Gentoo Forums
qemu bridge to local net, local net natting to wan
Forum: Networking & Security
blubberbaer
n00b

Joined: 15 Mar 2016
Posts: 43

Posted: Fri Feb 07, 2020 12:59 pm    Post subject: qemu bridge to local net, local net natting to wan

Dear forum,

Mmmm, this is wracking my mind. I want to achieve the following:

Code:

 -----------------------------------------------
| HOST                                          |
|                                               |
|                       NAT                     |
|    eth0  <---------------------->   eth1      |
|      |                                |       |
|      |                     bridge     |       |
|      |      Virt. Guest <--------     |       |
|      |                                |       |
|      |                                |       |
-----  |------------------------------  |----
       |                                |
      WAN                            local net



On the host I would like to run a Samba AD DC. It is already up and running. A Samba file share server should run on the Virt. Guest. This is a recommendation I've found in the Samba Wiki.

What I did achieve is the following.

1) The Samba AD DC is up and running.
2) The Samba AD DC serves only the local net.
3) The natting between eth1 and eth0 is up and running.
Right now eth0 is my wlan0 interface, but it will be replaced by an eth0 interface.
4) The local net clients do have access to the WAN via natting.
5) I've installed a qemu virtual machine.


And now the trouble starts. I was able to set up a bridge between the Virtual Guest and the eth1 interface. The Virtual Guest was able to talk to the host (ping, ssh). The bridge interface got the IP which formerly belonged to the eth1 interface. The Samba AD DC could still talk to my local net clients and vice versa. One thing is not working: natting between my bridge interface and my WAN interface. I've followed the Gentoo home router guide https://wiki.gentoo.org/wiki/Home_router to set up the natting between eth0 and eth1 without the bridge interface. Since the bridge interface now gets the IP of my eth1 interface, I thought it would be as simple as setting up the iptables rules for natting between the br0 and eth0 interface.
But this didn't work.

Here comes some code. This is my network config without my Virtual Guest:

net.conf
Code:

modules_wlan0="wpa_supplicant"
wpa_supplicant_wlan0=""

config_wlan0="dhcp"
dhcpcd_wlan0="-t 20 -n --nohook ntp.conf --nohook resolv.conf --nohook hostname"

config_eth1="10.20.40.254 netmask 255.255.255.0"
routes_eth1="10.20.40.0/24 via 10.20.40.254"

# gets written to /etc/resolv.conf
#dns_servers_eth1="10.20.40.254"
#dns_search_eth0="xx.yyyy"


enable_natting_script
Code:

#!/bin/bash
 
/etc/init.d/iptables stop

# First flush our current rules
iptables -F
iptables -t nat -F

# Set the default behaviour for packets that no rule matches
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Copy these examples ...
# Interface names the rules below match on (-i/-o). LAN has to be the
# interface that actually carries the LAN address.
export LAN=eth1
export WAN=wlan0
NET="10.20.40.0/255.255.255.0"

# ntp
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

# Then restrict our services so that they only work on the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our SSH server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# (Optional) ntp forwarding
iptables -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
# (Optional) ntp forwarding
iptables -I FORWARD -p udp -m udp --dport 123 -j ACCEPT

# Drop TCP/UDP packets to privileged ports that do not come from the LAN
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the NAT rules
iptables -I FORWARD -i ${LAN} -d "${NET}" -j DROP
iptables -A FORWARD -i ${LAN} -s "${NET}" -j ACCEPT
iptables -A FORWARD -i ${WAN} -d "${NET}" -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that IP forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done


The question is: how do I integrate the Virtual Guest OS running my Samba file server into my network, which is served by the eth1 interface?


Many many thanks in advance,

blubberbaer
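One way to lay out the host-side ruleset once the LAN side is a bridge, as an added example that is not part of the original post or of the Gentoo wiki guide: a small bash script that generates an iptables-restore ruleset with the LAN variable pointing at br0 (the interface that now carries 10.20.40.254) instead of eth1, and applies it atomically. The function names (build_ruleset, rule_count, apply_ruleset) and the interface names br0/wlan0 are assumptions; 10.20.40.0/24 is the LAN from the post. Two things differ from the post's script on purpose: the INPUT policy is DROP with explicit accepts, and there is a FORWARD rule for traffic that enters and leaves on br0, because once the br_netfilter module is loaded (net.bridge.bridge-nf-call-iptables=1) frames bridged between the guest's tap and eth1 also traverse the FORWARD chain and would otherwise be eaten by the DROP policy.

```bash
#!/bin/bash
# Added example (not from the post): build and apply an iptables-restore ruleset for a
# host whose LAN side is a bridge (br0 = eth1 + the qemu guest's tap) and whose WAN side
# is masqueraded. Function and interface names are assumptions; 10.20.40.0/24 is the
# LAN network from the post.

# Emit a complete iptables-restore ruleset (nat + filter tables) to stdout.
# $1 = LAN interface (the one carrying the LAN address: br0 here, not eth1)
# $2 = WAN interface, $3 = LAN network in CIDR form
build_ruleset() {
    lan="$1"; wan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only LAN sources leaving via the WAN interface
-A POSTROUTING -s ${net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Everything arriving on the LAN side (including the bridged guest) may reach host services
-A INPUT -i ${lan} -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# (Optional) SSH from the WAN; anything else from the WAN is dropped by the INPUT policy
-A INPUT -i ${wan} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Bridged guest<->LAN frames also traverse FORWARD when br_netfilter is loaded
# (net.bridge.bridge-nf-call-iptables=1); without this rule the DROP policy eats them
-A FORWARD -i ${lan} -o ${lan} -j ACCEPT
# LAN -> WAN: only packets with a LAN source address may be NATed out
-A FORWARD -i ${lan} -o ${wan} -s ${net} -j ACCEPT
# WAN -> LAN: replies to existing connections only
-A FORWARD -i ${wan} -o ${lan} -d ${net} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of rules the generated ruleset would install (sanity check before applying)
rule_count() {
    build_ruleset "$@" | grep -c '^-A '
}

# Enable forwarding and load the ruleset atomically: iptables-restore replaces the
# tables all at once, so there is no window with a half-applied policy as there is
# with a sequence of individual iptables -A calls
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    build_ruleset "$@" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset br0 wlan0 10.20.40.0/24
fi
```

Run it as root with `--apply`, or without arguments to call `build_ruleset br0 wlan0 10.20.40.0/24` and read the generated ruleset first. The netifrc side this assumes (not shown in the post) is that eth1 is enslaved to the bridge and carries no address of its own, i.e. in /etc/conf.d/net something like `bridge_br0="eth1"`, `config_eth1="null"`, `config_br0="10.20.40.254/24"` and `rc_net_br0_need="net.eth1"`, with qemu's tap interface added to br0 by its ifup script; rules that still say `-i eth1` then match nothing, because routed packets from the LAN and the guest enter the host on br0.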