,
Herbert

> HTH,
> Darryl
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
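The chain traversal Darryl describes, and the effect of the two POSTROUTING rules quoted in the thread, as an added example that is not part of the original thread and not linux-vserver or iptables code. It is a toy model of the nat table only: a locally generated packet passes the routing decision, nat OUTPUT and nat POSTROUTING, while a packet arriving on another interface passes nat PREROUTING, the routing decision, filter FORWARD and nat POSTROUTING. SNAT rewrites the source to the given --to-source; MASQUERADE is modelled as rewriting the source to whatever address the outgoing interface currently holds. The host addresses (203.0.113.7 on eth0, 192.168.1.1 on eth1), the vserver address 192.168.1.10, the remote web server 198.51.100.20 and the routing table are all constructed for the example.

```python
"""Toy model of which netfilter chains a packet traverses and what the two
POSTROUTING rules from the thread do to it.  Constructed example: addresses,
routes and interface names are made up, and nothing here touches a kernel."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed host layout: eth0 faces the Internet, eth1 carries the private
# 'black' network the vserver is bound to.
IFACE_ADDR = {"eth0": "203.0.113.7", "eth1": "192.168.1.1"}
ROUTES = [("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "eth0")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str]           # None when a local process generated it
    out_if: Optional[str] = None   # filled in by the routing decision


@dataclass(frozen=True)
class Rule:
    chain: str                     # nat chain: PREROUTING, OUTPUT or POSTROUTING
    target: str                    # SNAT or MASQUERADE
    src: Optional[str] = None      # -s CIDR
    out_if: Optional[str] = None   # -o IFACE
    to_source: Optional[str] = None  # SNAT --to-source

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.out_if and pkt.out_if != self.out_if:
            return False
        return True


def route(dst: str) -> str:
    """Longest-prefix match over ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(c), i) for c, i in ROUTES
                  if addr in ipaddress.ip_network(c)]
    _net, iface = max(candidates, key=lambda m: m[0].prefixlen)
    return iface


def apply_chain(chain: str, pkt: Packet, rules: List[Rule], trace: List[str]) -> Packet:
    """Walk one nat chain; the first matching rule's target decides and ends the chain."""
    trace.append(chain)
    for r in rules:
        if r.chain == chain and r.matches(pkt):
            if r.target == "SNAT":
                pkt = replace(pkt, src=r.to_source)
            elif r.target == "MASQUERADE":
                pkt = replace(pkt, src=IFACE_ADDR[pkt.out_if])
            break
    return pkt


def traverse(pkt: Packet, rules: List[Rule]) -> Tuple[Packet, List[str]]:
    """Return the packet as it leaves the box and the chains it passed through."""
    trace: List[str] = []
    if pkt.in_if is None:
        # Locally generated: routing decision, nat OUTPUT, then nat POSTROUTING.
        pkt = replace(pkt, out_if=route(pkt.dst))
        pkt = apply_chain("OUTPUT", pkt, rules, trace)
    else:
        # Arrived on an interface: nat PREROUTING, routing decision, filter FORWARD.
        pkt = apply_chain("PREROUTING", pkt, rules, trace)
        pkt = replace(pkt, out_if=route(pkt.dst))
        trace.append("FORWARD")  # filter table only; nat has no FORWARD chain
    pkt = apply_chain("POSTROUTING", pkt, rules, trace)
    return pkt, trace


# The rule Darryl suggested and the SNAT variant Herbert prefers.
MASQ_RULE = Rule("POSTROUTING", "MASQUERADE", src="192.168.1.0/24", out_if="eth0")
SNAT_RULE = Rule("POSTROUTING", "SNAT", src="192.168.1.0/24", out_if="eth0",
                 to_source=IFACE_ADDR["eth0"])


def vserver_to_web(rules: List[Rule]) -> Tuple[Packet, List[str]]:
    """A vserver bound to 192.168.1.10 (assumed) connects to a web server: a
    locally generated packet on the host, so no PREROUTING and no FORWARD."""
    return traverse(Packet(src="192.168.1.10", dst="198.51.100.20", in_if=None), rules)


def lan_host_to_web(rules: List[Rule]) -> Tuple[Packet, List[str]]:
    """Same destination from a separate machine behind eth1: a forwarded packet."""
    return traverse(Packet(src="192.168.1.50", dst="198.51.100.20", in_if="eth1"), rules)


if __name__ == "__main__":
    for label, fn in (("vserver", vserver_to_web), ("lan host", lan_host_to_web)):
        for rules in ([], [MASQ_RULE], [SNAT_RULE]):
            pkt, trace = fn(rules)
            print(f"{label:8} rules={[r.target for r in rules] or 'none'} "
                  f"chains={'->'.join(trace)} leaves {pkt.out_if} src={pkt.src}")
```

Running it with no rules shows the case the thread is diagnosing: the vserver's packet leaves eth0 still carrying the 192.168.1.10 source, which is what Darryl expects a tcpdump on the host to show. With either rule in place the source is rewritten in POSTROUTING, the chain that locally generated packets do reach; the difference between MASQUERADE and SNAT in this model is only where the replacement address comes from.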
