I'll post you my rules tomorrow when I have a look at it. So you can get your containers to view sites on the same server?
I also have to forward different ports to get ssh access to the containers. How can I IP-filter before it gets forwarded? Is it possible? It doesn't seem to work. Maybe I have to run a VPN for the ssh connections instead?

On 21/12/2009, at 1:14 AM, Galia Lisovskaya wrote:

> On my old OpenVZ server (it uses DNAT and masquerade fine) I use nginx
> to reverse proxy http connections for containers, and DNAT other
> ports. Maybe you will solve your problem when you read my iptables dump.
> XX.XX.XX.XX is the external hardware node IP, 10.0.10.33 the IP of the nginx VE.
> As you see, I have rules to permit connections to this VE. It works,
> but I can't reproduce it :(
>
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *raw
> :PREROUTING ACCEPT [15756606:11159312833]
> :OUTPUT ACCEPT [83187:9939944]
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *nat
> :PREROUTING ACCEPT [460807:49066604]
> :POSTROUTING ACCEPT [2287:134871]
> :OUTPUT ACCEPT [1050:65159]
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.0.10.3:4662
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 4666 -j DNAT --to-destination 10.0.10.3:4666
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 6419 -j DNAT --to-destination 10.0.10.3:6419
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 6882 -j DNAT --to-destination 10.0.10.3:6882
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 1959 -j DNAT --to-destination 10.0.10.3:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.10.33:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 2959 -j DNAT --to-destination 10.0.10.5:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7422 -j DNAT --to-destination 10.0.7.4:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7480 -j DNAT --to-destination 10.0.7.4:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7880 -j DNAT --to-destination 10.0.7.8:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7821 -j DNAT --to-destination 10.0.7.8:21
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7680 -j DNAT --to-destination 10.0.7.6:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7622 -j DNAT --to-destination 10.0.7.6:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7922 -j DNAT --to-destination 10.0.7.9:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7912 -j DNAT --to-destination 10.0.7.11:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7918 -j DNAT --to-destination 10.0.7.11:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.9.25:110
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.9.25:143
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.9.25:25
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.2:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7980 -j DNAT --to-destination 10.0.7.9:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.9.29:53
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.9.22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 10.0.7.2:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7280 -j DNAT --to-destination 10.0.7.2:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7580 -j DNAT --to-destination 10.0.7.5:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7522 -j DNAT --to-destination 10.0.7.5:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7822 -j DNAT --to-destination 10.0.7.8:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5212 -j DNAT --to-destination 10.0.5.21:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 10.0.5.22:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5218 -j DNAT --to-destination 10.0.5.21:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5228 -j DNAT --to-destination 10.0.5.22:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7322 -j DNAT --to-destination 10.0.7.3:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7380 -j DNAT --to-destination 10.0.7.3:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7780 -j DNAT --to-destination 10.0.7.7:80
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 7722 -j DNAT --to-destination 10.0.7.7:22
> -A PREROUTING -d XX.XX.XX.XX -i eth0 -p tcp -m tcp --dport 5142 -j DNAT --to-destination 10.0.5.14:22
> -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
> -A POSTROUTING -s 10.0.9.25 -p tcp -m tcp --dport 25 -j ACCEPT
> -A POSTROUTING -s 10.0.5.2 -p tcp -m tcp --dport 25 -j ACCEPT
> -A POSTROUTING -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A POSTROUTING -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A POSTROUTING -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A POSTROUTING -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *mangle
> :PREROUTING ACCEPT [15756617:11159313405]
> :INPUT ACCEPT [145636:35302709]
> :FORWARD ACCEPT [15611902:11124135311]
> :OUTPUT ACCEPT [83199:9941544]
> :POSTROUTING ACCEPT [15695095:11134076551]
> -A PREROUTING -i br0 -j MARK --set-mark 0x9
> -A PREROUTING -i wlan0 -j MARK --set-mark 0x9
> -A PREROUTING -i venet0 -j MARK --set-mark 0x9
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
> # Generated by iptables-save v1.3.5 on Sun Dec 20 16:18:42 2009
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [83202:9942132]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
> -A FORWARD -s 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
> -A FORWARD -s 10.0.7.0/255.255.255.0 -d 10.0.10.33 -j ACCEPT
> -A FORWARD -s 10.0.10.0/255.255.255.0 -d 10.0.9.25 -p tcp -m multiport --dports 25 -j ACCEPT
> -A FORWARD -s 10.0.5.2 -p tcp -m multiport --dports 25 -j ACCEPT
> -A FORWARD -d 255.255.255.255 -j ACCEPT
> -A FORWARD -s 10.0.9.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A FORWARD -s 10.0.7.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A FORWARD -s 10.0.5.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A FORWARD -s 10.0.10.0/255.255.255.0 -p tcp -m multiport --dports 25 -j DROP
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
> -A FORWARD -p tcp -m tcp --dport 25 -j DROP
> -A FORWARD -o eth0 -j ACCEPT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i br0 -j ACCEPT
> -A RH-Firewall-1-INPUT -i ath0 -j ACCEPT
> -A RH-Firewall-1-INPUT -i venet0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 959 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4666 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 6419 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 6429 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4662 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2959 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7422 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7480 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7622 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7680 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7918 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7912 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7922 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7980 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7280 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7580 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7522 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7880 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7822 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7821 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7843 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5212 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5218 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5228 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7780 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 7722 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5142 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Sun Dec 20 16:18:42 2009
>
> 2009/12/20 Dan Rossi <electrote...@gmail.com>:
>> Hey, I am also having NAT issues. For instance, I'm routing port 80 to squid,
>> which reverse proxies to instances. However, when I tried to get instances to
>> view sites on the same server, it's not going directly out and back in, if you
>> know what I mean: it gets directed through squid, but squid isn't set up for
>> proxying a connection for the containers! What do I do here? I get failed
>> connections. The containers are able to access external sites though.
>
> --
> Galina Lisovskaya
>
> _______________________________________________
> Users mailing list
> Users@openvz.org
> https://openvz.org/mailman/listinfo/users
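The two questions in this thread (filtering who may reach a DNAT'ed container ssh port, and letting containers reach a site on the same node through the public IP) handled in one rule set. This is an added example, not code from the thread or from OpenVZ; the addresses, ports and the admin network are hypothetical placeholders, and it assumes the eth0/venet0 layout of the dump above.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset
# for the two problems raised above: limiting who may use a DNAT'ed
# container SSH port, and letting containers reach a site on the same
# node through the public IP ("hairpin" NAT). All values are placeholders.
EXT_IP="203.0.113.10"        # hardware node public IP (hypothetical)
CT_NET="10.0.0.0/8"          # container address space (hypothetical)
WEB_VE="10.0.10.33"          # VE running the nginx/squid reverse proxy
SSH_VE="10.0.10.3"           # VE whose sshd is published on EXT_IP:1959
SSH_PORT="1959"
ADMIN_NET="198.51.100.0/24"  # only this network may use the SSH forward

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# (1) Put the source match on the DNAT rule itself: anyone else is never
# translated, so there is nothing left to forward.
-A PREROUTING -i eth0 -s $ADMIN_NET -d $EXT_IP -p tcp --dport $SSH_PORT -j DNAT --to-destination $SSH_VE:22
# (2) Hairpin: the external-only rule (-i eth0) does not see container
# traffic, so requests from VEs to EXT_IP:80 hit the node's own port 80.
# A second DNAT rule for container sources sends them to the proxy VE.
-A PREROUTING -i eth0 -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_VE:80
-A PREROUTING -s $CT_NET -d $EXT_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_VE:80
# Source-rewrite hairpinned flows so replies come back through the node.
# Needed with veth/bridge VEs that can reach each other directly; the
# proxy VE then logs the node address instead of the real client VE.
-A POSTROUTING -s $CT_NET -d $WEB_VE -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s $CT_NET -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# DNAT runs before FORWARD, so filter on the translated destination
# (container IP, real port 22), not on EXT_IP:$SSH_PORT.
-A FORWARD -i eth0 -s $ADMIN_NET -d $SSH_VE -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -d $WEB_VE -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -s $CT_NET -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Usage: gen_rules | iptables-restore   (review first with: gen_rules | less)
```

With a FORWARD policy of DROP, anything not matched above is logged and discarded, so a forward that stops working shows up in the kernel log with the FWD-DROP prefix.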