What is the correct iptables rule to avoid a loop when going out through a forwarded port?
There is a bunch of KVM guests on the host server; the guests go out through port 80 to fetch rpm/yum package updates, pull things with curl, and so on. But for a number of reasons all of these requests are forwarded to a local http server by the iptables rules on the host machine:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80
+----------------------------+
| Debian KVM-Host            |   iptables -t nat -I PREROUTING -p tcp \
| eth0:  5.5.5.5             |       --dport 80 -j DNAT --to-destination 10.10.10.110:80
| vmbr1: 10.10.10.1          |
+--------+-------------------+
         |
+--------+------------+
| nginx 10.10.10.110  |
+---------------------+
   |  |  |
   |  |  |   +---------------------+
   |  |  +---| Guest1 10.10.10.123 |
   |  |      +---------------------+
   |  |      +---------------------+
   |  +------| Guest1 10.10.10.122 |
   |         +---------------------+
   |         +---------------------+
   +---------| Guest1 10.10.10.121 |
             +---------------------+
When I run wget yandex.ru from Guest3 10.10.10.123, my nginx proxy 10.10.10.110 redirects all unfamiliar requests to Guest2 10.10.10.122, which has Plesk on it, and that splash page tells me "the default page for this server ..." and serves that back to me. Yes, and 10.10.10.110 itself, according to the rule on the host machine, passes every attempt to leave the network through itself, and 10.10.10.122 sends it back. The internet addresses themselves resolve correctly (on other ports), but that is not the issue. !10.10.10.0/24 is sent through NAT and out of the host machine.
iptables -t nat -I PREROUTING -p tcp -d 5.5.5.5 --dport 80 -j DNAT --to 10.10.10.110:80
All tcp packets arriving at 5.5.5.5:80 will be redirected to 10.10.10.110:80.
iptables -t nat -I POSTROUTING -p tcp -s 10.10.10.0/24 --dport 80 -o eth0 -j SNAT --to 5.5.5.5
Guests going out on port 80 will have their source address changed to 5.5.5.5.
Is that it?
And if so:
iptables -t nat -I PREROUTING -p tcp -d 10.10.10.0/24 --dport 80 -j DNAT --to-destination 10.10.10.110:80
or for a range
iptables -t nat -I PREROUTING -p tcp -m iprange --dst-range 10.10.10.120-10.10.10.150 --dport 80 -j DNAT --to-destination 10.10.10.110:80
* 10.10.10.120-10.10.10.150 is the range allocated to the guest hosts.
I will describe how I myself understand my iptables.
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80
Into the nat table, add the following rule for incoming packets: PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80
For tcp packets that arrived on port 80 (maybe here it is necessary to explicitly indicate "a packet that came from outside", or do I need to specify the interface address 5.5.5.5?), proceed as follows: -j DNAT --to-destination 10.10.10.110:80
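To see why the rule from the question turns the proxy's own upstream requests back on itself, here is a small Python model of nat PREROUTING matching, added here as an illustration and not code from the question or the answers. The packets and the outside addresses (203.0.113.10, 198.51.100.7) are constructed; the third rule set, which only intercepts traffic arriving on vmbr1 and excludes the proxy's own source address, is my assumption about one way to break the loop, not something the thread states.

```python
from ipaddress import ip_address, ip_network

PROXY = "10.10.10.110"  # nginx proxy from the question

# Constructed test packets: (src, dst, dport, ingress interface). All are TCP.
# 203.0.113.10 / 198.51.100.7 are documentation addresses standing in for the internet.
PACKETS = {
    "guest3->internet:80": ("10.10.10.123", "203.0.113.10", 80, "vmbr1"),
    "proxy->internet:80": (PROXY, "203.0.113.10", 80, "vmbr1"),
    "internet->host:80": ("198.51.100.7", "5.5.5.5", 80, "eth0"),
    "guest3->internet:22": ("10.10.10.123", "203.0.113.10", 22, "vmbr1"),
}


def matches(rule, pkt):
    """Model of -s / -d (network match), --dport and -i, each optionally negated with '!'."""
    src, dst, dport, iface = pkt
    fields = {"s": ip_address(src), "d": ip_address(dst), "dport": dport, "i": iface}
    for key, want in rule.items():
        negate = isinstance(want, tuple) and want[0] == "!"
        if negate:
            want = want[1]
        if key in ("s", "d"):
            hit = fields[key] in ip_network(want, strict=False)
        else:
            hit = fields[key] == want
        if hit == negate:  # a plain match must hit, a negated match must miss
            return False
    return True


def dnat_targets(rules, packets=PACKETS):
    """Walk the nat PREROUTING rules in order; first DNAT match wins, None = untouched."""
    result = {}
    for name, pkt in packets.items():
        result[name] = next((target for rule, target in rules if matches(rule, pkt)), None)
    return result


# Rule from the question: every tcp/80 packet, whoever sent it, goes to the proxy.
ORIGINAL = [({"dport": 80}, PROXY)]
# Rule from the answer: only packets addressed to the host's public IP.
ANSWER = [({"d": "5.5.5.5", "dport": 80}, PROXY)]
# Assumption, not from the thread: intercept only guest traffic arriving on vmbr1
# and leave the proxy's own upstream requests alone, so they cannot loop back.
EXCLUDE_PROXY = [({"i": "vmbr1", "s": ("!", PROXY), "dport": 80}, PROXY)]

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("answer", ANSWER), ("exclude-proxy", EXCLUDE_PROXY)):
        print(f"{label:14} {dnat_targets(rules)}")
```

With the original rule the proxy's own request to the internet is itself redirected to the proxy (the loop), while the answer's -d 5.5.5.5 form never touches guest traffic headed outside at all.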