From what I can see, it seems that the traffic from host to guest goes through the lo interface. The logs indicate that it does not DNAT from lo:

Feb 9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0



My log rule in POSTROUTING is triggered, but not the one I put in PREROUTING. Is it normal that traffic on "lo" bypasses PREROUTING, or did I make a mistake here?


Chain PREROUTING (policy ACCEPT 4601 packets, 239K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 pre10.11.1.1  all  --  lo     *       0.0.0.0/0            my.pub.lic.ip
 1389 79355 pre10.11.1.1  all  --  *      *       0.0.0.0/0            my.pub.lic.ip



regards,
Ghislain.
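A small diagnostic, added here and not part of the thread, that reads netfilter LOG lines in the format shown above, groups them per packet and reports which hooks each packet passed. Locally generated packets (IN= empty at the first hook) enter the nat table at OUTPUT and never reach PREROUTING, which is what the log shows; the sample log is constructed, reusing Ghislain's OUTROUTE/OUTPUT/POSTROUTE/INPUT prefixes, while the PREROUTE/FORWARD prefixes and the 203.0.113.9 client are assumed to show an externally originated, DNATed packet for contrast.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the thread's LOG lines (public IP kept as
# the page's placeholder). Lines 5-6 are assumed: an external client hitting the
# same DNAT rule from eth0, to contrast with the host's own telnet on lo.
SAMPLE_LOG = """\
Feb 9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SYN
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SYN
Feb 9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SYN
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SYN
Feb 9 12:30:31 server kernel: PREROUTEIN=eth0 OUT= MAC=00:30:48:80:35:98:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=my.pub.lic.ip ID=777 DF PROTO=TCP SPT=51000 DPT=80 SYN
Feb 9 12:30:31 server kernel: FORWARDIN=eth0 OUT=eth0 SRC=203.0.113.9 DST=10.11.1.1 ID=777 DF PROTO=TCP SPT=51000 DPT=80 SYN
"""

# The LOG prefix is glued to "IN=" because the rules were set without a trailing space.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>[A-Z]+)IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?ID=(?P<id>\d+) .*?"
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_traversals(log_text):
    """Group LOG lines by packet (proto, IP id, ports), in order of appearance,
    keeping (hook prefix, in iface, out iface, dst) at each hook."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["proto"], m["id"], m["spt"], m["dpt"])
        flows.setdefault(key, []).append((m["prefix"], m["in"], m["out"], m["dst"]))
    return flows

def diagnose(flows):
    """Per packet: was it generated on this host, which hooks logged it, did its
    DST change anywhere (a DNAT took effect), and where a DNAT rule must live."""
    report = {}
    for key, hops in flows.items():
        local = hops[0][1] == ""            # empty IN= at first hook: local origin
        dnat_seen = hops[0][3] != hops[-1][3]
        if local:
            verdict = "locally generated: skips PREROUTING, DNAT must be in nat OUTPUT"
        else:
            verdict = "received on %s: nat PREROUTING applies" % hops[0][1]
        report[key] = {"local": local, "hooks": [h[0] for h in hops],
                       "dnat_seen": dnat_seen, "verdict": verdict}
    return report

if __name__ == "__main__":
    for key, info in diagnose(parse_traversals(SAMPLE_LOG)).items():
        print(key, info["hooks"], info["verdict"])
```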



server:/usr/local/.aqadmin/home%(aqadmin)> ifconfig
eth0      Lien encap:Ethernet  HWaddr 00:30:48:80:35:98
          inet adr:my.pub.lic.ip  Bcast:my.public.net.255  
Masque:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50547354 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46120605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100
          RX bytes:967618327 (922.7 MiB)  TX bytes:208844340 (199.1 MiB)
          Adresse de base:0xb000 Mémoire:f0000000-f0020000

eth0:1111 Lien encap:Ethernet  HWaddr 00:30:48:80:35:98
          inet adr:10.11.1.1  Bcast:0.0.0.0  Masque:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Adresse de base:0xb000 Mémoire:f0000000-f0020000

lo        Lien encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:188383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:188383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          RX bytes:24591743 (23.4 MiB)  TX bytes:24591743 (23.4 MiB)



server:/usr/local/.aqadmin/home%(aqadmin)> sudo iptables -L -vn
Chain INPUT (policy ACCEPT 51M packets, 30G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 46M packets, 3496M bytes)
 pkts bytes target     prot opt in     out     source               destination


server:/usr/local/.aqadmin/home%(aqadmin)> sudo iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 4601 packets, 239K bytes)
 pkts bytes target     prot opt in     out     source               destination
  666 34304 pre10.11.1.1  all  --  *      *       0.0.0.0/0            my.pub.lic.ip

Chain POSTROUTING (policy ACCEPT 9432 packets, 644K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   518 post10.11.1.1  all  --  *      *       10.11.1.1            !10.11.1.1

Chain OUTPUT (policy ACCEPT 34439 packets, 2175K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain post10.11.1.1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
   74  4562 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        to:my.pub.lic.ip

Chain pre10.11.1.1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  666 34304 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0   
        to:10.11.1.1


server:/usr/local/.aqadmin/home%(aqadmin)> telnet my.pub.lic.ip 80
Trying my.pub.lic.ip...
telnet: Unable to connect to remote host: Connection refused



server:/usr/local/.aqadmin/home%(aqadmin)> telnet 10.11.1.1 80
Trying 10.11.1.1...
Connected to 10.11.1.1.
Escape character is '^]'.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a 
href="http://notebl01.aqserver.net/apache2-default/">here</a>.</p>
<hr>
<address>Apache/2.0.54 (Debian GNU/Linux) </address>
</body></html>
Connection closed by foreign host.


server:/usr/local/.aqadmin/home%(aqadmin)> sudo sysctl -a |grep forward
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1



I got this in the logs:



Feb 9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0


It seems that it does not NAT for lo?
regards,
Ghislain.


Hello,

I have some trouble with the routing between host and guest. I have a guest with a 10.x IP and a public IP different from the host's public IP. I have set up DNAT and SNAT between the 10.x address and the guest's public IP, and it works from outside, but I cannot telnet to port 80 on my guest from the host, nor telnet to my guest's public IP from inside the guest itself. Can anyone point me to a little "how-to" on this? I googled but failed to find one.


Using 2.16.19.2 with the 2.2.0rc10 patch on Debian.


------------------------------------------------------------------------

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

