[Firewall] NAT forward issue

Emmanuel Revah stsil at manurevah.com
Tue May 21 18:05:54 CEST 2013


Hi,


I have a hard to explain situation, in short I have a server that hosts 
virtual machines, it has arno-iptables-firewall. I just upgraded from 
the distro's version of it to the latest one, 2.0.1d. The host has a few 
forwarding rules to run services on VMs that only have LAN IPs. There 
are also VMs with public IPs.

The problem is when a VM with a public IP wants to reach an external 
server using any port that has been configured on the host to be 
forwarded to the LAN. There are no issues for all other ports.


For a hopefully clearer picture with the example using port 80:


Host server [Public_IP_1 + LAN_IP_1]
NAT_FORWARD_TCP  80>10.0.0.10



Guest server 1 [Public_IP_2 + LAN_IP_2]
- This machine can reach Public_IP_1 80 (it is redirected to 10.0.0.10) 
- connection hangs a bit
- This machine can reach 10.0.0.10 80
- This machine can NOT reach Some_Other_Public_IP_1 80, instead this is 
redirected to 10.0.0.10 by the host <- this is the problem
- In most cases traffic appears to come from Public_IP_2 (except for LAN 
connection)



Guest server 2 [LAN_IP_3]
- This machine can reach Public_IP_1 80 (it is redirected to 10.0.0.10)
- This machine can reach 10.0.0.10 80
- This machine can reach Some_Other_Public_IP_1 80
- In all cases traffic appears to come from Public_IP_1 (except for LAN 
connection)


I have "Guest server 3" which only has a public IP and has the same 
issues as Guest 1 (except that it's not on the LAN).



If anyone knows what I might be doing wrong or has any other clues it would be 
greatly appreciated.





-- 
Emmanuel Revah
http://manurevah.com
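The symptom above (a bridged guest's outbound port-80 traffic being DNATed to 10.0.0.10) is what an unscoped PREROUTING DNAT rule produces when guests with public IPs share the host's external interface or bridge and bridge-nf-call-iptables is enabled: the rule matches on inbound interface and destination port only, so any port-80 packet the host forwards is rewritten, not just those addressed to Public_IP_1. The script below is an added illustration written for this thread, not arno-iptables-firewall's own rule set (its NAT_FORWARD_TCP syntax is not reproduced). It prints the broad rule beside a version scoped with `-d` to the host's public address, and applies only the scoped one when run with `--apply`. EXT_IF=eth0 and PUBLIC_IP_1=203.0.113.1 are assumed placeholder values; 10.0.0.10 and port 80 come from the post.

```shell
#!/bin/sh
# Added example for the NAT forward discussion; not the project's own code.
# Assumed placeholders: EXT_IF, PUBLIC_IP_1 (203.0.113.1 is a documentation
# address). LAN target and port are taken from the post.
EXT_IF="${EXT_IF:-eth0}"
PUBLIC_IP_1="${PUBLIC_IP_1:-203.0.113.1}"
LAN_TARGET="10.0.0.10"
PORT="80"

# Broad rule: matches every TCP/80 packet entering EXT_IF regardless of
# destination. With bridge netfilter on, a bridged guest's outbound web
# traffic enters EXT_IF too and gets redirected to the LAN host.
broad_dnat_rule() {
  printf '%s\n' "-t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $LAN_TARGET:$PORT"
}

# Scoped rule: only packets actually addressed to the host's public IP are
# rewritten; traffic bound for other public addresses passes untouched.
scoped_dnat_rule() {
  printf '%s\n' "-t nat -A PREROUTING -i $EXT_IF -d $PUBLIC_IP_1 -p tcp --dport $PORT -j DNAT --to-destination $LAN_TARGET:$PORT"
}

# Returns 0 when a rule text carries a destination match (" -d "), else 1.
# Useful when auditing an existing PREROUTING chain dumped with
# 'iptables -t nat -S PREROUTING'.
rule_is_scoped() {
  case " $1 " in
    *" -d "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reports whether bridged frames are passed through iptables on this host;
# prints "unavailable" when the sysctl does not exist (no bridge module).
bridge_nf_status() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Applying requires root; the default is a dry run so the rules can be
# reviewed first.
if [ "${1:-}" = "--apply" ]; then
  # shellcheck disable=SC2046  # word splitting of the rule is intended here
  iptables $(scoped_dnat_rule)
else
  echo "broad : iptables $(broad_dnat_rule)"
  echo "scoped: iptables $(scoped_dnat_rule)"
  echo "bridge-nf-call-iptables: $(bridge_nf_status)"
  echo "check : iptables -t nat -vnL PREROUTING --line-numbers"
fi
```

The packet counters shown by `iptables -t nat -vnL PREROUTING` confirm the diagnosis: if the DNAT rule's counter increments while a public-IP guest opens an outbound port-80 connection, that rule is catching the guest's traffic.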


