Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
xen on a router, iptables help needed [solved]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
qubix
Tux's lil' helper
Tux's lil' helper


Joined: 22 Sep 2003
Posts: 140
Location: Warsaw/Poland

PostPosted: Wed Feb 29, 2012 9:42 am    Post subject: xen on a router, iptables help needed [solved] Reply with quote

I have tried and tried and think that there is some obvious crazy detail I've missed below that I'm not able to spot. I don't believe that there is a bug.

I have a PC-router, that I thought is powerfull enough to run the mail/web/ssh/squid serwer on a xen virtual machine. The router bit is done on dom0. And I've started migrating it from 192.168.67.2 and .3 to 192.168.68.5 and .6, from a physical box to a xen domain. Below you can find the net config summary, ip routes (as I have 2 net connections) and iptables-save dump. There are two tricky parts: the ip routes stuff chooses the WAN connection basing on local IP address (so if I use 192.168.68.5 on the xen domU it goes out through WAN-TP, and through WAN-ACN if 192.168.68.6 is used) and takes care of the inbound traffic from the Internet, so it is routed correctly on it's way back. Also the xen bridge is on a dummy interface.

So the thing is, that the hosts on eth[0-4] work exactly as I want them. Traffic between the networks works, from and to the Internet as well. The iptables are a bit messy, as those have been in use and under constant modifications since 2003/2004 i suppose. I've started adding rules for the xen host on the 192.168.68.0/24 network and I ran into problems.

From the XEN domU I can:
- connect to the Internet as described below,
- SSH to the hosts in the DMZ
- SSH from the hosts in the DMZ

I cannot and would wish to with the XEN domU:
- SSH from the LAN
- SSH to the LAN (for testing, I'll change it to other services like SNMP)
- use the squid on the XEN domU from within the LAN
- access SSH on the domU from the Internet, just like it is done on the DMZ host.

Strangely, I can SSH from 192.168.0.0/24 to 192.168.68.1 (the IP of the router), so the routing works. There must be something in the iptables that I've missed.

Any help/suggestions are welcome.

Code:

##### net config

eth0   LAN      192.168.0.0/24 +alias 192.168.1.0/24
eth1   DMZ      192.168.67.0/24, hosts on .2, .3
eth2   WAN-TP   83.16.85.XX with 83.16.85.netaddr (net address) and 83.16.85.gwaddr (gw address)
eth3   WAN-ACN   62.121.121.YY
dummy0   DMZ with a bridge for XEN domUs   192.168.68.0/24, hosts on .2, .5, .6

#####     ip routes (always run at startup):

ip route add default via 62.121.123.254 table acn
ip route add default via 83.16.85.gwaddr table tpsa
ip route add 83.16.85.netaddr dev eth2 src 83.16.85.XX table tpsa
ip route add 62.121.120.0 dev eth3 src 62.121.121.YY table acn
ip route add 83.16.85.netaddr dev eth2 src 83.16.85.XX
ip route add 62.121.120.0 dev eth3 src 62.121.121.YY
ip route add default via 83.16.85.gwaddr

ip rule add from 83.16.85.XX table tpsa
ip rule add from 62.121.121.YY table acn

ip route add 192.168.0.0/24 dev eth0 table tpsa
ip route add 192.168.0.0/24 dev eth0 table acn
ip route add 192.168.1.0/24 dev eth0 table tpsa
ip route add 192.168.1.0/24 dev eth0 table acn
ip route add 192.168.67.2 dev eth1 table tpsa
ip route add 192.168.67.2 dev eth1 table acn
ip route add 127.0.0.0/8 dev lo   table tpsa
ip route add 127.0.0.0/8 dev lo   table acn
ip route add 83.16.85.netaddr dev eth2 table acn
ip route add 62.121.120.0 dev eth3  table tpsa


ip rule add from 192.168.0.0/24 table acn
ip rule add from 192.168.1.0/24 table acn
ip rule add from 192.168.67.3 table acn
ip rule add from 192.168.68.6 table acn


##### iptables-save
# Generated by iptables-save v1.4.8 on Wed Feb 29 10:18:50 2012
*nat
:PREROUTING ACCEPT [69390:6031314]
:POSTROUTING ACCEPT [35727:2279599]
:OUTPUT ACCEPT [296:21414]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.67.2:8022
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.67.2:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.67.2:53
-A PREROUTING -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.67.2:25
-A PREROUTING -i eth2 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.67.2:995
-A PREROUTING -s 192.168.0.0/24 -d 83.16.85.XX/32 -i eth0 -j DNAT --to-destination 192.168.67.2
-A PREROUTING -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.67.2:53
-A PREROUTING -i eth2 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.67.2:993
-A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.67.2:8022
-A PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.67.3:80
-A PREROUTING -i eth3 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.67.3:8022
-A PREROUTING -i eth3 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.67.3:53
-A PREROUTING -i eth3 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.67.3:53
-A PREROUTING -i eth3 -p tcp -m tcp --dport 63392 -j DNAT --to-destination 192.168.67.3:63392
-A PREROUTING -i eth3 -p udp -m udp --dport 63392 -j DNAT --to-destination 192.168.67.3:63392
-A PREROUTING -s 192.168.0.0/24 -d 62.121.121.YY/32 -i eth0 -j DNAT --to-destination 192.168.67.2
-A PREROUTING ! -s 192.168.67.2/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.67.2:3128
-A PREROUTING -i eth3 -p tcp -m tcp --dport 8023 -j DNAT --to-destination 192.168.68.6:22
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8023 -j DNAT --to-destination 192.168.68.5:22
-A POSTROUTING -s 192.168.67.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.67.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.68.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.68.0/24 -o eth2 -j MASQUERADE
COMMIT
# Completed on Wed Feb 29 10:18:50 2012
# Generated by iptables-save v1.4.8 on Wed Feb 29 10:18:50 2012
*filter
:INPUT DROP [4457:1042803]
:FORWARD DROP [1588:121918]
:OUTPUT ACCEPT [1365:197959]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 83.17.253.82/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p tcp -m tcp --dport 162 -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -s 62.121.126.29/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 31.11.179.242/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.68.0/24 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 8022 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.67.0/24 -d 192.168.1.0/24 -j DROP
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.67.2/32 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.101/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.100/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.0/24 ! -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -s 192.168.0.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.10/32 -j ACCEPT
-A FORWARD -s 192.168.0.79/32 -j ACCEPT
-A FORWARD -s 192.168.0.43/32 -j ACCEPT
-A FORWARD -s 192.168.0.4/32 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 8022 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.100/32 -j ACCEPT
-A FORWARD -s 192.168.0.101/32 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p udp -m udp --dport 63392 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 63392 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p udp -m udp --dport 873 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.67.2/32 -i eth0 -o eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -d 91.197.13.0/24 -j DROP
-A FORWARD -s 192.168.0.0/24 ! -d 91.197.13.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 3389 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 23389 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 23389 -j ACCEPT
-A FORWARD -s 192.168.0.89/32 -j ACCEPT
-A FORWARD -s 192.168.0.95/32 -j ACCEPT
-A FORWARD -s 192.168.0.69/32 -j ACCEPT
-A FORWARD -s 192.168.0.80/32 -j ACCEPT
-A FORWARD -s 192.168.0.70/32 -j ACCEPT
-A FORWARD -s 192.168.0.60/32 -j ACCEPT
-A FORWARD -s 192.168.0.53/32 -j ACCEPT
-A FORWARD -s 192.168.0.67/32 -j ACCEPT
-A FORWARD -s 192.168.0.41/32 -j ACCEPT
-A FORWARD -s 192.168.0.81/32 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.132/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.33/32 -j ACCEPT
-A FORWARD -s 192.168.0.99/32 -j ACCEPT
-A FORWARD -s 192.168.0.144/32 -d 62.121.128.20/32 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.144/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.0/24 -d 192.168.0.0/24 -j DROP
-A FORWARD -s 192.168.0.0/24 -d 192.168.68.0/24 -j ACCEPT
-A FORWARD -s 192.168.68.5/32 -d 192.168.0.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.68.5/32 -d 192.168.0.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.68.0/24 -j ACCEPT
-A FORWARD -s 192.168.68.2/32 -d 192.168.0.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Feb 29 10:18:50 2012

_________________
qubix


Last edited by qubix on Thu Mar 01, 2012 12:45 am; edited 1 time in total
Back to top
View user's profile Send private message
qubix
Tux's lil' helper
Tux's lil' helper


Joined: 22 Sep 2003
Posts: 140
Location: Warsaw/Poland

PostPosted: Thu Mar 01, 2012 12:44 am    Post subject: Reply with quote

ok, solved.

things missing:
Code:

ip route add 192.168.68.0/24 dev dummy0 table tpsa
ip route add 192.168.68.0/24 dev dummy0 table acn


and FORWARD ACCEPT for packets comming in and out of the dummy0 interface. Now I can polish it a bit, and clean up the mess. I'm motivated now. Some lines of that config remember the times when slackware used to be cool.

Strange. It seems that you need to define the interface when it comes to dummy/bridge interfaces but you don't when it comes to regular NICs.
_________________
qubix
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum