From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 16 Dec 2004 - 15:08:08 GMT
On Thu, Dec 16, 2004 at 08:14:05AM +1030, Darryl Ross wrote:
> Herbert Poetzl wrote:
> >first, the nat table is not relevant for linux-vserver
> >as there is nothing to 'forward'.
> The nat table doesn't just handle forwarded packets. If you notice the
> chains are PREROUTING and POSTROUTING. PREROUTING matches all packets
> coming into the system, whether they will be subsequently routed to
> another machine or not, and POSTROUTING matches all packets leaving the
> system, whether they were locally generated or forwarded from another
> interface. The only chain that is not relevant to locally generated
> packets is the FORWARD chain in the filter table.
yep, you are completely right with that, forgot
about PRE/POSTROUTING which traverse the nat table
> >second as it is very likely a configuration issue, what
> >does a tcpdump on the 'host' show, when you do a simple
> >connect to a web server (like: telnet google.com 80)
> He hasn't posted a response, but it will show packets leaving eth0 with
> a source address of the vserver.
that is what I expected somehow, but we won't know
for sure ...
> >third, what is your network setup, and what does your
> >gateway (router) do/allow?
> His original message said the vserver was bound to eth1 on a 'black' IP
> address and eth0 is directly on the Internet with a dynamic IP address,
> presumably through a cable modem or similar. There would be no gateway,
> no router, as his linux box is doing that.
> Vincenzo, try adding a rule similar to the following:
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
won't work (actually that was what I wanted to say
in the first place) because MASQUERADE is not what
you want for locally originating connections, you
actually want to use SNAT for that ...
... -j SNAT --to-source <public ip>
> You should of course read up on Linux firewalling, the Linux Advanced
> Routing HOWTO would be a good place to start.
Vserver mailing list
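As an added example, not code from this thread, a small Python audit that reads an `iptables-save -t nat` dump and reports which POSTROUTING rule, if any, will rewrite a vserver's source address on its way out, distinguishing `SNAT --to-source` from `MASQUERADE` as discussed above. The sample dump, the 203.0.113.7 public address and the interface names are constructed assumptions.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output on a vserver host
# (not from the thread; addresses and interface names are assumptions).
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.7
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT
"""

def parse_postrouting(dump):
    """Return POSTROUTING rules as dicts with source net, out iface, target, to-source.

    Only option/value pairs (-s, -o, -j, --to-source, ...) are handled; valueless
    flags such as --random would shift the parse and are not used in the sample.
    """
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        argv = shlex.split(line)
        rule = {"src": None, "out": None, "target": None, "to": None}
        i = 2  # skip "-A POSTROUTING"
        while i + 1 < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-o":
                rule["out"] = val
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--to-source":
                rule["to"] = val
            i += 2
        rules.append(rule)
    return rules

def source_rewrite(dump, src_ip, out_iface):
    """First matching NAT rule: ('SNAT', '203.0.113.7'), ('MASQUERADE', None) or None."""
    ip = ipaddress.ip_address(src_ip)
    for r in parse_postrouting(dump):
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["out"] is not None and r["out"] != out_iface:
            continue
        if r["target"] in ("SNAT", "MASQUERADE"):
            return (r["target"], r["to"])
    return None
```

Locally generated packets from the vserver traverse POSTROUTING too, so a `None` result for the vserver's address and the Internet-facing interface means its private source address leaves the host unrewritten.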