From: Nolan D. <no...@th...> - 2006-01-31 23:37:08
Hello. If there is an answer to this somewhere in the FAQ or documentation then do let me know, but I've yet to find it. :)

My home network consists of one physical server running a firewall and hosting two vservers (http://www.linux-vserver.org/). I'd like to host various services on these servers and treat them like real firewalled servers, but while traffic leaves them just fine, it is impossible to use DNAT to forward ports to them.

I've followed the two-interface quickstart guide, and I have everything working but this. That is, the traffic I want leaving the firewall leaves, and the traffic I want blocked is blocked. I'm SNATing several desktops and wireless clients behind the firewall just fine. Additionally, I can initiate outbound connections from my vservers just fine, and they function quite nicely, other than not being reachable via any DNAT rules I try patterned off of those in the quickstart guide.

I followed the instructions in the FAQ concerning clearing the number of DNATed packets and running "shorewall show nat". Sure enough, packets are reaching the server, and the FAQ indicates that my gateway is set incorrectly on the vserver. I've posted a similar query to the vserver list, and here are some excerpts of the reply I received:

---
as the guests reside on the firewall, they will not 'forward' packets to the host, instead they will, as the networking _is_ on the host, simply use the host routing to send and/or receive packets ...

now, that means two things, one which you seem to have mastered already, namely SNAT-ing the outgoing traffic to the public IP, nevertheless I'll mention it here again so that we know what we are talking about: basically a rule like this (no idea how to do that with shorewall) allows your guests to reach the big world ...

    iptables -t nat -I POSTROUTING -s 192.168.0.2 -j SNAT --to 123.45.67.89

you can spice that up with outgoing interface and/or use a special chain for all guests, or just repeat it for every guest ...

now for incoming traffic, you have to do a similar trick to 'map' the public IP (which will be reached from the outside) to your guests ... note: this is _not_ required for packets reaching the machine on the 192.168.0.x network as they will already use the proper interface and address

something like

    iptables -t nat -I PREROUTING -i eth0 -d 123.45.67.89 \
        -p tcp --dport 2222 -j DNAT --to 192.168.0.2:22

should allow you to reach the first guest's sshd (assumed it doesn't clash with the host's sshd) from the outside .. of course, the previous SNAT rule is required to get the replies back ...
---

As the snippet mentions, I seem to have accomplished the first part in shorewallese. How would I go about implementing the second rule, the one to DNAT the inbound SSH connection, if the DNAT rules in the documentation aren't up to the task? Or is this something that shorewall isn't made to accomplish, as the networking for the vservers is all happening on the host system?

I've distilled what I am trying to do down to one simple (hopefully :) task. My external interface eth0 in zone net is at 66.93.216.223. I'd like to forward any SSH connections to 66.93.216.223 to 192.168.0.3. 0.3 is a vserver running sshd and hosting a number of useful shell apps but no servers. The DNAT rule examples in the documentation cannot accomplish this because I cannot set a gateway in the vserver.

Is there any way to accomplish this with shorewall? If not, is there another virtualization solution that would work better? I, unfortunately, can't obtain any additional physical servers at the moment, but still wish the benefits of multiple, separate virtual spaces.

Statistics:

    # shorewall version
    3.0.4

    # ip addr
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:c0:9f:0e:5a:25 brd ff:ff:ff:ff:ff:ff
        inet 66.93.216.223/24 brd 66.93.216.255 scope global eth0
        inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
        inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary eth0
        inet6 fe80::2c0:9fff:fe0e:5a25/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:c0:9f:0e:5a:24 brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1
        inet6 fe80::2c0:9fff:fe0e:5a24/64 scope link
           valid_lft forever preferred_lft forever
    4: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0

    # ip route
    66.93.216.0/24 dev eth0  proto kernel  scope link  src 66.93.216.223
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
    192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3
    default via 66.93.216.1 dev eth0

Please let me know if there is any additional information I can provide. I've been googling and asking about this for some time now, and am not quite sure where to go from here.

Thanks a bunch.
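The `ip addr` output quoted in the post shows that the intended DNAT target 192.168.0.3 is an address configured on the host's own eth0, not on a separate machine behind the firewall. The script below is an added diagnostic (not from the original post or from the Shorewall project) that checks whether a DNAT target is host-local: after PREROUTING DNAT, the routing decision delivers packets to a local address through INPUT rather than FORWARD, which is the distinction the FAQ's "wrong gateway on the server" hint does not cover. The sample input is the post's `ip addr` output embedded as a constructed string.

```shell
#!/bin/sh
# Added diagnostic: is a DNAT target address configured on this host?
# Constructed sample: the `ip addr` output quoted in the post, so the
# script runs offline. Replace with "$(ip -4 addr)" on a live box.
IP_ADDR_OUTPUT='1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:9f:0e:5a:25 brd ff:ff:ff:ff:ff:ff
    inet 66.93.216.223/24 brd 66.93.216.255 scope global eth0
    inet 192.168.0.3/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:9f:0e:5a:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1'

# local_iface ADDR [IP_ADDR_TEXT]
# Prints the interface carrying ADDR, or nothing if ADDR is not local.
local_iface() {
    addr=$1
    text=${2:-$IP_ADDR_OUTPUT}
    printf '%s\n' "$text" | awk -v want="$addr" '
        # "2: eth0: <...>" lines start a new interface block
        /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }
        # "inet A.B.C.D/NN ..." lines list the addresses of that block
        $1 == "inet" { split($2, a, "/"); if (a[1] == want) { print iface; exit } }
    '
}

# dnat_target_class ADDR [IP_ADDR_TEXT]
# "local": DNATed packets are delivered via INPUT on this host.
# "remote": DNATed packets are FORWARDed, so the target needs a route back.
dnat_target_class() {
    if [ -n "$(local_iface "$1" "${2:-$IP_ADDR_OUTPUT}")" ]; then
        echo local
    else
        echo remote
    fi
}

# The post's case: SSH DNAT to the vserver at 192.168.0.3
for target in 192.168.0.3 192.168.0.50; do
    echo "$target -> $(dnat_target_class "$target") ${IFACE:+}$(local_iface "$target")"
done
```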