
From: Vincenzo Agosto (netstat_at_email.it)
Date: Tue 21 Dec 2004 - 22:26:00 GMT


Herbert Poetzl wrote:
> On Fri, Dec 17, 2004 at 06:47:11PM +0100, Vincenzo Agosto wrote:
>
>>Herbert Poetzl wrote:
>>
>>>On Tue, Dec 14, 2004 at 05:45:08PM +0100, Vincenzo Agosto wrote:
>>>
>>>
>>>>Darryl Ross wrote:
>>>>
>>>>
>>>>>Vincenzo Agosto wrote:
>>>>>
>>>>>| and nothing...
>>>>>| but ping ftp2.it.debian.org is OK
>>>>>| Any ideas?
>>>>>
>>>>>I have found that pings always seem to come from the real IP address of
>>>>>the machine, not the vserver IP address. That would be why the pings
>>>>>work.
>>>>>
>>>>>Do you have a firewall rule in place to NAT traffic from the vserver IP
>>>>>address to the real IP address?
>>>>>
>>>>>Regards
>>>>>Darryl
>>>>
>>>>nope, no rules
>>>>
>>>>iptables -t nat -L
>>>>Chain PREROUTING (policy ACCEPT)
>>>>target prot opt source destination
>>>>
>>>>Chain POSTROUTING (policy ACCEPT)
>>>>target prot opt source destination
>>>>
>>>>Chain OUTPUT (policy ACCEPT)
>>>>target prot opt source destination
>>>
>>>
>>>first, the nat table is not relevant for linux-vserver
>>>as there is nothing to 'forward'.
>>>
>>>second as it is very likely a configuration issue, what
>>>does a tcpdump on the 'host' show, when you do a simple
>>>connect to a web server (like: telnet google.com 80)
>>>
>>
>>If I do telnet www.google.com 80 in my vserver, this is the tcpdump:
>>
>>tcpdump: listening on ppp0
>>18:38:14.626102 82.48.106.27.32769 > 81.74.224.227.domain: 41553+ A?
>>www.google.akadns.net. (39) (DF)
>>18:38:14.678478 192.168.1.250.41613 > 66.102.11.99.www: S
>>3858178163:3858178163(0) win 5808 <mss 1452,sackOK,timestamp 60170371
>>0,nop,wscale 0> (DF) [tos 0x10]
>>18:38:17.669087 192.168.1.250.41613 > 66.102.11.99.www: S
>>3858178163:3858178163(0) win 5808 <mss 1452,sackOK,timestamp 60170671
>>0,nop,wscale 0> (DF) [tos 0x10]
>>
>>It appears that the connection starts from the server to google, but there
>>is no response from google to the vserver!
>
>
> yep, if google (or others) would respond to packets
> from local networks, they for sure would have a big
> problem ...
>
>
>>>third, what is your network setup, and what does your
>>>gateway (router) do/allow?
>>>
>>
>>my network setup is
>>eth0 --> Dynamic ip
>>eth1 192.168.1.254
>>eth1:condor: 192.168.1.250
>>
>>in my vserver I have
>>route
>>Kernel IP routing table
>>Destination Gateway Genmask Flags Metric Ref Use Iface
>>192.168.100.1 * 255.255.255.255 UH 0 0 0 ppp0
>>192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
>>default 192.168.100.1 0.0.0.0 UG 0 0 0 ppp0
>>
>>in my server
>>Kernel IP routing table
>>Destination Gateway Genmask Flags Metric Ref Use Iface
>>192.168.100.1 * 255.255.255.255 UH 0 0 0 ppp0
>>localnet * 255.255.255.0 U 0 0 0 eth1
>>default 192.168.100.1 0.0.0.0 UG 0 0 0 ppp0
>
>
> okay, I'd say you want a rule like this on your host:
>
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to-source <dynamic-ip>
>
> HTH,
> Herbert
>
>
>>best regards
>>Vincenzo
>>
>>
>>
>
>
Liam Helmer wrote:
> On Sat, 2004-12-18 at 12:28 +0100, Vincenzo Agosto wrote:
>
>>Herbert Poetzl wrote:
>>IP=`ifconfig ppp0 | grep inet | cut -d: -f2 | awk {'print $1'}`
>>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to-source $IP
>>same problem :(
>
>
> Wanna try quoting a little less message? ;)
>
> Add "-i ppp0" to the above line, it'll work better (e.g. -A POSTROUTING
> -i ppp0)
>
> Try a tcpdump now. If there's a problem, it may be that you're missing
> allow rules:
>
> iptables -I INPUT -i ppp0 -m state --state established,related -j ACCEPT
> iptables -I OUTPUT -o ppp0 -s 192.168.-j ACCEPT
>
> That may help.
>
> Cheers,
> Liam
>
>
>
Then... I added these iptables rules:
iptables -I INPUT -i ppp0 -m state --state established,related -j ACCEPT
iptables -I OUTPUT -o ppp0 -s 192.168.1.250 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to-source <MY IP>
next I enter my vserver:
<VSERVER> apt-get update
0% [Connecting to ftp2.it.debian.org (213.156.32.111)]
0% [Connecting to ftp2.it.debian.org (213.156.32.111)]

This is the tcpdump on my server:
<SERVER>
tcpdump: listening on ppp0
23:16:21.349582 192.168.1.250.46497 > 213.156.32.111.www: S
2478732283:2478732283(0) win 5808 <mss 1452,sackOK,timestamp 96399039
0,nop,wscale 0> (DF)
23:16:24.349087 192.168.1.250.46497 > 213.156.32.111.www: S
2478732283:2478732283(0) win 5808 <mss 1452,sackOK,timestamp 96399339
0,nop,wscale 0> (DF)
23:16:30.349088 192.168.1.250.46497 > 213.156.32.111.www: S
2478732283:2478732283(0) win 5808 <mss 1452,sackOK,timestamp 96399939
0,nop,wscale 0> (DF)
23:16:42.349084 192.168.1.250.46497 > 213.156.32.111.www: S
2478732283:2478732283(0) win 5808 <mss 1452,sackOK,timestamp 96401139
0,nop,wscale 0> (DF)

bye
Vincenzo

-- 
   иииииииииииииииииииииииииииииииииииииииииииииииии
   и     .--.                                 _    и
   и    |o_o |     Vincenzo                 /   \  и
   и    |:_/ |                             |  () | и
   и   //   \ \                            |  \_/  и
   и  (|     | )                            \      и
   и /'\_   _/`\                              \    и
   и \___)=(___/                           debian  и
   иииииииииииииииииииииииииииииииииииииииииииииииии
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
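
The captures in this thread show SYNs leaving ppp0 with the guest's private source 192.168.1.250, which is the sign that no SNAT rule matched them. As an added example (not part of any poster's message), this shell function scans tcpdump text in the format shown above for RFC 1918 sources sent to public destinations; the function names and the one LAN-to-LAN sample line are constructed.

```shell
#!/bin/sh
# Added example: flag private (RFC 1918) sources leaving a WAN interface un-NATed.

# Sample input: lines copied from the two ppp0 captures in this thread, plus
# one constructed LAN-to-LAN line (the last) that must not be flagged.
sample_capture() {
    cat <<'EOF'
18:38:14.626102 82.48.106.27.32769 > 81.74.224.227.domain: 41553+ A?
www.google.akadns.net. (39) (DF)
18:38:14.678478 192.168.1.250.41613 > 66.102.11.99.www: S
3858178163:3858178163(0) win 5808 <mss 1452,sackOK,timestamp 60170371
0,nop,wscale 0> (DF) [tos 0x10]
23:16:21.349582 192.168.1.250.46497 > 213.156.32.111.www: S
2478732283:2478732283(0) win 5808 <mss 1452,sackOK,timestamp 96399039
0,nop,wscale 0> (DF)
23:16:24.349087 192.168.1.250.46497 > 213.156.32.111.www: S
23:16:25.000000 192.168.1.250.32770 > 192.168.1.254.domain: 1+ A? example.test. (30)
EOF
}

# Reads classic tcpdump text on stdin; prints "COUNT SRC_IP" for every
# private source address seen sending to a non-private destination.
unnatted_sources() {
    awk '
    function is_private(o) {
        return (o[1] == 10) ||
               (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    # Header lines: TIME SRC.PORT > DST.PORT: ...
    # Wrapped continuation lines do not match and are skipped.
    $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9][.]/ && $3 == ">" {
        # Need four address octets plus a port (number or service name).
        if (split($2, s, /[.]/) < 5 || split($4, d, /[.]/) < 5) next
        if (is_private(s) && !is_private(d))
            seen[s[1] "." s[2] "." s[3] "." s[4]]++
    }
    END { for (ip in seen) print seen[ip], ip }
    ' | sort -k2
}

sample_capture | unnatted_sources   # run stand-alone on the sample
```

An empty result on a capture taken after the SNAT rule is loaded means no private source address is leaving the interface.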


Generated on Tue 21 Dec 2004 - 22:26:12 GMT by hypermail 2.1.3