
Proxmox NAT with Virtual Macs


Myatu
05-12-2010, 12:28
Quote Originally Posted by keyjey
I get the error iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

I guess this means missing mods in the kernel ? argh
You need to do this on the host, not inside a VM. It should work, as the other "iptables" command (for allowing VMs direct access to the Internet) worked.

keyjey
05-12-2010, 02:47
***

keyjey
05-12-2010, 02:33
I get the error iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)

I guess this means missing mods in the kernel ? argh

Myatu
05-12-2010, 00:26
That's on the host:
Code:
# Match on the destination (host) address with -d; a --source match would only
# fire for packets sent by the host itself, never for internet clients.
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 94.23.237.9 --dport 25 -j DNAT --to-destination 10.0.10.11:25
This would set up routing for 94.23.237.9:25 --> VM (10.0.10.11:25). It shouldn't make a difference whether you specify "-i eth0" or "-i vmbr0".

If no traffic is ending up at the VM, check on the host with "tcpdump -ni eth0 port 25" and then from another session or machine "telnet 94.23.237.9 25"

keyjey
04-12-2010, 18:34
Quote Originally Posted by Myatu
Ok, so just to clarify:

Internet --> (Host:25) --> VM works.
VM --> (Host) --> Internet does not work.

Correct?
No, sorry... I never could see port 25 of the VM from the internet. There was no communication, but now I can see the internet from the VM after your last suggestion.

So we just need to make port 25 of the VM visible from the internet.

keyjey
04-12-2010, 18:12
Yes, after executing that iptables command the VM can now see the public internet, but from the internet I still can't see port 25 of the VM.

Should I use an iptables command for the reverse direction? I mean to reach port 25 of the VM from the internet.

Thanks !

Myatu
04-12-2010, 14:56
Quote Originally Posted by keyjey
the VM sees the host and vice versa, but the VM can't go through the NAT, so it can't see the internet.
Ok, so just to clarify:

Internet --> (Host:25) --> VM works.
VM --> (Host) --> Internet does not work.

Correct?

If so, you just need to add a way which makes 10.x.x.x routable over the internet (which isn't normally the case, hence you don't get any replies to Internet requests). You do this using the following (on the host only):

Code:
# Rewrite the source of outbound guest traffic to the host's public IP.
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j SNAT --to-source 91.1.2.3
Where 10.0.0.0/8 is the address range you wish to permit access to the Internet (10.0.0.1-10.255.255.254 in this case) and 91.1.2.3 is the actual IP of the host.

keyjey
02-12-2010, 03:11
jdad

keyjey
02-12-2010, 03:10
Yes, I just want to use a specific port; in this case I just want to route port 25 from the host IP to the VM through NAT. But since I was using a secondary NIC and the VM was already connected to the internet, I decided to create a new CentOS VPS with just one NIC connected to the host NAT, and here is the problem: the VM sees the host and vice versa, but the VM can't go through the NAT, so it can't see the internet.

On Host:

auto vmbr0
iface vmbr0 inet static
address 94.23.237.9
netmask 255.255.255.0
network 94.23.237.0
broadcast 94.23.237.255
gateway 94.23.237.254
bridge_ports eth0
bridge_stp off
bridge_fd 0

On VM:

/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=yes
TYPE=Ethernet
IPADDR=10.0.10.11
NETMASK=255.0.0.0
GATEWAY=10.0.10.1
ARP=yes

and

/etc/sysconfig/network-scripts/route-eth0
10.0.10.1 dev eth0
default via 10.0.10.1 dev eth0

And it seems that NAT is not working... I can see private Class A IPs but not the internet from the VM. Oh, I also have other VMs not using NAT working without any problems on this same host.

Any idea ?

Thanks !

Myatu
01-12-2010, 18:43
Keep in mind that these instructions were for sharing the Host IP with one or more VMs.

So for example:

91.1.2.3:80 (HTTP) --> 10.0.10.1:80
=
Code:
# -d matches the public (host) address the client connected to.
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 91.1.2.3 --dport 80 -j DNAT --to-destination 10.0.10.1:80
etc...

You can't use the Host IP's port more than once (except with some trickery or a proxy).

If you want all traffic (regardless of port) to go to a specific VM, you need to use a failover IP address instead.

keyjey
01-12-2010, 15:35
Hi, I followed your post and it was all pretty easy: VMs can see the internet through the NAT, but I can't make external connections pass through the NAT and arrive at the VM.

Why can this be ?

I use Kimsufi i7-2T - ProxMox 1.6

/etc/network/interfaces

# for Routing
auto vmbr1
iface vmbr1 inet static
address 10.0.10.1
netmask 255.0.0.0
bridge_ports dummy0
bridge_stp off
bridge_fd 0
post-up /etc/pve/kvm-networking.sh

The VM is an OpenVZ container using this vmbr1, with IP 10.0.10.10; it can ping 10.0.10.1, routing works, and it can also see the internet.

Thanks, and sorry for my bad English!

Greets.

Myatu
15-03-2010, 10:24
Well, unfortunately you do have to setup (D)NAT regardless of the approach, it's the nature of the beast.

You can either rewrite vmbr1 a bit, or add a vmbr2, like so:

Code:
auto vmbr2
iface vmbr2 inet static
    address 10.0.0.1
    netmask 255.0.0.0
    bridge_ports dummy0
    bridge_stp off
    bridge_fd 0
    post-up /etc/pve/kvm-networking.sh
Specify the bridge (vmbr1 or vmbr2) when you create/add a network interface to the KVM. Then within the Debian KVM, edit the /etc/network/interfaces file:

Code:
auto eth0
iface eth0 inet static
    # address: whatever you'd like in the 10.x.x.x range
    address 10.0.0.2
    netmask 255.0.0.0
    gateway 10.0.0.1
Now you can do the port forwarding, i.e. from the host to a web server running on 10.0.0.2:

Code:
# -d matches the host's public address; --source would never match inbound client traffic.
iptables -t nat -A PREROUTING -i eth0 -p tcp -d MY.HO.ST.IP --dport 80 -j DNAT --to-destination 10.0.0.2:80
Also, if you're blocking ports by default, add:

Code:
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth0 -j ACCEPT
These iptables settings don't survive a reboot though. You can choose to use something like Shorewall (as explained in my article you referred to; Montana Linux is a slightly modified copy of that) or use iptables-save / iptables-restore. In the latter case, add one extra line to the vmbr1 / vmbr2 stanza, like so:

Code:
auto vmbr2
iface vmbr2 inet static
    address 10.0.0.1
    # ... existing, etc ...
    post-up /sbin/iptables-restore < /etc/iptables.conf
And after you make changes with a manual "iptables" command and are satisfied it works, save it with ...

Code:
iptables-save > /etc/iptables.conf
... and it'll be reloaded after a re-boot.
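The pieces spread over the posts above (outbound SNAT, inbound per-port DNAT, the host-side accept rule, and saving the ruleset for the post-up iptables-restore) fit together as one host-side script. This is an added example, not code from the thread or from Proxmox. The public IP 94.23.237.9 and the guest 10.0.10.11 are the ones keyjey posted; WAN_IF, LAN_IF, the rules file path and the IPT/SYSCTL command variables are assumptions, and 10.0.0.2 follows Myatu's web-server example. It also turns on net.ipv4.ip_forward, which none of the posts mention but which the host needs before any DNAT or SNAT rule can move a packet between vmbr0 and the dummy0 bridge.

```shell
#!/bin/sh
# Added example (not from the thread): host-side NAT for Proxmox guests on a
# private dummy0 bridge. Run on the host, never inside a guest.
#
# Assumptions (placeholders unless stated):
#   HOST_IP  public address on the uplink bridge (keyjey's 94.23.237.9)
#   WAN_IF   bridge that carries the public IP (vmbr0 in the thread)
#   LAN_IF   bridge on dummy0 that the guests sit on (vmbr1/vmbr2 in the thread)
#   LAN_NET  guest range allowed to borrow the host IP
# IPT and SYSCTL exist so the script can be dry-run with IPT=echo SYSCTL=echo.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
HOST_IP="${HOST_IP:-94.23.237.9}"
WAN_IF="${WAN_IF:-vmbr0}"
LAN_IF="${LAN_IF:-vmbr2}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
RULES_FILE="${RULES_FILE:-/etc/iptables.conf}"

# Forwarding is off on a stock host. Without it a DNAT rule still rewrites the
# packet, and the kernel then drops it instead of routing it to the guest.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# Outbound: rewrite guest sources to the host IP on the uplink only, and let
# the replies back through FORWARD (only needed if FORWARD's policy is DROP).
nat_outbound() {
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$HOST_IP"
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Inbound: forward one public TCP port to one guest.
# The match is on the DESTINATION address (-d). A rule that uses --source
# HOST_IP only matches packets the host itself sends and never fires for
# internet clients, which leaves the guest port unreachable.
# usage: dnat_port PUBLIC_PORT GUEST_IP [GUEST_PORT]
dnat_port() {
    pub_port="$1"; guest_ip="$2"; guest_port="${3:-$1}"
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$HOST_IP" \
        --dport "$pub_port" -j DNAT --to-destination "$guest_ip:$guest_port"
    # FORWARD sees the packet after DNAT, so filter on the guest address and
    # port, not the public ones. Forwarded traffic never visits INPUT, so the
    # INPUT accept in the thread only matters for services on the host itself.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$guest_ip" \
        --dport "$guest_port" -m state --state NEW -j ACCEPT
}

# Persist the live ruleset where the bridge stanza's
# "post-up /sbin/iptables-restore < /etc/iptables.conf" will find it.
persist_rules() {
    "$IPT_SAVE" > "$RULES_FILE"
}

apply_all() {
    enable_forwarding
    nat_outbound
    dnat_port 25 10.0.10.11   # SMTP to keyjey's mail guest
    dnat_port 80 10.0.0.2     # HTTP to the web guest from Myatu's example
    persist_rules
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

Usage: `sh nat.sh apply` on the host, after which `iptables -t nat -L PREROUTING -v -n` shows a hit counter next to each DNAT rule; if that counter stays at zero while `tcpdump -ni eth0 port 25` shows the SYNs arriving, the rule is not matching and the first thing to compare is the `-i` interface and the `-d` address, not the guest. `IPT=echo SYSCTL=echo IPT_SAVE=echo RULES_FILE=/dev/null sh nat.sh apply` prints the rules instead of loading them, which is a cheap way to review the ruleset before touching a remote host you cannot console into.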

brgroup
15-03-2010, 06:48
Hi,
I've been trying to figure this one out for a bit and can't seem to get it right. On a client's EG-Best OF, we're using an untouched ProxMox network install running fine using Debian KVM installs, with my failover IPs using Virtual Mac addresses bridged over vmbr0.

We also need two more KVM Debian VPSes that will share the host IP via NAT, both running FTP and web services.

Here's our interface file:
Code:
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address  MY.HO.ST.IP
        netmask  255.255.255.0
        gateway  MY.HO.ST.254
        broadcast  MY.HO.ST.255
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        network MY.HO.ST.0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports dummy0
        bridge_stp off
        bridge_fd 0
        post-up /etc/pve/kvm-networking.sh
Question is, what would be the best way to configure the NAT side, hopefully without having to resort to proxy_arp or DNAT forwarding?

Should I create a vmbr2 and bridge it to eth0 as above but using 10.0.0.0/8, and then run Shorewall against the VMs generated on vmbr2? i.e. Myatu's or Montana Linux's Shorewall setups.

I know there's a simple solution, but I'm having a hard time figuring it out. Thanks in advance for any help.