HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

iptables PREROUTING on ISPC3 and OpenVZ (http://www.howtoforge.com/forums/showthread.php?t=59563)

eko_taas 14th November 2012 14:50

iptables PREROUTING on ISPC3 and OpenVZ
 
Hi,

System: Debian Squeeze (node+VMs) + OpenVZ + 2xISPC3 (3.0.4.6, one VM-node and ISPC3 others) close to HowTos
http://www.howtoforge.com/installing...g-3-debian-6.0
http://www.howtoforge.com/virtual-mu...th-ispconfig-3
(all with default ports)
All good on intranet... but.....

A long time back I started to use pre-routing for external ports to have 2+ (physical) machines running under the same IP:
http://www.howtoforge.com/forums/showthread.php?t=55180

Now I have tried to replicate the idea on VMs, but I'm facing an interesting :eek: problem: OpenVZ seems to forward my request to the wrong IP (always the node).

- ADSL-Router Port forward
5000-5099 => 192.168.xxx.1 (node)
5100-5199 => 192.168.xxx.2 (1st VM for ISPC3)
etc.

My idea was to pre-route ports to the original at a high level (Node firewall pre-chain), so I added these test rules as root to the Node's firewall /etc/Bastille/firewall.d/pre-chain-split.sh:

Quote:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5002 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5003 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5102 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5103 -j REDIRECT --to-ports 8080
and then restarted the firewall
Quote:

/etc/init.d/bastille-firewall restart
Now on the client, all is OK with
Quote:

ssh -p 5002 nodeuser@example.com
but when
Quote:

ssh -p 5102 serveruser@example.com
no success, but when I change the user name
Quote:

ssh -p 5102 nodeuser@example.com
i.e. I logged in to the Node, not to the Server.

Same for the ISPConfig3 console: https://example.com:5103 (meant for the Server) goes to the Node.

I tried to look into the OpenVZ wiki, but could not yet find any pre-routing advice
http://wiki.openvz.org/Setting_up_an_iptables_firewall
Also, if I go ahead with the "Setting up a HN-based firewall" way, are there any special things I have to consider due to ISPC3? Obviously the VM confs have to be created manually (which I wanted to avoid by using the above shortcut).

till 14th November 2012 15:05

Quote:

any special things I have to consider due ISPC3?
No, ISPConfig does not set up or manage iptables, except for the Bastille firewall script, which is a simple port-based firewall (and is disabled by default), and fail2ban, which uses iptables to block attacks.

eko_taas 23rd November 2012 17:31

still can't get it running
 
Getting a bit desperate; I have tried to look through several HowTos with Google, but most of them talk about CTs without an IP (which I have, but only one public IP, thus a redirect is needed to use several servers for the same (isolated) service)

e.g. http://www.linuxweblog.com/blogs/san...nvz-containers
(instead of "/etc/sysconfig/vz" I edited "/etc/vz/vz.conf" with a similar line)
Also looked through the OpenVZ wiki....

Now (even though I tried to return everything to the original), pre-chain-split.sh does not even forward to the node
Quote:

ssh -p 5002 nodeuser@example.com
Has anyone found a good HowTo / wiki to solve this? Any help would be appreciated...
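The forwarding both posts are working toward, as an added example that is not the poster's pre-chain-split.sh: REDIRECT always rewrites the destination to an address of the machine the rule runs on, which is why port 5102 lands on the node, so a port meant for a container needs DNAT to that container's IP plus a FORWARD accept on the node. Assumed: the thread's port scheme (5000-5099 node, 5100-5199 first VM, last two digits selecting ssh/22 or 8080) and the placeholder subnet prefix 192.168.0.

```shell
#!/bin/sh
# Added example, not the poster's pre-chain-split.sh: generate iptables rules
# that send an external port to the right OpenVZ container. REDIRECT always
# rewrites the destination to the node's own address, so container ports need
# DNAT to the container IP plus a FORWARD accept on the node.
# Assumed scheme (from the thread): 5000-5099 -> node (.1), 5100-5199 -> first
# container (.2), ...; the last two digits pick the service (02 -> 22, 03 -> 8080).
SUBNET_PREFIX=192.168.0          # placeholder for the poster's 192.168.xxx
NODE_IP=$SUBNET_PREFIX.1

# Two-digit service offset -> real service port; unknown offsets fail.
service_port() {
  case "$1" in
    2) echo 22 ;;
    3) echo 8080 ;;
    *) return 1 ;;
  esac
}

# External port -> "target_ip target_port"; fails on ports outside the scheme.
resolve_target() {
  port=$1
  [ "$port" -ge 5000 ] && [ "$port" -le 5999 ] || return 1
  idx=$(( (port - 5000) / 100 ))   # 0 = node, 1 = first container, ...
  tport=$(service_port $(( port % 100 ))) || return 1
  echo "$SUBNET_PREFIX.$((idx + 1)) $tport"
}

# Print the rule(s) for one external port. The node itself keeps REDIRECT;
# a container gets DNAT and a FORWARD accept limited to that one ip:port
# (reply traffic relies on the firewall's usual ESTABLISHED,RELATED rule).
rule_for() {
  ext=$1
  target=$(resolve_target "$ext") || return 1
  ip=${target% *}
  tport=${target#* }
  if [ "$ip" = "$NODE_IP" ]; then
    echo "iptables -t nat -A PREROUTING -p tcp --dport $ext -j REDIRECT --to-ports $tport"
  else
    echo "iptables -t nat -A PREROUTING -p tcp --dport $ext -j DNAT --to-destination $ip:$tport"
    echo "iptables -A FORWARD -p tcp -d $ip --dport $tport -j ACCEPT"
  fi
}

# DNAT'd packets only reach a container if the node routes them
# (OpenVZ needs net.ipv4.ip_forward=1 on the node for venet anyway).
for p in 5002 5003 5102 5103; do
  rule_for "$p"
done
```

The printed lines can be pasted into the pre-chain file in place of the four REDIRECT rules from the first post.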

