NAT with iptables to Xen DomU
I am trying to forward packets arriving on the host machine to a virtual machine. Current aim is to forward xxx.xxx.xxx.xxx:3022 to the vm 192.168.10.2:22.
I tried adding the following rules through the commandline, but without luck:
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -i routed0 --dport 3022 -j DNAT --to 192.168.10.2:22
iptables -A FORWARD -p tcp -i routed0 -d 192.168.10.2 --dport 3022 -j ACCEPT
I think this could be because of a previous rule. Here’s the output of iptables-save, including all the rules Xen has generated:
*nat
:PREROUTING ACCEPT [1299:340167]
:POSTROUTING ACCEPT [703:144619]
:OUTPUT ACCEPT [5:390]
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.10.0/24 ! -d 192.168.10.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.30.0/27 ! -d 192.168.30.0/27 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.30.0/27 ! -d 192.168.30.0/27 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.30.0/27 ! -d 192.168.30.0/27 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [2554:538140]
:FORWARD ACCEPT [105104:11434430]
:OUTPUT ACCEPT [900:115541]
-A INPUT -i nat-internal -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i nat-internal -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i nat-internal -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i nat-internal -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i nat-t1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i nat-t1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i nat-t1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i nat-t1 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i routed175 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i routed175 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i routed175 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i routed175 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif59.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif59.0 -j ACCEPT
-A FORWARD -d 192.168.10.0/24 -o nat-internal -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -i nat-internal -j ACCEPT
-A FORWARD -i nat-internal -o nat-internal -j ACCEPT
-A FORWARD -o nat-internal -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i nat-internal -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif57.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif57.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif37.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif37.0 -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 192.168.30.0/27 -i eth0 -m policy --dir in --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -s 192.168.30.0/27 -d 10.10.0.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 16385 --proto esp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif36.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif36.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif31.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif31.0 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.30.0/27 -o nat-t1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.30.0/27 -i nat-t1 -j ACCEPT
-A FORWARD -i nat-t1 -o nat-t1 -j ACCEPT
-A FORWARD -o nat-t1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i nat-t1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif18.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif18.0 -j ACCEPT
-A FORWARD -d xxx.xxx.xxx.xxx/32 -i eth0 -o routed175 -j ACCEPT
-A FORWARD -s xxx.xxx.xxx.xxx/32 -i routed175 -o eth0 -j ACCEPT
-A FORWARD -i routed175 -o routed175 -j ACCEPT
-A FORWARD -o routed175 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i routed175 -j REJECT --reject-with icmp-port-unreachable
COMMIT
Can someone point me in the right direction?
Your FORWARD rule looks weird. By the time your packet arrives to FORWARD table, it should have destination 192.168.10.2:22, but you’re testing it for 192.168.10.2:3022.
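The corrected pair of rules as a small generator script, added here as an example and not part of the question or the answer. It assumes the packets arrive on eth0 and that the DomU sits behind Xen's nat-internal interface (both appear in the dump above), and uses 203.0.113.10 as a stand-in for the redacted public address.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the two rules needed to
# publish a DomU's SSH port on the Dom0's public address.
# Assumptions (constructed): upstream interface eth0, DomU behind nat-internal,
# 203.0.113.10 (TEST-NET-3 documentation range) in place of xxx.xxx.xxx.xxx.
IPT="${IPTABLES:-iptables}"

# print_port_forward PUBLIC_IP PUBLIC_PORT VM_IP VM_PORT IN_IF OUT_IF
# Only prints the commands, so the rule set can be reviewed before applying.
print_port_forward() {
    pub_ip=$1; pub_port=$2; vm_ip=$3; vm_port=$4; in_if=$5; out_if=$6
    # 1. DNAT lives in nat/PREROUTING and runs before routing, so it matches
    #    the public address and public port exactly as they arrive upstream.
    echo "$IPT -t nat -A PREROUTING -i $in_if -d $pub_ip -p tcp --dport $pub_port -j DNAT --to-destination $vm_ip:$vm_port"
    # 2. filter/FORWARD sees the packet *after* DNAT: match the DomU address
    #    and the DomU port (22), never the public port (3022).
    #    -I (insert at position 1) matters here: Xen already appended
    #    "-A FORWARD -o nat-internal -j REJECT", so an -A rule would land
    #    behind that REJECT and never see a NEW connection.
    echo "$IPT -I FORWARD 1 -i $in_if -o $out_if -d $vm_ip -p tcp --dport $vm_port -m conntrack --ctstate NEW -j ACCEPT"
    # Return traffic is already allowed by Xen's RELATED,ESTABLISHED rule for
    # -o nat-internal, so nothing else is needed for the reverse direction.
}

# apply_port_forward: same arguments; actually runs the rules (needs root).
apply_port_forward() {
    print_port_forward "$@" | sh -e
}

# Print (do not apply) the rules for the addresses used in the question.
print_port_forward 203.0.113.10 3022 192.168.10.2 22 eth0 nat-internal
```

Run it as root with `apply_port_forward` once the printed rules look right; `iptables -L FORWARD -n --line-numbers` then shows the ACCEPT sitting above Xen's REJECT for nat-internal.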