Help - cannot connect to win2008 guest

yatesco

Renowned Member
Sep 25, 2009
Hi,

I have a (KVM) Windows Server 2008 guest and I cannot connect to it from a public IP.

The host has a single eth0 (94.....) but there are a number of other IP addresses mapped (91....) which are configured via eth0:0 aliases (i.e. eth0:0, eth0:1 etc.)

There are a number of openvz containers with internal IPs (10....) and I use shorewall (http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/) to route the traffic. This works fine, but I just cannot achieve the same thing with KVM.

Things I have tried:

- using vmbr0 with a 10... IP address with the eth0 as the gateway (netmask 255.255.255.255)
- using vmbr0 with the public address (91...), obviously the 91.. address isn't mapped to eth0:X
I have tried the same with NAT. In addition I tried NAT with DHCP and it received a 10.0.2.X IP (from proxmox I assume - there is no dhcp server running anywhere else!). I then mapped the 91... address to eth0:X and tried a port forward, but no luck.

I am running out of ideas. I realise I have a custom setup with the firewall, but I just don't get what to do :(

Relevant configuration files (this is from the host with 2 openvz containers and 1 KVM machine):

ifconfig:
Code:
dummy0    Link encap:Ethernet  HWaddr 0a:7d:57:9a:86:29
          inet6 addr: fe80::87d:57ff:fe9a:8629/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:1356 (1.3 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1c:c0:ee:c9:e8
          inet addr:94.X.X.X Bcast:94.23.224.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:c0ff:feee:c9e8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:101668 errors:0 dropped:0 overruns:0 frame:0
          TX packets:78707 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:104430339 (99.5 MiB)  TX bytes:60058805 (57.2 MiB)

eth0:0    Link encap:Ethernet  HWaddr 00:1c:c0:ee:c9:e8
          inet addr:91.X.X.X  Bcast:91.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:1c:c0:ee:c9:e8
          inet addr:91.X.X.X  Bcast:91.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 00:1c:c0:ee:c9:e8
          inet addr:91.X.X.X Bcast:91.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:3    Link encap:Ethernet  HWaddr 00:1c:c0:ee:c9:e8
          inet addr:X.X.X  Bcast:91.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2035 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2035 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:357512 (349.1 KiB)  TX bytes:357512 (349.1 KiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8924 (8.7 KiB)  TX bytes:2724 (2.6 KiB)

vmbr0     Link encap:Ethernet  HWaddr 0a:7d:57:9a:86:29
          inet addr:94.X.X.X  Bcast:94.23.224.255  Mask:255.255.255.0
          inet6 addr: fe80::87d:57ff:fe9a:8629/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

shorewall zones:
Code:
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS

fw      firewall
net     ipv4
dmz     ipv4

shorewall interfaces:
Code:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          blacklist,nosmurfs
dmz     venet0          detect          routeback
dmz     vmbr0           detect          routeback,bridge

shorewall policy:
Code:
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT

# From DMZ Policy
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info    1/sec:2

# From Net Policy
net     fw      DROP            info    1/sec:2
net     dmz     DROP            info    8/sec:30

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info

shorewall rules:
Code:
#ACTION          SOURCE     DEST       PROTO   DEST        SOURCE     ORIGINAL    RATE

# Permit access to SSH
SSH/ACCEPT       net        fw         -       -            -          -          6/min:5

# Permit access to Proxmox Manager and Console
ACCEPT           net        fw         tcp     443,5900

# PING Rules
Ping/ACCEPT      all        all

#wiki
DNAT            net          dmz:10.0.1.1             tcp     22       -    91.X.X.X
DNAT            net          dmz:10.0.1.1             tcp     80       -    91.X.X.X
DNAT            net          dmz:10.0.1.1             tcp     443       -    91.X.X.X

#blog
DNAT            net          dmz:10.0.1.2             tcp     22       -    91.X.X.X
DNAT            net          dmz:10.0.1.2             tcp     80       -    91.X.X.X
DNAT            net          dmz:10.0.1.2             tcp     443       -    91.X.X.X

#bob (this is the one that isn't working!!!)
#DNAT            net          dmz:10.0.2.15             tcp     -       -    91.X.X.X
# LAST LINE -- DO NOT REMOVE

shorewall masq:
Code:
#INTERFACE      SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0            10.0.0.0/8

# LAST LINE -- DO NOT REMOVE
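As an added check (not part of the original post), the following Python script parses a shorewall rules file in the column layout shown above together with ifconfig output, and reports DNAT rules that cannot forward traffic: rules left commented out, and rules whose ORIGINAL DEST address is not bound on any host interface. The sample rules and interfaces are constructed, with RFC 5737 documentation addresses standing in for the redacted 91.X.X.X aliases.

```python
import re

# Constructed sample input, not the poster's real data: shorewall rules in the
# column layout used in the post, plus a trimmed ifconfig listing. The RFC 5737
# documentation range stands in for the redacted 91.X.X.X public aliases.
RULES = """\
#ACTION   SOURCE  DEST            PROTO  DEST  SOURCE  ORIGINAL
DNAT      net     dmz:10.0.1.1    tcp    80    -       203.0.113.10
DNAT      net     dmz:10.0.1.2    tcp    80    -       203.0.113.11
#DNAT     net     dmz:10.0.2.15   tcp    -     -       203.0.113.12
DNAT      net     dmz:10.0.1.3    tcp    443   -       203.0.113.99
"""
IFCONFIG = """\
eth0:0    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.255
eth0:1    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.11  Bcast:203.0.113.255  Mask:255.255.255.255
eth0:2    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.12  Bcast:203.0.113.255  Mask:255.255.255.255
"""

def local_addresses(ifconfig_text):
    """Every IPv4 address that ifconfig reports as bound on the host."""
    return set(re.findall(r"inet addr:(\d+\.\d+\.\d+\.\d+)", ifconfig_text))

def parse_dnat_rules(rules_text):
    """Yield (disabled, target, proto, port, original_dest) for each DNAT line,
    including commented-out rules, which shorewall skips without installing NAT."""
    for raw in rules_text.splitlines():
        line = raw.strip()
        disabled = line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 7 or fields[0] != "DNAT":
            continue  # header, blank line, or a non-DNAT action
        _zone, _, target = fields[2].partition(":")  # "dmz:10.0.1.1" -> "10.0.1.1"
        yield disabled, target, fields[3], fields[4], fields[6]

def check_dnat(rules_text, ifconfig_text):
    """Return human-readable findings for DNAT rules that cannot forward traffic."""
    bound = local_addresses(ifconfig_text)
    findings = []
    for disabled, target, proto, port, orig in parse_dnat_rules(rules_text):
        label = f"{proto}/{port} {orig} -> {target}"
        if disabled:
            findings.append(f"{label}: rule is commented out, no NAT entry is installed")
        if orig not in bound:
            findings.append(f"{label}: ORIGINAL DEST {orig} is not bound on any host interface")
    return findings
```

Running check_dnat(RULES, IFCONFIG) on the sample flags the commented-out 10.0.2.15 rule and the rule whose public address is not bound. Note that 10.0.2.15 is the address QEMU's built-in user-mode (SLIRP) networking hands out by default; that network exists only inside the QEMU process, so a host-side DNAT to it cannot deliver packets even once the rule is enabled.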