Re: [Vserver] routing between host and guest

From: ADNET Ghislain <gadnet_at_aqueos.com>
Date: Fri 09 Feb 2007 - 12:39:46 GMT
Message-ID: <45CC6B92.2050306@aqueos.com>

From what I got, it seems that the traffic from host to guest goes via the lo interface. The logs indicate that it does
not DNAT from lo:

Feb 9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64
ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64
ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64
ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip
DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0
WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip
DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0
RES=0x00 ACK RST URGP=0

My log rule in POSTROUTING is triggered but not the one I put in PREROUTING. Is it normal that traffic on "lo" bypasses
PREROUTING, or did I make a mistake here?

Chain PREROUTING (policy ACCEPT 4601 packets, 239K bytes)
  pkts bytes target prot opt in out source destination
     0 0 pre10.11.1.1 all -- lo * 0.0.0.0/0 my.pub.lic.ip
  1389 79355 pre10.11.1.1 all -- * * 0.0.0.0/0 my.pub.lic.ip

regards,
Ghislain.

server:/usr/local/.aqadmin/home%(aqadmin)> ifconfig
eth0 Lien encap:Ethernet HWaddr 00:30:48:80:35:98
           inet adr:my.pub.lic.ip Bcast:my.public.net.255 Masque:255.255.255.240
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           RX packets:50547354 errors:0 dropped:0 overruns:0 frame:0
           TX packets:46120605 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:100
           RX bytes:967618327 (922.7 MiB) TX bytes:208844340 (199.1 MiB)
           Adresse de base:0xb000 Mémoire:f0000000-f0020000

eth0:1111 Lien encap:Ethernet HWaddr 00:30:48:80:35:98
           inet adr:10.11.1.1 Bcast:0.0.0.0 Masque:255.255.255.255
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           Adresse de base:0xb000 Mémoire:f0000000-f0020000

lo Lien encap:Boucle locale
           inet adr:127.0.0.1 Masque:255.0.0.0
           UP LOOPBACK RUNNING MTU:16436 Metric:1
           RX packets:188383 errors:0 dropped:0 overruns:0 frame:0
           TX packets:188383 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 lg file transmission:0
           RX bytes:24591743 (23.4 MiB) TX bytes:24591743 (23.4 MiB)

server:/usr/local/.aqadmin/home%(aqadmin)> sudo iptables -L -vn
Chain INPUT (policy ACCEPT 51M packets, 30G bytes)
  pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 46M packets, 3496M bytes)
  pkts bytes target prot opt in out source destination

server:/usr/local/.aqadmin/home%(aqadmin)> sudo iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 4601 packets, 239K bytes)
  pkts bytes target prot opt in out source destination
   666 34304 pre10.11.1.1 all -- * * 0.0.0.0/0 my.pub.lic.ip

Chain POSTROUTING (policy ACCEPT 9432 packets, 644K bytes)
  pkts bytes target prot opt in out source destination
     8 518 post10.11.1.1 all -- * * 10.11.1.1 !10.11.1.1

Chain OUTPUT (policy ACCEPT 34439 packets, 2175K bytes)
  pkts bytes target prot opt in out source destination

Chain post10.11.1.1 (1 references)
  pkts bytes target prot opt in out source destination
    74 4562 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:my.pub.lic.ip

Chain pre10.11.1.1 (1 references)
  pkts bytes target prot opt in out source destination
   666 34304 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:10.11.1.1

server:/usr/local/.aqadmin/home%(aqadmin)> telnet my.pub.lic.ip 80
Trying my.pub.lic.ip...
telnet: Unable to connect to remote host: Connection refused

server:/usr/local/.aqadmin/home%(aqadmin)> telnet 10.11.1.1 80
Trying 10.11.1.1...
Connected to 10.11.1.1.
Escape character is '^]'.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved here.</p>
<hr>
<address>Apache/2.0.54 (Debian GNU/Linux) </address>
</body></html>
Connection closed by foreign host.

server:/usr/local/.aqadmin/home%(aqadmin)> sudo sysctl -a |grep forward
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1

I got this in the logs:

Feb 9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64
ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64
ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64
ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0 WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip
DST=my.pub.lic.ip LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=14753 DF PROTO=TCP SPT=42145 DPT=80 SEQ=3647414246 ACK=0
WINDOW=32792 RES=0x00 SYN URGP=0
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=my.pub.lic.ip DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=my.pub.lic.ip
DST=my.pub.lic.ip LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=42145 SEQ=0 ACK=3647414247 WINDOW=0
RES=0x00 ACK RST URGP=0

It seems that it does not NAT for lo?

regards,
Ghislain.

> Hello,
>
> I have some trouble with the routing between host and guest. I have a
> guest with a 10.x IP and a public IP different from the host's public
> IP. I have set up DNAT and SNAT between the 10.x and the guest public IP and
> it works from outside, but I cannot telnet to port 80 on my guest from the
> host, nor telnet to my guest's public IP from inside the guest itself.
> Can anyone point me to a little "how-to" on this? I googled but failed to find
> one.
>
>
> using 2.16.19.2 with 2.2.0rc10 patch on debian
>
>

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
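An added example, not part of the thread: a small POSIX shell script that reads the hook names off LOG lines of the kind shown above (the prefix before "IN=" is the hook that fired) and prints the nat rules with the OUTPUT-chain DNAT that locally generated traffic needs, since packets a host sends to itself traverse the nat OUTPUT chain and never PREROUTING. The log lines are constructed, 203.0.113.10 stands in for my.pub.lic.ip, and 10.11.1.1 is the guest address from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). The author's LOG rules put the
# hook name directly in front of "IN=", e.g. "POSTROUTEIN=". Locally generated
# packets (OUT=lo, SRC=DST=own IP) go OUTROUTE -> OUTPUT -> POSTROUTE -> INPUT and
# never reach PREROUTING, so a DNAT rule that lives only there cannot match them.
PUBLIC_IP="203.0.113.10"   # placeholder for my.pub.lic.ip
GUEST_IP="10.11.1.1"       # guest address from the thread

# Constructed sample log lines for one SYN (IP ID 14753), in the order they fired.
SAMPLE_LOG='Feb 9 12:30:30 server kernel: OUTROUTEIN= OUT=lo SRC=203.0.113.10 DST=203.0.113.10 ID=14753 DF PROTO=TCP SPT=42145 DPT=80
Feb 9 12:30:30 server kernel: OUTPUTIN= OUT=lo SRC=203.0.113.10 DST=203.0.113.10 ID=14753 DF PROTO=TCP SPT=42145 DPT=80
Feb 9 12:30:30 server kernel: POSTROUTEIN= OUT=lo SRC=203.0.113.10 DST=203.0.113.10 ID=14753 DF PROTO=TCP SPT=42145 DPT=80
Feb 9 12:30:30 server kernel: INPUTIN=lo OUT= SRC=203.0.113.10 DST=203.0.113.10 ID=14753 DF PROTO=TCP SPT=42145 DPT=80'

# hooks_for_id ID: print the hook names logged for one IP ID, space separated.
hooks_for_id() {
    printf '%s\n' "$SAMPLE_LOG" | grep " ID=$1 " \
        | sed 's/^.*kernel: \([A-Z]*\)IN=.*$/\1/' | tr '\n' ' ' | sed 's/ $//'
}

# missing_prerouting ID: exit 0 when the packet was seen in OUTPUT but never in
# PREROUTE, i.e. it is locally generated and a nat OUTPUT rule is needed for it.
missing_prerouting() {
    hooks=$(hooks_for_id "$1")
    case " $hooks " in
        *" PREROUTE "*) return 1 ;;
        *" OUTPUT "*)   return 0 ;;
    esac
    return 1
}

# nat_rules: print (do not apply) the author's PREROUTING/POSTROUTING rules plus
# the OUTPUT-chain DNAT. PREROUTING still serves packets arriving on eth0; the
# OUTPUT rule covers the host reaching the guest via its public IP and, since a
# vserver guest shares the host's network stack, the guest reaching its own public IP.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -d $PUBLIC_IP -j DNAT --to-destination $GUEST_IP
iptables -t nat -A OUTPUT -d $PUBLIC_IP -j DNAT --to-destination $GUEST_IP
iptables -t nat -A POSTROUTING -s $GUEST_IP ! -d $GUEST_IP -j SNAT --to-source $PUBLIC_IP
EOF
}

echo "hooks for ID 14753: $(hooks_for_id 14753)"
missing_prerouting 14753 && echo "locally generated: needs DNAT in nat OUTPUT"
nat_rules
```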

Received on Fri Feb 9 16:51:45 2007
Generated on Fri 09 Feb 2007 - 16:52:18 GMT by hypermail 2.1.8