Sorry. I forgot about routes on the host machine:

host:~# ip rou
192.168.100.0/24 dev tap0  proto kernel  scope link  src 192.168.100.2
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
192.168.200.0/24 via 192.168.100.1 dev tap0
default via 192.168.0.1 dev eth0

On Thu, Feb 03, 2011 at 04:26:29PM +0300, Oleg wrote:
> Hi.
>
> I have a strange behaviour of iptables nat. I use several kvm instances on
> my host machine in the following configuration:
>
>
> INET <-- (eth0)[host](tap0) <-- [kvm1] <-- [kvm2]
>
> another view:
>
>        INET
>         ^
>         |
> 192.168.0.178/24
>       [host]
> 192.168.100.2/24
>         ^
>         |
> 192.168.100.1/24
>       [kvm1]
> 192.168.200.1/24
>         ^
>         |
> 192.168.200.2/24
>       [kvm2]
>
>
> host has the following configuration:
>
> host:~# iptables -V
> iptables v1.4.10
> host:~# uname -r
> 2.6.36.3-kvm64
> host:~# cat /etc/issue
> Debian GNU/Linux 5.0 \n \l
>
> host:~# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> host:~# iptables-save
> # Generated by iptables-save v1.4.10 on Thu Feb 3 15:53:45 2011
> *nat
> :PREROUTING ACCEPT [158:19117]
> :INPUT ACCEPT [142:17947]
> :OUTPUT ACCEPT [1273:77619]
> :POSTROUTING ACCEPT [23:1515]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Feb 3 15:53:45 2011
> # Generated by iptables-save v1.4.10 on Thu Feb 3 15:53:45 2011
> *filter
> :INPUT ACCEPT [41870:22423799]
> :FORWARD ACCEPT [1111:78128]
> :OUTPUT ACCEPT [40741:4677024]
> COMMIT
> # Completed on Thu Feb 3 15:53:45 2011
>
> host:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:1c:23:9f:8f:7a brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.178/24 brd 192.168.0.255 scope global eth0
>     inet6 fe80::21c:23ff:fe9f:8f7a/64 scope link
>        valid_lft forever preferred_lft forever
> 3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>     link/ether 00:1c:26:ac:50:fd brd ff:ff:ff:ff:ff:ff
> 4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>     link/ether 86:15:91:d2:a7:dd brd ff:ff:ff:ff:ff:ff
>     inet 192.168.100.2/24 scope global tap0
>     inet6 fe80::8415:91ff:fed2:a7dd/64 scope link
>        valid_lft forever preferred_lft forever
> 5: tap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>     link/ether 8e:ab:8b:d0:3e:bd brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::8cab:8bff:fed0:3ebd/64 scope link
>        valid_lft forever preferred_lft forever
> 10: tap4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
>     link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::5823:72ff:fed4:412f/64 scope link
>        valid_lft forever preferred_lft forever
> 12: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
>     link/ether 5a:23:72:d4:41:2f brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::5823:72ff:fed4:412f/64 scope link
>        valid_lft forever preferred_lft forever
>
> host:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.5a2372d4412f       no              tap2
>                                                         tap4
>
> kvm1 links to the host through tap0 and to kvm2 through tap2 (br0). kvm2 links
> to kvm1 through tap4 (br0).
>
> kvm1 configuration:
>
> kvm1:~# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> kvm1:~# iptables-save
> iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
>
> kvm1:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.100.1/24 brd 192.168.100.255 scope global eth0
>     inet6 fe80::5054:ff:fe12:3456/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 54:52:00:12:34:57 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.200.1/24 brd 192.168.200.255 scope global eth1
>     inet6 fe80::5652:ff:fe12:3457/64 scope link
>        valid_lft forever preferred_lft forever
>
> kvm1:~# ip rou
> 192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.1
> 192.168.200.0/24 dev eth1  proto kernel  scope link  src 192.168.200.1
> default via 192.168.100.2 dev eth0
>
>
> kvm2 configuration:
>
> kvm2:~# iptables-save
> iptables-save v1.4.2: Unable to open /proc/net/ip_tables_names: No such file or directory
>
> kvm2:~# ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
>     link/ether 54:52:00:12:34:60 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.200.2/24 brd 192.168.200.255 scope global eth0
>     inet6 fe80::5652:ff:fe12:3460/64 scope link
>        valid_lft forever preferred_lft forever
>
> kvm2:~# ip rou
> 192.168.200.0/24 dev eth0  proto kernel  scope link  src 192.168.200.2
> default via 192.168.200.1 dev eth0
>
>
> When I ping from kvm1 everything is ok:
>
> host:~# grep 192.168.100.1 /proc/net/ip_conntrack
> icmp     1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2
>
> But when I ping from kvm2 the packets are not NATed:
>
> host:~# grep 192.168.200.2 /proc/net/ip_conntrack
> icmp     1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2
>
> I use accounting rules and see that packets from 192.168.200.2 don't reach
> the nat POSTROUTING chain:
>
> ~# iptables-save -c
> # Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
> *mangle
> :PREROUTING ACCEPT [32:2252]
> :INPUT ACCEPT [2:152]
> :FORWARD ACCEPT [20:1400]
> :OUTPUT ACCEPT [1:45]
> :POSTROUTING ACCEPT [21:1445]
> [10:840] -A FORWARD -s 192.168.200.2/32
> COMMIT
> # Completed on Thu Feb 3 16:24:09 2011
> # Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
> *nat
> :PREROUTING ACCEPT [2:196]
> :INPUT ACCEPT [1:112]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [1:84]
> [0:0] -A POSTROUTING -s 192.168.200.2/32 -o eth0 -j MASQUERADE
> [0:0] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Feb 3 16:24:09 2011
> # Generated by iptables-save v1.4.10 on Thu Feb 3 16:24:09 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [20:1400]
> :OUTPUT ACCEPT [0:0]
> [10:840] -A FORWARD -s 192.168.200.2/32
> COMMIT
> # Completed on Thu Feb 3 16:24:09 2011
>
>
> I tried 2.6.32.28 with the same result :-(.
> Any ideas?
>
> Thanks.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20110203132629.GA9723@debian


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110204124239.GA7660@debian
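The check Oleg did by hand above (grep /proc/net/ip_conntrack and compare the reply tuple's dst with the host's external address) can be automated. The following is an added example, not code from the thread or from Debian: it parses the old-style /proc/net/ip_conntrack line format shown in the quoted mail, and reports flows from the internal networks whose reply tuple is still addressed to the private source, which is exactly what an [UNREPLIED] entry without MASQUERADE looks like. The two sample lines are the ones quoted above, embedded as constructed input so the script runs offline; the network list and external address are taken from the thread's topology, and `load_conntrack` is a small hypothetical helper for reading the real file on a host that still has it.

```python
import ipaddress

# Constructed sample input: the two /proc/net/ip_conntrack entries quoted in
# the thread (kvm1's ping, which was masqueraded, and kvm2's, which was not).
SAMPLE_CONNTRACK = """\
icmp     1 19 src=192.168.100.1 dst=8.8.8.8 type=8 code=0 id=20486 src=8.8.8.8 dst=192.168.0.178 type=0 code=0 id=20486 mark=0 secmark=0 use=2
icmp     1 22 src=192.168.200.2 dst=8.8.8.8 type=8 code=0 id=62469 [UNREPLIED] src=8.8.8.8 dst=192.168.200.2 type=0 code=0 id=62469 mark=0 secmark=0 use=2
"""

# Keys that belong to the original/reply tuples; everything else is metadata.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def parse_entry(line):
    """Parse one ip_conntrack line into proto, original tuple, reply tuple,
    bracketed flags ([UNREPLIED], [ASSURED]) and trailing metadata."""
    tokens = line.split()
    entry = {"proto": tokens[0], "orig": {}, "reply": {},
             "flags": [], "meta": {}, "state": None}
    # tokens[1] is the protocol number and tokens[2] the timeout; TCP entries
    # also carry a bare state word (e.g. ESTABLISHED) before the first src=.
    side = "orig"
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            entry["state"] = tok
            continue
        if key in TUPLE_KEYS:
            # The second src= begins the reply tuple.
            if key == "src" and entry["orig"]:
                side = "reply"
            entry[side][key] = value
        else:
            entry["meta"][key] = value
    return entry


def is_masqueraded(entry, external_ip):
    """MASQUERADE took effect if replies are addressed to the external
    address instead of the internal source."""
    return entry["reply"].get("dst") == external_ip


def find_unnatted_flows(conntrack_text, internal_nets, external_ip):
    """Return entries whose original source lies in one of internal_nets but
    whose reply tuple still targets the private address, i.e. flows that
    entered conntrack without the nat POSTROUTING rule being applied."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for line in conntrack_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        src = entry["orig"].get("src")
        if src is None:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in nets):
            continue
        if not is_masqueraded(entry, external_ip):
            hits.append(entry)
    return hits


def report(conntrack_text, internal_nets, external_ip):
    """Human-readable lines, one per flow that was not masqueraded."""
    out = []
    for e in find_unnatted_flows(conntrack_text, internal_nets, external_ip):
        out.append("%s %s -> %s not masqueraded (reply dst=%s, flags=%s)" % (
            e["proto"], e["orig"]["src"], e["orig"]["dst"],
            e["reply"].get("dst"), ",".join(e["flags"]) or "-"))
    return out


def load_conntrack(path="/proc/net/ip_conntrack"):
    """Hypothetical helper: read the live table on a host that still exposes
    the legacy file (newer kernels use /proc/net/nf_conntrack or conntrack -L)."""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    # Topology from the thread: two guest networks behind host address 192.168.0.178.
    for line in report(SAMPLE_CONNTRACK,
                       ["192.168.100.0/24", "192.168.200.0/24"],
                       "192.168.0.178"):
        print(line)
```

A flow that shows up here while the matching nat POSTROUTING counter stays at zero tells you the conntrack entry was created somewhere the MASQUERADE rule did not see it; since NAT decisions are made only on a connection's first packet, later packets of that flow can no longer be translated, so the next step is to find which path on the host saw that first packet.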