Hi!
I have a server with Proxmox. I have an OpenVZ configuration with many VEs using NAT.
But I have a problem with my network configuration!
We have Apache on a VE (prod-web-1) and I can't get access to a domain (tutu.fr for example) hosted on this VE (using the public IP A.B.C.D) from this VE:
Code:
root@prod-web-1:~# telnet tutu.fr 80
Trying A.B.C.D...
It's OK when we use localhost or the private IP of the VE (192.168.0.101):
Code:
root@prod-web-1:~# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Code:
root@prod-web-1:~# telnet 192.168.0.101 80
Trying 192.168.0.101...
Connected to 192.168.0.101.
Escape character is '^]'.
It works from the node (tanenbaum):
Code:
root@tanenbaum:~# telnet tutu.fr 80
Trying A.B.C.D...
Connected to tutu.fr.
Escape character is '^]'.
and from other VEs (prod-bdd-1 for example):
Code:
root@prod-bdd-1:~# telnet tutu.fr 80
Trying A.B.C.D...
Connected to tutu.fr.
Escape character is '^]'.
My configuration:
NAT:
Code:
root@tanenbaum:~# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 69 packets, 4311 bytes)
pkts bytes target prot opt in out source destination
86 4584 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpt:http to:192.168.0.101:80
0 0 DNAT tcp -- eth0 any anywhere srv1.toto.fr tcp dpt:ftp to:192.168.0.101:21
0 0 DNAT tcp -- eth0 any anywhere srv1.toto.fr tcp dpts:4242:4300 to:192.168.0.101
Chain POSTROUTING (policy ACCEPT 247 packets, 27946 bytes)
pkts bytes target prot opt in out source destination
13 819 SNAT all -- any any 192.168.0.0/24 !192.168.0.0/24 to:A.B.C.D
Chain OUTPUT (policy ACCEPT 117 packets, 20722 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpt:http to:192.168.0.101:80
0 0 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpt:ftp to:192.168.0.101:21
0 0 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpts:4242:4300 to:192.168.0.101
Filter:
Code:
root@tanenbaum:~# iptables -L -v
Chain INPUT (policy DROP 3 packets, 152 bytes)
pkts bytes target prot opt in out source destination
44 3710 ACCEPT all -- lo any anywhere anywhere
437 34317 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:6984 state NEW
0 0 ACCEPT tcp -- eth0 any cache.ovh.net anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8006 state NEW
12 952 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any torvalds.toto.fr anywhere tcp dpt:mysql state NEW
0 0 ACCEPT all -- any any 192.168.0.0/24 anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15265 9481K ACCEPT all -- any any 192.168.0.0/24 anywhere
1714 568K ACCEPT all -- any any anywhere 192.168.0.0/24
Chain OUTPUT (policy ACCEPT 156 packets, 26429 bytes)
pkts bytes target prot opt in out source destination
44 3710 ACCEPT all -- any lo anywhere anywhere
415 156K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
IP forwarding is enabled:
Code:
root@tanenbaum:~# cat /proc/sys/net/ipv4/ip_forward
1
Network configuration:
Code:
root@tanenbaum:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address E.F.G.H
netmask 255.255.255.0
network E.F.G.0
broadcast E.F.G.255
gateway E.F.G.254
# IP Failover
post-up /sbin/ifconfig eth0:0 A.B.C.D netmask 255.255.255.255 broadcast A.B.C.D
post-down /sbin/ifconfig eth0:0 down
post-up /sbin/ifconfig eth0:1 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
post-down /sbin/ifconfig eth0:1 down
The routing table from the node:
Code:
root@tanenbaum:~# route
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
prod-infra-1 * 255.255.255.255 UH 0 0 0 venet0
bck-bdd-1 * 255.255.255.255 UH 0 0 0 venet0
prod-bdd-1 * 255.255.255.255 UH 0 0 0 venet0
prod-mail-1 * 255.255.255.255 UH 0 0 0 venet0
prod-web-1 * 255.255.255.255 UH 0 0 0 venet0
E.F.G.0 * 255.255.255.0 U 0 0 0 eth0
default E.F.G.254 0.0.0.0 UG 0 0 0 eth0
I tried a lot of things but I'm still not able to have full access to my sites from my Apache VE (prod-web-1).
Do you have an idea?
Thanks!
Romain
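Added example, not part of the post above: the symptom (DNAT counters increase, but the connection from prod-web-1 to A.B.C.D never completes while other hosts succeed) is what a NAT hairpin problem looks like. The PREROUTING DNAT rewrites the destination to 192.168.0.101, but the POSTROUTING SNAT only matches destinations outside 192.168.0.0/24, so the reply leaves the VE with its own address as source and the handshake fails. The script below emits (or, with APPLY=1, runs) the two rules that are normally added for this case, using the addresses from the post; it assumes that diagnosis, that 192.168.0.1 on eth0:1 is reachable from the VEs, and that the public IP placeholder A.B.C.D is replaced with the real address. It also emits the DNAT for LAN-sourced traffic, which the post's ftp and 4242:4300 rules would need since they are restricted to eth0.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the setup in the post. Values below are
# taken from the post; A.B.C.D is the post's own placeholder for the failover IP.
LAN_NET="192.168.0.0/24"
NODE_LAN_IP="192.168.0.1"     # eth0:1 on tanenbaum (assumption: reachable from VEs)
WEB_VE="192.168.0.101"        # prod-web-1
PUBLIC_IP="A.B.C.D"           # replace with the real public IP before applying

# run_rule: print the command unless APPLY=1 is set, in which case execute it.
run_rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# hairpin_rules PORT: rules so a VE on the LAN can reach PUBLIC_IP:PORT.
#  1. DNAT LAN-sourced traffic for the public IP to the web VE (the post's
#     http rule already does this for any interface; ftp/4242:4300 do not).
#  2. SNAT that DNATed LAN-to-LAN traffic to the node's LAN address so the
#     reply goes back through the node, where conntrack undoes both rewrites.
# -I puts them ahead of the existing generic rules.
hairpin_rules() {
    port="$1"
    run_rule iptables -t nat -I PREROUTING -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$port" -j DNAT --to-destination "$WEB_VE:$port"
    run_rule iptables -t nat -I POSTROUTING -s "$LAN_NET" -d "$WEB_VE" \
        -p tcp --dport "$port" -j SNAT --to-source "$NODE_LAN_IP"
}

# show_counters: after applying, the SNAT rule's pkts column should grow when
# prod-web-1 runs `telnet tutu.fr 80`; if it stays at 0 the diagnosis is wrong.
show_counters() {
    run_rule iptables -t nat -L POSTROUTING -v -n
}

hairpin_rules 80
show_counters
```

Without APPLY=1 the script only prints the commands, so it can be reviewed before being run as root on the node.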