From: roland <for...@gm...> - 2004-06-21 20:53:13
hi paolo, are you _really_ sure ? can't we have dnat with ebtables, too ? i found http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html#section4 and that looks exactly like what i need (can you/someone acknowledge?).

what i want is redirecting a dedicated tcp port to a private ip on the host, and all i have is 4 UML ips which are connected via tun/tap bridge to the outside world. so i think of "stealing" _one_ tcp port of _one_ uml to have a connection to the HOST, which has no public ip. the packet arrives, ebtables inspects it, sees the destination ip/port and decides to rewrite the destination address/port. sounds plausible to me - and elegant, too.

i think i don't give up before one more person tells me that won't work.

thanks for the long answer/explanation so far!

roland

----- Original Message -----
From: "BlaisorBlade" <bla...@ya...>
To: "roland" <for...@gm...>; "uml-user" <use...@li...>
Sent: Monday, June 21, 2004 9:07 PM
Subject: Re: [uml-user] ebtables/bridge-nf & uml

> At 23:20, Sunday 20 June 2004, roland wrote:
> > hi!
> >
> > can bridge-nf/ebtables be used to forward/redirect a dedicated tcp port to
> > a private ip/port on the host ? i.e. all traffic would go to the 4 assigned
> > uml ip's and i would just "abuse" port 22222 (or whatever) of umlX to be
> > redirected (at kernel level, no matter if the uml's are up or down) to
> > 10.0.0.1 , tcp port 22, which is the ssh daemon listening on the host
> > interface....
> >
> > any hint?
>
> Well, use iptables and the DNAT/SNAT targets on the host (which means being
> root or asking the provider). They exist exactly for this (using
> --to-port). Ebtables can't help you *for this* because it works on a lower
> level (i.e. ebtables speaks about MACs, not IPs; there are maybe some little
> exceptions, but the general rule is the one I said).
>
> But, if you want to set up some public IP's on the guest and (I guess) a
> private IP on the host, then you'll need a lot of work with
> I-don't-know-what-hell-of-stuff, since the UML could reach the host easily,
> but the host would maybe not be known to his gateways (your provider would
> probably refuse to set them up for this strange host). You could, more easily,
> give one UML a private IP, to the host his public IP, and say on the host:
>
> #For not TCP, it goes to UML
> iptables -t nat -A PREROUTING -d $Hostip ! -p tcp -j DNAT --to $UML_privateIP
> #For TCP but port != 22222, it goes to UML
> iptables -t nat -A PREROUTING -d $Hostip -p tcp ! --dport 22222 -j DNAT --to $UML_privateIP
>
> Then you're done. This UML will be on a private IP but it will appear as if
> it's on his host IP. Maybe you also want to remove and add these rules when
> UML is shut down or started... you'll probably move them on a user-defined
> chain, and remove/add the call to this chain (the call must be done only for
> that IP, and then it's moved out of the two rules; this could maybe also
> improve filtering performances).
>
> Bye
> --
> Paolo Giarrusso, aka Blaisorblade
> Linux registered user n. 292729
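The two DNAT rules quoted above, moved into a user-defined nat chain with a single PREROUTING hook the way Paolo suggests, as an added example that is not code from the thread; the chain name UML_DNAT, the function names and the IPT variable are assumptions, and IPT=echo prints the commands instead of running them:

```shell
#!/bin/sh
# Added example: Paolo's two DNAT rules wrapped in a user-defined nat chain
# (assumed name UML_DNAT) with one PREROUTING hook for the host IP.
# IPT defaults to iptables; set IPT=echo to print the commands instead.
IPT="${IPT:-iptables}"

# Accept only a TCP port number, so a typo cannot turn the
# "keep this port for the host" exclusion into a rule that matches nothing.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# uml_nat_up HOST_IP UML_PRIVATE_IP KEEP_PORT
# Everything addressed to HOST_IP is DNATed to the UML except TCP/KEEP_PORT,
# which stays with the host (its own sshd in the thread).
uml_nat_up() {
    host_ip="$1"; uml_ip="$2"; keep_port="$3"
    valid_port "$keep_port" || { echo "bad port: $keep_port" >&2; return 2; }
    "$IPT" -t nat -N UML_DNAT
    # non-TCP traffic goes to the UML
    "$IPT" -t nat -A UML_DNAT ! -p tcp -j DNAT --to "$uml_ip"
    # TCP other than the kept port goes to the UML
    "$IPT" -t nat -A UML_DNAT -p tcp ! --dport "$keep_port" -j DNAT --to "$uml_ip"
    # the only hook: packets for other addresses never enter the chain
    "$IPT" -t nat -A PREROUTING -d "$host_ip" -j UML_DNAT
}

# uml_nat_down HOST_IP: drop the hook first, then flush and delete the chain
uml_nat_down() {
    "$IPT" -t nat -D PREROUTING -d "$1" -j UML_DNAT
    "$IPT" -t nat -F UML_DNAT
    "$IPT" -t nat -X UML_DNAT
}
```

Running uml_nat_up when the UML boots and uml_nat_down when it stops adds or removes only the one hook rule, leaving the rest of the nat table untouched.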