Hi guys,
I have F11 on the physical box and under KVM I have virtual system where I run Apache as a web server. Physical box has two public IPs - one is used for physical box management, another (VDMZ_PUBL_IP) is used to access virtual system. Virtual system itself has private IPs, so I have NAT configured in IPTABLES. It also means that virtual system is not aware of its public IP and it "thinks" it has only the private IP. Also please note to make things simple - I do not have IPTABLES rules set on the virtual server - all rules are set on physical server only.
First I made SSH work so I can log in to virtual system - it works fine. Then (using the similar rules) I configured Apache on virtual box - and it works from outside as expected.
However before I setup web application from outside successfully, I was forced to setup a fixed URI link in my application - which I did as http://public_IP/ to make it work from outside. My (design) problem occurred when I discovered that actually I cannot access my Application using public IP directly from virtual system (=from inside) - as I have no rules for this situation.
I tried to add some - but it did not work, however I'm in doubt if it can work at all:
My idea was to set the rule in PREROUTING (on the physical box) in a way that if virtual server tries to access its own public address, it will be changed back to private one and (hopefully) forwarded back. I tried both of below rules (one at a time) and none really worked:

    iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in vnet1 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

    iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

However now I'm in doubt if this is ever possible:
- Will iptables allow packet to be forwarded back to the same interface where it was received from?
- Or should I set some rules in Apache itself using mod_rewrite? (so in such a case packet won't leave the virtual machine)
- Are there any risks with that when I decide to use HTTPS? (However HTTP only from inside of the virtual system and HTTPS from outside is acceptable as well)
Is there any other solution so I can access my own system from the virtual system using its public IP?
Thank you in advance,
iaiv
On Tue, Sep 1, 2009 at 5:18 AM, jaivuk <jaivuk@googlemail.com> wrote:
Hi guys,
I have F11 on the physical box and under KVM I have virtual system where I run Apache as a web server. Physical box has two public IPs - one is used for physical box management, another (VDMZ_PUBL_IP) is used to access virtual system. Virtual system itself has private IPs, so I have NAT configured in IPTABLES. It also means that virtual system is not aware of its public IP and it "thinks" it has only the private IP. Also please note to make things simple - I do not have IPTABLES rules set on the virtual server - all rules are set on physical server only.
First I made SSH work so I can log in to virtual system - it works fine. Then (using the similar rules) I configured Apache on virtual box - and it works from outside as expected.
However before I setup web application from outside successfully, I was forced to setup a fixed URI link in my application - which I did as http://public_IP/ to make it work from outside. My (design) problem occurred when I discovered that actually I cannot access my Application using public IP directly from virtual system (=from inside) - as I have no rules for this situation.
Just add an IP alias to your virtual server! A kind of eth0:1. This will solve your problem and give an answer to all your questions.
I tried to add some - but it did not work, however I'm in doubt if it can work at all:
My idea was to set the rule in PREROUTING (on the physical box) in a way that if virtual server tries to access its own public address, it will be changed back to private one and (hopefully) forwarded back. I tried both of below rules (one at a time) and none really worked:

    iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in vnet1 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

I don't know about -m physdev, sorry.
    iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

Looks ok, but what about other FILTER rules?
However now I'm in doubt if this is ever possible:
- Will iptables allow packet to be forwarded back to the same interface
where it was received from?
Yes
- Or should I set some rules in Apache itself using mod_rewrite? (so in such
a case packet won't leave the virtual machine)
- Are there any risks with that when I decide to use HTTPS? (However HTTP
only from inside of the virtual system and HTTPS from outside is acceptable as well)
HTTPS requires a certificate.
Is there any other solution so I can access my own system from the virtual system using its public IP?
Yes, use routing instead of NAT :-)
Thank you in advance,
iaiv
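The hairpin NAT the question describes, written out as a complete rule set. This is an added example for this thread, not rules posted by either participant. It assumes libvirt's default virbr0 network with the host at 192.168.122.1, eth0 as the public interface, and constructed placeholder addresses for VDMZ_PUBL_IP and VDMZ_PRIV_IP; by default it only prints the rules it would apply.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT for a KVM guest behind iptables on the host.
# Added example for this thread, not rules posted by anyone in it.
# Assumptions: the guest sits on libvirt's default virbr0 network, the host
# owns the bridge address 192.168.122.1, the public NIC is eth0, and the
# addresses below are constructed placeholders.
VDMZ_PUBL_IP="${VDMZ_PUBL_IP:-203.0.113.10}"     # constructed public IP
VDMZ_PRIV_IP="${VDMZ_PRIV_IP:-192.168.122.10}"   # guest's private IP (assumed)
BRIDGE="${BRIDGE:-virbr0}"
BRIDGE_IP="${BRIDGE_IP:-192.168.122.1}"          # host side of the bridge (assumed)
WAN_IF="${WAN_IF:-eth0}"                         # assumed public interface
DRY_RUN="${DRY_RUN:-1}"                          # 1 = only print the rules

# Print every rule; apply it only when DRY_RUN=0 (needs root on the host).
ipt() {
    echo "iptables $*"
    if [ "$DRY_RUN" = "0" ]; then
        iptables "$@"
    fi
}

hairpin_nat_rules() {
    for port in 80 443; do
        # External clients: the path the poster already has working.
        ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$VDMZ_PUBL_IP" --dport "$port" \
            -j DNAT --to-destination "$VDMZ_PRIV_IP"
        # The guest talking to its own public address arrives on the bridge
        # (its default gateway is the host), so apply the same DNAT there.
        ipt -t nat -A PREROUTING -i "$BRIDGE" -p tcp -d "$VDMZ_PUBL_IP" --dport "$port" \
            -j DNAT --to-destination "$VDMZ_PRIV_IP"
        # After DNAT the packet has src = dst = guest. Without SNAT the guest
        # would answer itself directly, the host's conntrack entry would never
        # see the reply, and the connection would hang. Rewriting the source
        # to the bridge address forces the reply back through the host.
        ipt -t nat -A POSTROUTING -o "$BRIDGE" -p tcp -s "$VDMZ_PRIV_IP" -d "$VDMZ_PRIV_IP" \
            --dport "$port" -j SNAT --to-source "$BRIDGE_IP"
    done
    # The FILTER rules the reply asks about: allow only the published services
    # into the guest, from the outside and from the bridge itself, plus
    # established traffic, rather than a blanket ACCEPT on FORWARD.
    ipt -A FORWARD -i "$WAN_IF" -o "$BRIDGE" -d "$VDMZ_PRIV_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -d "$VDMZ_PRIV_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hairpin_nat_rules
```

Two things to check before relying on this on a real host: libvirt installs its own FORWARD and MASQUERADE rules for virbr0 when the network starts, so confirm the order with `iptables -t nat -L -n --line-numbers` and `iptables -L FORWARD -n --line-numbers`; and, as the reply points out, the SNAT step means Apache's access log will show the bridge address rather than the guest for hairpinned requests. The alternatives in the reply (an IP alias on the guest, or mod_rewrite) avoid the host round trip entirely, which is also the simpler case for HTTPS since the certificate then only has to match the public name.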
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines