System administration
Daniel Newman, 2012-10-18 23:35:14

What is the correct iptables rule to avoid looping when going out through a forwarded port?

There is a pile of KVM guests on the host server; the guests go out through port 80 to fetch rpm/yum package updates, run curl, and so on. But all of these requests end up at the local http server because of this rule in the host machine's iptables:

iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80

It looks something like this:

+----------------------------+
| Debian KVM-Host            |       iptables -t nat -I PREROUTING -p tcp \
| eth0:  5.5.5.5             |         --dport 80 -j DNAT --to-destination 10.10.10.110:80
| vmbr1: 10.10.10.1          |
+--------+-------------------+
         |
+--------+------------+
| nginx  10.10.10.110 |
+---------------------+
    |      |      |
    |      |      |    +---------------------+
    |      |      +----| Guest3 10.10.10.123 |
    |      |           +---------------------+
    |      |   +---------------------+
    |      +---| Guest2 10.10.10.122 |
    |          +---------------------+
    |   +---------------------+
    +---| Guest1 10.10.10.121 |
        +---------------------+

Let's say I run wget yandex.ru from Guest3 10.10.10.123. In my nginx proxy 10.10.10.110, all unknown requests are redirected to Guest2 10.10.10.122, which runs Plesk, and its splash page tells me "this is the default page for this server..." and serves me that. And 10.10.10.110 itself, according to the host machine's rule, has every attempt to leave the network sent back to itself and to 10.10.10.122. The Internet addresses themselves resolve correctly (on other ports), but that is beside the point.

So I don't understand how to "untangle" this situation. Kind people, please help me with a rule so that all external addresses, i.e. !10.10.10.0/24, are sent through NAT and out of the host machine.

4 answer(s)
Akint, 2012-10-19
@danielnewman

iptables -t nat -I PREROUTING -p tcp -d 5.5.5.5 --dport 80 -j DNAT --to 10.10.10.110:80
All tcp packets arriving at 5.5.5.5:80 will be redirected to 10.10.10.110:80
iptables -t nat -I POSTROUTING -p tcp -s 10.10.10.0/24 --dport 80 -o eth0 -j SNAT --to 5.5.5.5
Guests going out on port 80 will have their source address changed to 5.5.5.5.
Is that it?

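The script below is added here as an example; it is not part of Akint's answer or of the original thread. It turns the narrowed DNAT into a reviewable rule set and adds a small audit that reads iptables-save output and flags nat PREROUTING DNAT rules restricted by neither destination (-d) nor input interface (-i), which is exactly the shape of rule that caught the guests' outbound traffic. It adds an `-i eth0` match to Akint's `-d 5.5.5.5` (both values are taken from the diagram above); the `SAMPLE_SAVE` text is constructed for the demonstration, not captured from the host, and the general SNAT rule may already exist on the host as MASQUERADE.

```shell
#!/bin/sh
# Added example, not the thread's own code. Values default to the ones in the
# question's diagram; override with environment variables on another host.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-5.5.5.5}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
BACKEND="${BACKEND:-10.10.10.110}"

# Print (do not apply) the nat rules. Only packets that arrive on the WAN
# interface AND are addressed to the host's public IP are DNATed, so a guest's
# "wget yandex.ru", which arrives on vmbr1 with a foreign destination, never
# matches. Pipe through `sh` once reviewed.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 80 -j DNAT --to-destination $BACKEND:80
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
EOF
}

# Audit: read iptables-save output on stdin and print every nat-table
# PREROUTING DNAT rule that carries no " -d " and no " -i " match. Such a rule
# applies to guest-originated traffic as well as to traffic from the Internet.
# (" -d " with surrounding spaces does not match "--dport" or "--to-destination".)
audit_broad_dnat() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && /-j DNAT/ {
            if ($0 !~ / -d / && $0 !~ / -i /) print
        }'
}

# Constructed iptables-save excerpt (not from a real host): the first DNAT rule
# is the question's over-broad one, the second is properly restricted.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80
-A PREROUTING -i eth0 -d 5.5.5.5/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.10.110:443
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to-source 5.5.5.5
COMMIT'

# Stand-alone run: show the proposed rules, then audit the constructed sample.
# On a real host replace the sample with:  iptables-save | audit_broad_dnat
demo() {
    echo "# proposed nat rules:"
    nat_rules
    echo "# over-broad PREROUTING DNAT rules in sample:"
    printf '%s\n' "$SAMPLE_SAVE" | audit_broad_dnat
}
demo
```

Two caveats. The audit is deliberately conservative: any `-d` or `-i` match counts as a restriction, including a negated one, so review what it does not flag as well. And with the `-i eth0 -d 5.5.5.5` match, a guest that connects to the public address 5.5.5.5:80 (hairpin) is no longer DNATed at all; if guests need that, it takes a separate DNAT rule on vmbr1 together with SNAT to the host's 10.10.10.1 address so that the backend's replies come back through the host, which is outside the scope of this question.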
oldbay, 2012-10-19
@oldbay

What about this:
iptables -t nat -I PREROUTING -p tcp -d 10.10.10.0/24 --dport 80 -j DNAT --to-destination 10.10.10.110:80
or for a range
iptables -t nat -I PREROUTING -p tcp -m iprange --dst-range 10.10.10.120-10.10.10.150 --dport 80 -j DNAT --to-destination 10.10.10.110:80
*10.10.10.120-10.10.10.150 is the range allocated to the guest hosts.

Daniel Newman, 2012-10-19
@danielnewman

I will describe how I myself understand my iptables rule.

iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80

adds the following rule to the nat table, for incoming packets:
PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.10.110:80

"for all tcp protocol packets that arrived at port 80 (maybe it is necessary to explicitly indicate 'a packet that came from outside' here, or do I need to specify the interface address 5.5.5.5?) do the following"
-j DNAT --to-destination 10.10.10.110:80

"jump to the internal chain of rules: 'change the packet's destination address to 10.10.10.110:80'"
Right so far?
