Web server on virtual box - iptables design question

jaivuk jaivuk at googlemail.com
Tue Sep 1 03:18:38 UTC 2009


Hi guys,

I have F11 on the physical box and under KVM I have a virtual system where I
run Apache as a web server. The physical box has two public IPs - one is used
for physical box management,
another (VDMZ_PUBL_IP) is used to access the virtual system. The virtual system
itself has private IPs, so I have NAT configured in IPTABLES. It also means
that the virtual system is not aware of its public IP and it "thinks" it has
only the private IP. Also please note, to make things simple, I do not have
IPTABLES rules set on the virtual server - all rules are set on the physical
server only.

First I made SSH work so I can log in to the virtual system - it works fine.
Then (using similar rules) I configured Apache on the virtual box - and it
works from outside as expected.

However, before I set up the web application from outside successfully, I was
forced to set up a fixed URI link in my application - which I did as
http://public_IP/  to make it work from outside.
My (design) problem occurred when I discovered that actually I cannot access
my application using the public IP directly from the virtual system (= from inside) -
as I have no rules for this situation.

I tried to add some, but it did not work; however, I'm in doubt whether it can
work at all:

My idea was to set the rule in PREROUTING (on the physical box) in a way
that if the virtual server tries to access its own public address, it will be
changed back to the private one and (hopefully) forwarded back.
I tried both of the rules below (one at a time) and neither really worked:
iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in vnet1 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP
iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

However now I'm in doubt if this is ever possible:
- Will iptables allow packet to be forwarded back to the same interface
where it was received from?
- Or should I set some rules in Apache itself using mod_rewrite? (so in such
a case the packet won't leave the virtual machine)
- Are there any risks with that when I decide to use HTTPS? (However HTTP
only from inside of the virtual system and HTTPS from outside is acceptable
as well)

Is there any other solution so I can access my own system from the virtual
system using its public IP?

Thank you in advance,

iaiv
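Added example, not part of the original message: the situation described above is the classic "hairpin" (NAT loopback) case. A PREROUTING DNAT alone is not enough, because after the destination is rewritten the guest receives a SYN whose source address is its own private IP and answers itself directly; the reply never passes the host, so conntrack never reverses the translation and the connection does not complete. The missing piece is a POSTROUTING SNAT for that one path, so the guest replies to the host instead. The script below shows the complete rule set for TCP port 80 in the form a practitioner would test it. It assumes libvirt's default bridge addressing (192.168.122.0/24 with the host at 192.168.122.1) and a TEST-NET-3 placeholder for the public IP; none of those values come from the post. Nothing is applied unless APPLY=1; by default every command is only printed.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rule set for the layout in the post: a KVM guest on the
# libvirt bridge virbr0 reaching its own public address from inside the guest.
# Added example, not from the original message. Assumed values (placeholders
# the post does not state): bridge subnet 192.168.122.0/24, host bridge address
# 192.168.122.1 (libvirt defaults), public IP from TEST-NET-3 (203.0.113.0/24).
VDMZ_PUBL_IP="${VDMZ_PUBL_IP:-203.0.113.10}"
VDMZ_PRIV_IP="${VDMZ_PRIV_IP:-192.168.122.10}"
VDMZ_NET="${VDMZ_NET:-192.168.122.0/24}"
VDMZ_GW="${VDMZ_GW:-192.168.122.1}"
APPLY="${APPLY:-0}"   # 1 = really run the commands (as root); 0 = dry run

# run CMD...: execute when APPLY=1, otherwise print the command line.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Emits (or applies) the complete rule set for TCP port 80.
hairpin_rules() {
    # The host must route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # (1) DNAT public address -> guest. With no -i restriction this single rule
    #     matches both Internet traffic and the guest's own requests arriving on
    #     virbr0. The hairpin packet is addressed to one of the host's own IPs,
    #     so it is routed rather than bridged; a plain interface match suffices
    #     and no physdev match is needed. If the existing rule is pinned to the
    #     external interface (-i eth0), add a copy with -i virbr0 instead.
    run iptables -t nat -A PREROUTING -p tcp -d "$VDMZ_PUBL_IP" --dport 80 \
        -j DNAT --to-destination "$VDMZ_PRIV_IP"

    # (2) The hairpin fix: rewrite the source of guest-originated, DNATed packets
    #     to the host's bridge address. The guest then replies to the host,
    #     conntrack reverses both translations, and the client socket sees a
    #     reply from PUBL_IP:80 as it expects. Scoped to the bridge subnet so
    #     Internet clients are not affected.
    run iptables -t nat -A POSTROUTING -o virbr0 -s "$VDMZ_NET" -d "$VDMZ_PRIV_IP" -p tcp --dport 80 \
        -j SNAT --to-source "$VDMZ_GW"

    # (3) Let the forwarded packets through. Entering and leaving on the same
    #     interface is fine with iptables; these rules matter only if the
    #     FORWARD policy is not already ACCEPT.
    run iptables -A FORWARD -i virbr0 -o virbr0 -d "$VDMZ_PRIV_IP" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: ./hairpin.sh           prints the rules
#        APPLY=1 ./hairpin.sh   applies them (requires root)
hairpin_rules
```

Two caveats worth keeping in mind with this approach: because of the SNAT, Apache inside the guest logs 192.168.122.1 (the host) as the client for every hairpinned request, so any access control keyed on client address has to account for that. For HTTPS the hairpin is transparent, since nothing on the host terminates TLS; the certificate simply has to match whatever name or address the URL uses, exactly as it would for an outside client.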