qemu bridge to local net, local net natting to wan
PostPosted: Fri Feb 07, 2020 12:59 pm    Post subject: qemu bridge to local net, local net natting to wan

Dear forum,

mmmm this is wracking my mind. I want to achieve the following thing:


| HOST                                          |
|                                               |
|                       NAT                     |
|    eth0  <--------------------- >   eth1      |
|      |                                |       |
|      |                     bridge     |       |
|      |      Virt. Guest <--------     |       |
|      |                                |       |
|      |                                |       |
-----  |------------------------------  |----
       |                                |
      WAN                            local net

On the host I would like to run a Samba ADDC. It is already up and running. A Samba fileshare server should run on the Virt. Guest. This is a recommendation I've found in the Samba Wiki.

What I did achieve is the following.

1) The Samba ADDC is up and running.
2) The Samba ADDC serves only the local net.
3) The natting between eth1 and eth0 is up and running.
Right now eth0 is my wlan0 interface, but it will be replaced by an eth0 interface.
4) The local net clients do have access to the WAN via natting.
5) I've installed a qemu virtual machine.

And now the trouble starts. I was able to set up a bridge between the Virtual Guest and the eth1 interface. The Virtual Guest was able to talk to the host (ping, ssh). The bridge interface got the IP which formerly belonged to the eth1 interface. The Samba ADDC could still talk to my local net clients and vice versa. One thing is not working: natting between my bridge interface and my WAN interface. I've followed the Gentoo home router guide to set up the natting between eth0 and eth1 without the bridge interface. Since the bridge interface now gets the IP of my eth1 interface, I thought it would be as simple as setting up the iptables rules for natting between the br0 and eth0 interface.
But this didn't work.

Here comes some code. This is my network config without my Virtual Guest:



dhcpcd_wlan0="-t 20 -n --nohook ntp.conf --nohook resolv.conf --nohook hostname"

config_eth1=" netmask"
routes_eth1=" via"

# written into /etc/resolv.conf


/etc/init.d/iptables stop

# First flush our current rules
iptables -F
iptables -t nat -F

# Set the default behaviour for packets that no rule matches
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP

# Copy these examples ...
export LAN=eth1
export WAN=wlan0
# NET must hold the LAN subnet in CIDR form. The posted script does not show
# the value, so abort with a message instead of installing rules with an empty -s/-d.
: "${NET:?NET is not set - export NET=<local subnet, e.g. 192.168.x.0/24> first}"

iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

# Then restrict our services so that they only work on the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our SSH server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# (Optional) ntp forwarding
iptables -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT
# (Optional) ntp forwarding
iptables -I FORWARD -p udp -m udp --dport 123 -j ACCEPT

# Drop TCP/UDP packets for privileged ports arriving from anywhere but the LAN
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the NAT rules
iptables -I FORWARD -i ${LAN} -d "${NET}" -j DROP
iptables -A FORWARD -i ${LAN} -s "${NET}" -j ACCEPT
iptables -A FORWARD -i ${WAN} -d "${NET}" -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that IP forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

The question is, how do I integrate the Virtual Guest OS running my Samba fileserver into my network, which is served by the eth1 interface ... ?

Many many thanks in advance,
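The script below is an added example, not the poster's configuration or the Gentoo guide's text. It takes the same rule set and moves the LAN side from eth1 to the bridge, which is the change the post is missing: once br0 owns the former eth1 address, the kernel routes LAN traffic in and out of br0, so every rule that names eth1 as the LAN interface stops matching. It assumes br0 is the bridge, wlan0 is the WAN, and a placeholder subnet in NET (replace it with your own). It goes beyond the post in two places: it accepts br0-to-br0 traffic in FORWARD, because with br_netfilter loaded and bridge-nf-call-iptables=1 frames bridged between the guest's tap and eth1 also pass the FORWARD chain and would hit the DROP policy; and it limits the WAN-to-LAN return path to established connections and masquerades only sources inside NET. It runs in dry-run mode by default, printing the commands so the rule set can be reviewed before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the poster's script): NAT and forwarding for a LAN that is
# now served by the bridge br0 instead of eth1.
# Assumptions: br0 carries the address eth1 used to have, wlan0 is the WAN,
# NET is the LAN subnet (placeholder value below, not the poster's network).
LAN="${LAN:-br0}"
WAN="${WAN:-wlan0}"
NET="${NET:-192.168.1.0/24}"   # placeholder subnet; replace with your own
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print the commands, 0 = run them (root)

# ipt: echo each iptables command so the rule set can be reviewed, and run it
# for real only when DRY_RUN=0.
ipt() {
    echo "iptables $*"
    [ "$DRY_RUN" = "1" ] || iptables "$@"
}

# bridge_nf_active: returns 0 when the kernel passes bridged IPv4 frames
# through iptables (br_netfilter loaded and bridge-nf-call-iptables=1).
bridge_nf_active() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

nat_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT ACCEPT
    ipt -P FORWARD DROP

    # Host services (AD DC, DNS, DHCP) are reachable only from the LAN side,
    # which is now the bridge, and from loopback; privileged ports are dropped
    # for anything arriving on another interface.
    ipt -I INPUT 1 -i lo -j ACCEPT
    ipt -I INPUT 1 -i "$LAN" -j ACCEPT
    ipt -A INPUT -p udp --dport bootps ! -i "$LAN" -j REJECT
    ipt -A INPUT -p udp --dport domain ! -i "$LAN" -j REJECT
    ipt -A INPUT -p tcp ! -i "$LAN" --dport 0:1023 -j DROP
    ipt -A INPUT -p udp ! -i "$LAN" --dport 0:1023 -j DROP

    # With FORWARD DROP as policy, frames bridged between the guest's tap and
    # eth1 would be dropped too once br_netfilter is active: both ends are the
    # same logical interface, so accept br0 -> br0 explicitly.
    ipt -A FORWARD -i "$LAN" -o "$LAN" -j ACCEPT

    # LAN -> WAN only for sources inside NET, WAN -> LAN only for replies to
    # existing connections, and masquerade only traffic that comes from NET.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$NET" -o "$WAN" -j MASQUERADE
}

# forwarding sysctl, printed in the same dry-run style
enable_forwarding() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    [ "$DRY_RUN" = "1" ] || sysctl -w net.ipv4.ip_forward=1
}

if bridge_nf_active; then
    echo "# br_netfilter active: bridged frames will cross the FORWARD chain"
else
    echo "# br_netfilter not active or not loaded: bridged frames bypass iptables"
fi
nat_rules
enable_forwarding
```

Review the printed rules first; when they look right, run the script again as root with DRY_RUN=0. If the guest must keep talking to LAN clients after br_netfilter is loaded (qemu/libvirt setups often load it), the br0-to-br0 FORWARD rule is the one that matters.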

