Old 14th November 2012, 14:50
eko_taas
iptables PREROUTING on ISPC3 and OpenVZ


System: Debian Squeeze (node + VMs) + OpenVZ + 2x ISPC3 (one VM-node and ISPC3 others), close to the HowTos
(all with default ports)
All good on the intranet... but...

A long time back I started using PREROUTING for external ports to have 2+ (physical) machines running under the same IP:

Now I have tried to replicate the idea with VMs, but am facing an interesting problem: OpenVZ seems to forward my request to the wrong IP (always the node).

- ADSL router port forwarding:
5000-5099 => (node)
5100-5199 => (1st VM for ISPC3)

My idea was to PREROUTE the ports to the original ones at a high level (node firewall pre-chain), so I added test rules as root to the node's firewall in /etc/Bastille/firewall.d/:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5002 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5003 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5102 -j REDIRECT --to-ports 22
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 5103 -j REDIRECT --to-ports 8080
and then restarted the firewall:
/etc/init.d/bastille-firewall restart
Now on the client, all is OK with
ssh -p 5002
but when
ssh -p 5102
no success, but when I change the user name
ssh -p 5102
i.e. I logged in to the node, not to the server.

Same for the ISPConfig3 console: everything meant for the server goes to the node.

I tried to look into the OpenVZ wiki, but could not yet find any PREROUTING advice.
Also, if I go ahead with the "Setting up a HN-based firewall" way, are there any special things I have to consider due to ISPC3? Obviously the VM configs have to be created manually (which I wanted to avoid by using the above shortcut).
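Added example (not part of the post above, and not the poster's rules): the behaviour described, where port 5102 lands on the node, is what REDIRECT does by design. REDIRECT rewrites the destination address to the address of the interface the packet arrived on, i.e. the hardware node itself, so it can only ever reach services on the node. To hand a port to a container, the rule has to name the container's address with DNAT, the node has to route (ip_forward), and the FORWARD chain has to let exactly that traffic through. The script assumes a container with the private venet address 10.0.0.2 and eth0 as the node's WAN interface; both are placeholders chosen for the example. By default it only prints the commands (dry run); setting IPTABLES=iptables applies them.

```shell
#!/bin/sh
# Added example: forward external ports on an OpenVZ hardware node (HN) to a
# container with DNAT instead of REDIRECT.
#
# Why: REDIRECT always points the packet at the HN's own address, so
# "--dport 5102 -j REDIRECT --to-ports 22" reaches the HN's sshd, never the
# container's. DNAT rewrites the destination to the container's IP.
#
# Assumptions (constructed for this example, not taken from the post):
#   - container venet IP 10.0.0.2
#   - HN WAN interface eth0
#   - IPTABLES defaults to "echo iptables" (dry run); export IPTABLES=iptables
#     to really apply the rules as root.

IPTABLES="${IPTABLES:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"

# forward_port <external port> <container ip> <container port>
# Emits (or applies) the two rules a forwarded port needs:
#   1. nat/PREROUTING: rewrite destination to the container, only for packets
#      arriving on the WAN interface so intranet traffic is untouched;
#   2. filter/FORWARD: accept exactly that destination and port, plus the
#      established/related packets of the same connection.
forward_port() {
    ext_port=$1; ct_ip=$2; ct_port=$3
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m tcp --dport "$ext_port" \
        -j DNAT --to-destination "$ct_ip:$ct_port"
    $IPTABLES -A FORWARD -i "$WAN_IF" -p tcp -m tcp -d "$ct_ip" --dport "$ct_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# DNAT alone is not enough: the HN must route between eth0 and venet0.
# Printed in dry-run mode, executed only when IPTABLES is the real binary.
enable_forwarding() {
    if [ "$IPTABLES" = "iptables" ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo sysctl -w net.ipv4.ip_forward=1
    fi
}

enable_forwarding
forward_port 5102 10.0.0.2 22     # external 5102 -> container sshd
forward_port 5103 10.0.0.2 8080   # external 5103 -> container ISPConfig port
```

The node's own services keep working through the existing REDIRECT rules (5002, 5003); only the container-bound ports change to DNAT. Because the container's default route already goes back through the HN (venet), the reply packets pass the same conntrack entry and no extra SNAT is needed for traffic that entered from the WAN side.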