- Date: Fri, 25 Mar 2011 15:56:14 +0900
- From: Andreas Kieckens <akieckens@example.com>
- Subject: [tlug] Any iptables wizards around?
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110307 Lightning/1.0b2 Lanikai/3.1.9
I've been trying to solve a problem with iptables for a while now.
I've got a host with 2 qemu virtual machines in it. They're set up bridged with a tap interface so they both have their own IP address and are accessible from the outside.
Their IPs are:
VM1: 10.1.0.10
VM2: 10.1.0.11
Netmask for both: 255.255.255.0
The host machine has 3 interfaces:
* eth0, which is the external interface connected to the internet
* tap0, which is the tap interface for the first VM
* tap1, which is the tap interface for the second VM
These are all added to a bridge called br0 that has the external connection set up.
Now I am trying to add iptables rules to the host machine to NAT both virtual machines to subnet 172.16.0.0/24. I use the following rules for this.
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.1.0.0/24 -j ACCEPT
iptables -A FORWARD -d 10.1.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.1.0.0/24 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.0.10 -j SNAT --to 172.16.0.10
iptables -t nat -A POSTROUTING -s 10.1.0.11 -j SNAT --to 172.16.0.11
When I try to ping Google from inside VM1, I see this going through tap0.
10113.790379 10.1.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
10113.834219 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
And this through eth0.
10348.090665 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
10348.134424 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
So apparently the source NAT is properly happening when the DNS request for Google goes out, but then the response doesn't know where to find 172.16.0.10.
Does anyone know how to solve this? Perhaps through virtual interfaces? If possible, I would like to handle this on the host OS without tinkering with the VMs' internal network settings.
--
~Andreas Kieckens
Author of www.rivercityretro.org. You should read it!
Founder of www.gametrip.org. A gamer's travel guide.
Twitter: @Metallion98.
Linkedin: Public profile.
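The capture in the post shows the upstream router (172.16.0.1) broadcasting "Who has 172.16.0.10?" and nothing on the bridge answering, so return traffic for the SNAT address has nowhere to go. A host will only answer ARP for an address it owns (or for which proxy ARP is configured), so the practical check is whether every SNAT target is a local address. The following script is an added example, not part of the original post or of anyone's reply: it reads a tshark-style capture and `ip -o -4 addr` output (both constructed samples embedded below) and reports ARP requests that went unanswered and SNAT targets the host does not own. The SNAT targets 172.16.0.10 and 172.16.0.11 come from the post; the MAC 00:11:22:33:44:55 and the address 172.16.0.2 on br0 are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks for the symptom shown in
# the post: SNAT works on the way out, but the upstream router's ARP request for
# the SNAT address gets no reply because the host does not own that address.

# SNAT targets, taken from the POSTROUTING rules in the post.
SNAT_TARGETS="172.16.0.10 172.16.0.11"

# Constructed sample of `ip -o -4 addr show`: br0 owns only 172.16.0.2, so the
# host will not answer ARP for 172.16.0.10 or 172.16.0.11.
SAMPLE_IP_ADDR_BROKEN='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br0    inet 172.16.0.2/24 brd 172.16.0.255 scope global br0\       valid_lft forever preferred_lft forever'

# Constructed sample after adding the SNAT addresses to the bridge, e.g. with
# `ip addr add 172.16.0.10/24 dev br0` (the kernel then answers ARP for them).
SAMPLE_IP_ADDR_FIXED='4: br0    inet 172.16.0.2/24 brd 172.16.0.255 scope global br0\       valid_lft forever preferred_lft forever
4: br0    inet 172.16.0.10/24 scope global secondary br0\       valid_lft forever preferred_lft forever
4: br0    inet 172.16.0.11/24 scope global secondary br0\       valid_lft forever preferred_lft forever'

# Constructed capture in the post's tshark summary format: the request for
# 172.16.0.10 is never answered, the request for 172.16.0.2 is.
SAMPLE_CAPTURE='10348.090665 172.16.0.10 -> 8.8.8.8 DNS Standard query A www.google.com
10348.134424 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.10? Tell 172.16.0.1
10348.200000 Cisco_42:4f:60 -> Broadcast ARP Who has 172.16.0.2? Tell 172.16.0.1
10348.200500 00:11:22:33:44:55 -> Cisco_42:4f:60 ARP 172.16.0.2 is at 00:11:22:33:44:55'

# Print every SNAT target that is not configured as a local address in the
# given `ip -o -4 addr` output. Returns 0 if all targets are local, 1 otherwise.
missing_local_addrs() {
    ipaddr_out=$1
    rc=0
    for t in $SNAT_TARGETS; do
        # Match "inet <addr>/" so 172.16.0.1/ does not match 172.16.0.10/.
        if ! printf '%s\n' "$ipaddr_out" | grep -q "inet $t/"; then
            echo "$t"
            rc=1
        fi
    done
    return $rc
}

# Print, sorted, every IP that was asked for with "Who has X?" and for which no
# "X is at <mac>" reply appears anywhere in the capture.
unanswered_arp() {
    printf '%s\n' "$1" | awk '
        /ARP Who has/ {
            for (i = 1; i <= NF; i++)
                if ($i == "has") { ip = $(i + 1); sub(/\?$/, "", ip); asked[ip] = 1 }
        }
        /ARP .* is at/ {
            for (i = 1; i <= NF; i++)
                if ($i == "is" && $(i + 1) == "at") answered[$(i - 1)] = 1
        }
        END { for (ip in asked) if (!(ip in answered)) print ip }' | sort
}

# Stand-alone run against the constructed samples.
echo "ARP requests with no reply:"
unanswered_arp "$SAMPLE_CAPTURE"
echo "SNAT targets not owned by the host (broken sample):"
missing_local_addrs "$SAMPLE_IP_ADDR_BROKEN" || true
echo "SNAT targets not owned by the host (fixed sample):"
missing_local_addrs "$SAMPLE_IP_ADDR_FIXED" && echo "(none)"
```

On a real host the inputs would be `tshark -i eth0 arp` output and `ip -o -4 addr show`; the script only demonstrates the check against constructed data. If `missing_local_addrs` reports addresses, the two usual remedies are to give br0 those addresses as secondaries or to enable proxy ARP for them, so that the host replies to the router's "Who has" request and return traffic reaches the SNAT rule.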
- Follow-Ups:
- Re: [tlug] Any iptables wizards around?
- From: Attila Kinali
- Re: [tlug] Any iptables wizards around?
- From: Christian Horn
- Re: [tlug] Any iptables wizards around?
- From: Tobias Diedrich