Re: [vserver] VServer with Host as Gateway

From: Stuart Lester <stuart.lester_at_gmail.com>
Date: Wed 24 Oct 2007 - 19:44:03 BST
Message-ID: <2cda49570710241144i71d156e8sed775fb785bc6dfd@mail.gmail.com>

To quickly answer this...removing the -i options seemed to break the WAN for
everything except the HOST. PCs and VServer Guests failed to reach the WAN.

Stu

On 10/24/07, Nikolay Kichukov <hijacker@oldum.net> wrote:
>
> Hello,
> Just a quick read of the problem brought me to those 3 lines:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -i ${LAN} -s 10.50.50.0/255.255.255.0 -j ACCEPT
> iptables -A FORWARD -i ${WAN} -d 10.50.50.0/255.255.255.0 -j ACCEPT
>
> What if you skip the -i option?
>
> Packets that originate from the guest normally come out from the
> loopback interface of the host.
>
> HTH,
> - -Nik
>
>
> Stuart Lester wrote:
> > Ladies and Gentlemen,
> > I've spent the better part of the last 3 work days poring over how to do
> > what I'm about to ask. I feel that I'm a fairly strong admin, but this task
> > has certainly revealed my weakness -- advanced routing!
> > I've gone over the site docs, faqs, mailing lists, and spoken with some
> > helpful people on the IRC channels, but to no avail.
> >
> > My situation is this. I'm trying to get together a Linux gateway that will
> > also contain one or more vservers (so far just one). This gateway will go
> > in front of our local network and interface with the external WAN on eth0,
> > and will serve as the gateway for the LAN on eth1. This part I have working
> > just fine. The problem is when I try to add a vserver guest into the mix.
> >
> > I-Net
> > |
> > Cable Modem
> > |
> > Linksys Router (will go away eventually)
> > 192.168.100.1
> > |
> > 192.168.100.x subnet
> > |
> > eth0/192.168.100.254
> > Gateway/VServer Host
> > eth1/10.50.50.1
> > |
> > 10.50.50.x subnet --- PCs and such
> > |
> > eth1/10.50.50.10
> > VServer Guest
> >
> > From a PC on the 10.50.50.x subnet, I can ping the WAN, the Gateway/Host
> > (10.50.50.1), and the Guest (10.50.50.10)
> >
> > From the Gateway/Host, I can ping the local IP (10.50.50.1), the Guest
> > (10.50.50.10), the PC on the LAN, and the WAN
> >
> > From the Vserver/Guest, I can ping the local IP (10.50.50.10), the
> > Gateway/Host (10.50.50.1), and the local PC, but NOT anything outside of
> > the 10.50.50.x subnet:
> > GUEST ~ # ping 192.168.100.1
> > connect: Invalid argument
> >
> > I'm fairly convinced that I need to set up some routes/rules with
> > alternate tables, but I've been wholly unsuccessful in this endeavor. My
> > most recent (and promising) lead was this mailing list message:
> > http://archives.linux-vserver.org/200704/0030.html
> > I have also tried: http://archives.linux-vserver.org/200311/0470.html
> >
> > Unfortunately, however, I believe that isn't quite the same setup as I am
> > trying to have the host be a gateway rather than just have two different
> > NICs.
> >
> > Finally, here is my (gentoo) network config:
> >
> > # /etc/conf.d/net
> > config_eth0=( "192.168.100.254/24" )
> > config_eth1=(
> > "10.50.50.1/24"
> > "10.50.50.10/24"
> > )
> > routes_eth0=( "192.168.100.0/24 src 192.168.100.254 table 192net1")
> > routes_eth1=( "10.50.50.0/24 src 10.50.50.10 table 192net2")
> > routes_eth1=( "10.50.50.0/24 src 10.50.50.1 table 192net2")
> > routes_eth0=( "default via 192.168.100.1 table 192net1" )
> > routes_eth1=( "default via 10.50.50.1 table 192net2" )
> > routes_eth0=( "default via 192.168.100.1" )
> > rules_eth0=( "from 192.168.100.0/24 table 192net1")
> > rules_eth1=( "from 10.50.50.0/24 table 192net2" )
> >
> > #/root/bin/iptables.sh
> > export LAN=eth1
> > export WAN=eth0
> > iptables -F
> > iptables -t nat -F
> > iptables -P INPUT ACCEPT
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD DROP
> > iptables -A FORWARD -i ${LAN} -s 10.50.50.0/255.255.255.0 -j ACCEPT
> > iptables -A FORWARD -i ${WAN} -d 10.50.50.0/255.255.255.0 -j ACCEPT
> > iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
> > /etc/init.d/iptables save
> >
> > I'm going a little bit batty trying to get this working...I think I'm
> > close, but this is just an odd/nonstandard config. Please, any assistance
> > you can offer would be wonderful.
> >
> > Stu
> >
>
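The FORWARD pair Nik quotes accepts any WAN packet addressed to the LAN, not only replies to connections the LAN opened. As an added example (not from the thread or the vserver project), the script below emits the same gateway ruleset with connection tracking; IPT defaults to "echo iptables" so the result can be reviewed offline, and the 10.50.50.0/24 net and eth0/eth1 names are taken from the original mail.

```shell
#!/bin/sh
# Added example: stateful FORWARD rules for a host that is both the LAN
# gateway and a vserver host. With IPT unset the commands are only printed;
# run with IPT=iptables on the gateway to apply them.
LAN=${LAN:-eth1}
WAN=${WAN:-eth0}
LANNET=${LANNET:-10.50.50.0/24}
IPT=${IPT:-echo iptables}

# The two rules from the thread, for comparison. The second one is stateless:
# it lets any packet arriving on the WAN side through to the LAN.
weak_forward_rules() {
    $IPT -A FORWARD -i "$LAN" -s "$LANNET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -d "$LANNET" -j ACCEPT
}

# Hardened replacement: the LAN may open connections, the WAN may only answer
# them, and everything else is logged and dropped by policy.
# Note: with Linux-VServer the guest shares the host's network stack, so the
# guest's own traffic is locally generated and passes OUTPUT/POSTROUTING, not
# FORWARD (this matches Nik's remark about the loopback interface).
hardened_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$LANNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Only masquerade what actually comes from the LAN, not arbitrary sources.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE
}

# Dry run by default: prints the ruleset so it can be diffed against the
# original /root/bin/iptables.sh before anything is applied.
hardened_forward_rules
```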
Received on Wed Oct 24 19:44:21 2007
