From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 05 Sep 2005 - 16:07:49 BST
On Sun, Sep 04, 2005 at 11:28:53PM -0700, Hilco Wijbenga wrote:
> Thanks for your very fast response, Herbert.
> I tried what you suggested but it doesn't seem to make any difference.
> Btw, your approach seems to indicate that I need a static IP? Or at
> least that I update my firewall rules when my IP changes?
yes, unless you take measures to make dynamic IP
rewriting based on primary interface IPs work ...
but usually the IP is assigned via some script,
so it's pretty easy to update the iptables rule
there, you could even use a dedicated chain to
do that (which is simply flushed and rewritten)
> On 9/4/05, Herbert Poetzl <herbert_at_13thfloor.at> wrote:
> > your problem is that the guest send packets with
> > a source IP in the private range, but the host does
> > not SNAT them to the public IP (and masquerading does
> > not apply to host generated packets)
> > verify that with 'tcpdump -vvnei eth1 icmp' on the
> > host and a 'ping -c 1 184.108.40.206' inside the guest
> > you can fix that with an SNAT rule like this:
> > iptables -t nat -I POSTROUTING -s A.B.C.1 -j SNAT --to X.Y.Z.W
> gargoyle vservers # tcpdump -vvnei eth1 icmp
> tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
> 23:13:39.940738 xx:xx:xx:xx:xx:xx > yy:yy:yy:yy:yy:yy, ethertype IPv4
> (0x0800), length 98: IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF],
> length: 84) A.B.C.2 > 220.127.116.11: icmp 64: echo request seq 1
well, last time you listed A.B.C.1 as the guest IP,
but maybe I just got that wrong, in this case your
'magic' line would be:
iptables -t nat -I POSTROUTING -s A.B.C.2 -j SNAT --to X.Y.Z.W
with X.Y.Z.W being your 'public' ip address ...
> I get the exact same output (except for the timestamp) after adding
> the iptables rule. Did I do something wrong?
check it with the new rule, and/or extend the -s A.B.C.x to
something like -s A.B.C.0/24
Vserver mailing list
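The dedicated, flushed-and-rewritten nat chain Herbert suggests for a dynamic public IP, as an added example (not code from the thread). It assumes eth1 is the public interface, VS_SNAT is our own chain name, A.B.C.0/24 stands in for the real guest range as in the thread, and iproute2's `ip` is available for the address lookup.

```shell
#!/bin/sh
# Added example: rebuild the guest SNAT rule in a dedicated nat chain each
# time the public address changes. All names below are assumptions:
# A.B.C.0/24 (guest range placeholder), eth1 (public interface), VS_SNAT (chain).
GUEST_NET="${GUEST_NET:-A.B.C.0/24}"
PUB_IF="${PUB_IF:-eth1}"
CHAIN="${CHAIN:-VS_SNAT}"
IPTABLES="${IPTABLES:-iptables}"       # set to "echo iptables" for a dry run

# Extract the IPv4 address from one line of 'ip -4 -o addr show dev $PUB_IF'
# output, e.g. "2: eth1    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth1".
addr_from_ip_output() {
    printf '%s\n' "$1" | sed -n 's|.*inet \([0-9.]*\)/.*|\1|p'
}

# Current public IP of the primary interface (requires iproute2).
current_public_ip() {
    addr_from_ip_output "$(ip -4 -o addr show dev "$PUB_IF" | head -n 1)"
}

# Print the iptables commands that rebuild the chain for guest range $1 and
# public IP $2. The chain is created and hooked into POSTROUTING only once;
# on every address change it is flushed and refilled, so stale SNAT rules
# for an old public IP never accumulate.
snat_commands() {
    guest_net="$1"; pub_ip="$2"
    cat <<EOF
$IPTABLES -t nat -N $CHAIN 2>/dev/null || true
$IPTABLES -t nat -C POSTROUTING -j $CHAIN 2>/dev/null || $IPTABLES -t nat -A POSTROUTING -j $CHAIN
$IPTABLES -t nat -F $CHAIN
$IPTABLES -t nat -A $CHAIN -s $guest_net -o $PUB_IF -j SNAT --to-source $pub_ip
EOF
}

# Look up the current address and apply the generated commands.
apply_snat() {
    pub_ip="$(current_public_ip)"
    [ -n "$pub_ip" ] || { echo "no IPv4 address on $PUB_IF" >&2; return 1; }
    snat_commands "$GUEST_NET" "$pub_ip" | sh
}

# Only touch the firewall when explicitly asked (SNAT_APPLY=1), so the file
# can also be sourced just for its functions.
if [ "${SNAT_APPLY:-0}" = 1 ]; then apply_snat; fi
```

Run it as root with `SNAT_APPLY=1` from whatever hook assigns the public address (a PPP ip-up or DHCP client exit hook), and compare with `iptables -t nat -L VS_SNAT -n` afterwards.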