Mailing List Archive



Re: [tlug] Any iptables wizards around?



On Fri, Mar 25, 2011 at 03:56:14PM +0900, Andreas Kieckens wrote:
> 
> I've got a host with 2 qemu virtual machines in it. They're set up
> bridged with a tap interface so they both have their own ip address
> and are accessible from the outside.
> 
> Their ips are:
> VM1: 10.1.0.10
> VM2: 10.1.0.11
> Netmask for both: 255.255.255.0

br0 also has an ip from 10.1.0.0/24?


> Now I am trying to add iptables rules to the host machine to nat
> both virtual machines to subnet 172.16.0.0/24. I use the following
> rules for this.
> 
> iptables -P FORWARD DROP
> iptables -A FORWARD -s 10.1.0.0/24 -j ACCEPT
> iptables -A FORWARD -d 10.1.0.0/24 -j ACCEPT
> iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT
> iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A POSTROUTING -s 10.1.0.10 -j SNAT --to 172.16.0.10
> iptables -t nat -A POSTROUTING -s 10.1.0.11 -j SNAT --to 172.16.0.11

- if you want to do NAT, make sure br0 has an ip.  eth0 shouldn't
be enslaved to br0 then
- separate your problems: start without filtering, just doing NAT (so the
   -t nat rules). Once that works add the filtering.
- for NAT you will also have to enable ip-forwarding, i.e. via sysctl
- regarding your nat-rules: haven't played with this syntax yet, but using
	iptables -t nat -A POSTROUTING -s 10.1.0.0/24 -j MASQUERADE
should work (and does here in virtual machine setups)
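The staged approach the reply describes (forwarding on, NAT only, then filtering), written out as a small script. This is an added example, not a script from anyone in the thread: it assumes the VM subnet is 10.1.0.0/24 behind br0 and that the host's uplink is a separate eth0 (as the reply advises), and it adds an `-o` match on the uplink that the quoted rules do not have. IPTABLES and SYSCTL can be pointed at `echo` to preview the rules without touching the host.

```shell
#!/bin/sh
# Added example (not from the thread): bring up NAT for bridged VMs in the
# order the reply recommends, one stage at a time.
# Constructed assumptions: VM subnet 10.1.0.0/24 behind br0, uplink eth0
# (not enslaved to br0). Override IPTABLES/SYSCTL with "echo" for a dry run.
IPTABLES="${IPTABLES:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
VM_NET="${VM_NET:-10.1.0.0/24}"
UPLINK="${UPLINK:-eth0}"

# Stage 1: without ip_forward the kernel never routes between br0 and the
# uplink, so no NAT rule can match; do this first.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Stage 2: NAT only, no filtering yet. MASQUERADE uses the uplink's own
# address, so the host needs no extra 172.16.0.x addresses to answer for.
apply_nat_only() {
    "$IPTABLES" -t nat -A POSTROUTING -s "$VM_NET" -o "$UPLINK" -j MASQUERADE
}

# Stage 3: once VMs can reach the outside, add filtering. Default-deny the
# FORWARD chain, let replies back in, and let new flows out of the VM subnet.
apply_filtering() {
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -s "$VM_NET" -o "$UPLINK" -j ACCEPT
}

# Apply everything in order; "nat" applies only the first two stages so the
# NAT path can be tested in isolation before any filtering is added.
main() {
    enable_forwarding
    apply_nat_only
    apply_filtering
}

case "${1:-}" in
    run) main ;;
    nat) enable_forwarding; apply_nat_only ;;
    *) ;;
esac
```

Run `IPTABLES=echo SYSCTL=echo sh nat-stages.sh run` to see the rules that would be issued, then `sh nat-stages.sh nat` as root and check that a VM can reach the outside before running the full `run`.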



