Hi. I have strange behaviour of iptables nat. I use several kvm instances on my host machine in the following configuration:

INET <-- (eth0)[host](tap0) <-- [kvm1] <-- [kvm2]

another view:

        INET
         ^
         |
  192.168.0.178/24
       [host]
  192.168.100.2/24
         ^
         |
  192.168.100.1/24
       [kvm1]
  192.168.200.1/24
         ^
         |
  192.168.200.2/24
       [kvm2]

host has the following configuration:

host:~# iptables -V
iptables v1.4.10
host:~# uname -r
2.6.36.3-kvm64
host:~# cat /etc/issue
Debian GNU/Linux 5.0 \n \l
host:~# cat /proc/sys/net/ipv4/ip_forward
1
host:~# iptables-save
# Generated by iptables-save v1.4.10 on Thu Feb 3 15:53:45 2011
*nat
:PREROUTING ACCEPT [158:19117]
:INPUT ACCEPT [142:17947]
:OUTPUT ACCEPT [1273:77619]
:POSTROUTING ACCEPT [23:1515]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 3 15:53:45 2011
# Generated by iptables-save v1.4.10 on Thu Feb 3 15:53:45 2011
*filter
:INPUT ACCEPT [41870:22423799]
:FORWARD ACCEPT [1111:78128]
:OUTPUT ACCEPT [40741:4677024]
COMMIT
# Completed on Thu Feb 3 15:53:45 2011
host:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1c:23:9f:8f:7a brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.178/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::21c:23ff:fe9f:8f7a/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:1c:26:ac:50:fd brd ff:ff:ff:ff:ff:ff
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 86:15:91:d2:a7:dd brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.2/24 scope global tap0
    inet6 fe80::8415:91ff:fed2:a7dd/64 scope link
       valid_lft forever preferred_lft forever
5: tap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 8e:ab:8b:d0:3e:bd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8cab:8bff:fed0:3ebd/64 scope link
       valid_lft forever preferred_lft forever
10: tap4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5823:72ff:fed4:412f/64 scope link
       valid_lft forever preferred_lft forever
12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5823:72ff:fed4:412f/64 scope link
       valid_lft forever preferred_lft forever
host:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.5a2372d4412f       no              tap2
                                                        tap4

kvm1 links with host through tap0 and with kvm2 through tap2 (br0). kvm2 links with kvm1 through tap4 (br0).

kvm1 configuration:

kvm1:~# cat /proc/sys/net/ipv4/ip_forward
1
kvm1:~# iptables-save
iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
kvm1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 54:52:00:12:34:57 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.1/24 brd 192.168.200.255 scope global eth1
    inet6 fe80::5652:ff:fe12:3457/64 scope link
       valid_lft forever preferred_lft forever
kvm1:~# ip rou
192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.1
default via 192.168.100.2 dev eth0

kvm2 configuration:

kvm2:~# iptables-save
iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
kvm2:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 54:52:00:12:34:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.200.2/24 brd 192.168.200.255 scope global eth0
    inet6 fe80::5652:ff:fe12:3460/64 scope link
       valid_lft forever preferred_lft forever
kvm2:~# ip rou
192.168.200.0/24 dev eth0  proto kernel  scope link  src 192.168.200.2
default via 192.168.200.1 dev eth0

When I ping from kvm1 everything is ok:

host:~# grep 192.168.100.1 /proc/net/ip_conntrack
icmp     1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2

But when I ping from kvm2 the packets are not NATed:

host:~# grep 192.168.200.2 /proc/net/ip_conntrack
icmp     1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2

I use accounting rules and see that packets from 192.168.200.2 don't reach the nat POSTROUTING chain:

~# iptables-save -c
# Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
*mangle
:PREROUTING ACCEPT [32:2252]
:INPUT ACCEPT [2:152]
:FORWARD ACCEPT [20:1400]
:OUTPUT ACCEPT [1:45]
:POSTROUTING ACCEPT [21:1445]
[10:840] -A FORWARD -s 192.168.200.2/32
COMMIT
# Completed on Thu Feb 3 16:24:09 2011
# Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
*nat
:PREROUTING ACCEPT [2:196]
:INPUT ACCEPT [1:112]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [1:84]
[0:0] -A POSTROUTING -s 192.168.200.2/32 -o eth0 -j MASQUERADE
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 3 16:24:09 2011
# Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [20:1400]
:OUTPUT ACCEPT [0:0]
[10:840] -A FORWARD -s 192.168.200.2/32
COMMIT
# Completed on Thu Feb 3 16:24:09 2011

I tried 2.6.32.28 with the same result :-(. Any ideas? Thanks.

--
Archive: http://lists.debian.org/20110203132629.GA9723@debian
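The two /proc/net/ip_conntrack lines in the post already tell the story: for the kvm1 flow the reply tuple's dst is the host's eth0 address (SNAT applied), for the kvm2 flow it is still 192.168.200.2 (no SNAT). The script below is an added example, not code from the post or from Debian; it parses conntrack lines in that format and flags flows from internal prefixes that left the box without source NAT. The sample entries are the two lines from the post; the internal prefixes are an assumption taken from the diagram.

```python
import ipaddress

# The two ip_conntrack lines quoted in the post (constructed sample input).
SAMPLE_CONNTRACK = """\
icmp 1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2
icmp 1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2
"""

# Networks behind the NAT box (assumption taken from the diagram in the post).
INTERNAL_PREFIXES = ["192.168.100.0/24", "192.168.200.0/24"]


def parse_conntrack_line(line):
    """Split one /proc/net/ip_conntrack line into proto, timeout, flags and tuples.

    The first src=/dst= pair is the original direction, the second is the
    reply direction as conntrack expects to see it (after any NAT).
    """
    fields = line.split()
    flags = [f.strip("[]") for f in fields if f.startswith("[") and f.endswith("]")]
    kv = [f.split("=", 1) for f in fields if "=" in f]
    srcs = [v for k, v in kv if k == "src"]
    dsts = [v for k, v in kv if k == "dst"]
    if len(srcs) != 2 or len(dsts) != 2:
        raise ValueError("not a conntrack entry: " + line)
    return {
        "proto": fields[0],
        "timeout": int(fields[2]),
        "flags": flags,
        "orig": (srcs[0], dsts[0]),
        "reply": (srcs[1], dsts[1]),
    }


def snat_applied(entry):
    """Source NAT happened iff replies are addressed to something other than the original src."""
    return entry["reply"][1] != entry["orig"][0]


def find_unnatted(text, internal_prefixes):
    """Return (orig_src, orig_dst) of flows from internal prefixes that left without SNAT."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]
    leaks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_conntrack_line(line)
        src = ipaddress.ip_address(entry["orig"][0])
        if any(src in n for n in nets) and not snat_applied(entry):
            leaks.append(entry["orig"])
    return leaks
```

Run it against a live box with `find_unnatted(open("/proc/net/ip_conntrack").read(), INTERNAL_PREFIXES)`; an entry that shows up there will never be revisited by the nat table, since nat rules only see the first packet of a flow, so the stale entry has to expire or be flushed before a corrected MASQUERADE rule takes effect.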