Hello,

berenger.mo...@neutralite.org wrote:
> I am trying to build a virtual network exposing servers accessible from
> the LAN.
[...]
> So I ask for 2 things:
> _ help on this particular problem
> _ if someone knows about resources to learn and understand how exactly
> iptables work, this would help me a lot in the future

- Oskar Andreasson's iptables tutorial.
- netfilter and iptables articles in Wikipedia.

> For my particular problem.
>
> I have an eth0 interface, the real one, on ip 172.20.14.0/24.
> I made a vlan in my /etc/network/interfaces, like this:
> ##############################
> auto eth0.1
> iface eth0.1 inet static
> address 10.10.10.1
> netmask 255.255.255.0
> vlan-raw-device eth0
> ##############################

What is the purpose of this VLAN?

> In fact, I used the package vlan and some configuration inside
> /etc/network/interfaces of the host to have the host having a virtual
> second ethernet connection, on which the VMs are connected.
> In fact, there are 2 LANs, with the host computer being the
> router.

A VLAN interface is not a virtual ethernet interface for communicating
with VMs. It is a sub-interface which transmits and receives ethernet
frames with a given IEEE 802.1Q tag. Usually the VM managers such as
VirtualBox create their own virtual interface(s) on the host to
communicate with the VMs.

> On that network, I have some VMs with static IPs, and the one on which
> I try to make the configuration for testing and learning purposes has an
> apache2 server running and up (I can query it from my physical
> computer). It is using 2 network interfaces, a NAT one and a bridged
> one, but for the others I would like to remove the NAT one, since I need
> them to simulate the production servers (which are VMs too, but my
> company does not control the system on which they are running. Otherwise
> it would have been far easier: I would have read how it is done to
> understand things) which only have one interface (eth0).
>
> Both LANs (the physical one and the virtual one) work perfectly, but
> now I would like to allow 2 things:
> _ VMs to access the physical LAN, so that they could access the apt
> proxy I have installed there for installing software and updates

- Enable IP forwarding on the host acting as a router.

# sysctl -w net.ipv4.ip_forward=1

- Presumably, you need to masquerade forwarded packets from VMs to the
physical LAN if the physical hosts or their router doesn't have a route
to your virtual LAN.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> _ physical computers accessing VMs through some ports of my computer.
> For example, redirecting "172.20.14.XX:80" to "10.10.10.30:80". I will
> do that port forwarding for ssh (port 22), http (port 80) and
> postgresql (port 5432) connections to begin with.

- You need port forwarding only if the physical hosts or their router
doesn't have a route to your virtual LAN.

# iptables -t nat -A PREROUTING -i eth0 -d 172.20.14.XX \
    -p tcp --dport 80 -j DNAT --to 10.10.10.30

(and so on for each port)

> And to add to the fun, I remember having discovered after several hours
> last week that the port forwarding rules I built did not allow the
> host computer to access the VM, at least, not when asking on the host's
> IP (aka 172.20.14.XX).

- For this you need to do the port forwarding on locally generated packets.

# iptables -t nat -A OUTPUT -d 172.20.14.XX -p tcp --dport 80 \
    -j DNAT --to 10.10.10.30

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/53866aa0.2070...@plouf.fr.eu.org
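The rules from the reply above, put together as an added example that is not from the original thread: the functions print the nat rules for a list of ports (PREROUTING for LAN clients, OUTPUT for the host's own connections, MASQUERADE outbound) and a FORWARD policy that only lets the published ports through, since with ip_forward=1 and the default ACCEPT policy the host would route anything between the two LANs. 172.20.14.XX is the poster's placeholder for the host's LAN address; vmbr0 is an assumed name for the host-side interface the VM manager created.

```shell
#!/bin/sh
# Added example, not from the original thread. Prints iptables commands for the
# setup discussed above; pipe the output into "sh" as root to apply them.
# 172.20.14.XX is the poster's placeholder for the host's LAN address.
# vmbr0 is an assumed name for the host-side interface the VM manager created.

LAN_IF=eth0
VM_IF=vmbr0
VM_NET=10.10.10.0/24
HOST_LAN_IP=172.20.14.XX
VM_IP=10.10.10.30
PORTS="22 80 5432"   # ssh, http, postgresql as in the thread

# NAT rules: usage nat_rules <host_lan_ip> <vm_ip> <port>...
nat_rules() {
    host_ip=$1; vm_ip=$2; shift 2
    # Forwarded VM -> LAN traffic leaves with the host's own address.
    echo "iptables -t nat -A POSTROUTING -s $VM_NET -o $LAN_IF -j MASQUERADE"
    for p in "$@"; do
        # LAN hosts connecting to host_ip:p are redirected to the VM.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -d $host_ip -p tcp --dport $p -j DNAT --to-destination $vm_ip:$p"
        # The host's own connections never traverse PREROUTING; they need nat OUTPUT.
        echo "iptables -t nat -A OUTPUT -d $host_ip -p tcp --dport $p -j DNAT --to-destination $vm_ip:$p"
    done
}

# FORWARD rules: usage filter_rules <vm_ip> <port>...
# With ip_forward=1 and the default ACCEPT policy the host routes anything between
# both LANs, so only allow the published ports inbound plus established flows.
filter_rules() {
    vm_ip=$1; shift
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $VM_IF -o $LAN_IF -s $VM_NET -j ACCEPT"
    for p in "$@"; do
        # DNAT has already rewritten the destination when FORWARD sees the packet.
        echo "iptables -A FORWARD -i $LAN_IF -o $VM_IF -d $vm_ip -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

all_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    nat_rules "$HOST_LAN_IP" "$VM_IP" $PORTS   # unquoted: one port per argument
    filter_rules "$VM_IP" $PORTS
}
```

Review the output of all_rules first, then apply it with all_rules | sh as root; the rules are appended, so flush the nat and filter chains before re-running.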