How to configure NAT with LXC containers in SLES? - virtual-machine

We are trying to configure NAT and bridging with an LXC container inside SLES 11.3. We are getting an error: unable to start the container.
Following is the screen dump. br0 is the external network and br1 is the internal network.
brctl show
bridge name bridge id STP enabled interfaces
br0 8000.001ec9d3ad09 no eth0
br1 8000.000000000000 no
We have br0 which is bridged with eth0. Following is br0 configuration
ifconfig br0
br0 Link encap:Ethernet HWaddr 00:1E:C9:D3:AD:09
inet addr:10.31.96.176 Bcast:10.31.99.255 Mask:255.255.252.0
inet6 addr: 3ffe:80c0:22c:8021:21e:c9ff:fed3:ad09/64 Scope:Global
inet6 addr: fe80::21e:c9ff:fed3:ad09/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4054175 errors:0 dropped:748956 overruns:0 frame:0
TX packets:9689 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:352965801 (336.6 Mb) TX bytes:1382473 (1.3 Mb)
br1 is another bridge which is used for internal network of containers
br1 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::70d4:cbff:fe18:6548/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:520 (520.0 b) TX bytes:1070 (1.0 Kb)
Below is the LXC Configuration
lxc.network.type = veth
lxc.network.name = net0
lxc.network.ipv4 = 192.168.0.100/24
lxc.network.link = br1
lxc.network.flags = up
lxc.network.ipv4.gateway = 192.168.0.1
We followed http://www.pdxsys.com/articles/lxc/lxc2/ for performing NAT between br0 and br1:
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 10.31.96.176 --dport 80 -j DNAT --to 192.168.0.100
iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT
where 192.168.0.100 is the LXC container IP and 10.31.96.176 is the host IP.
When we try to start the guest we get the following error:
lxc-start -n TEST1 -l DEBUG -o /root/test.log
lxc-start: failed to setup ipv4 gateway for 'eth0': No such process
lxc-start: failed to setup netdev
lxc-start: failed to setup the network for 'TEST1'
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'TEST1'
How do we resolve this?

Related

AWS ubuntu iptable port forwarding between its two interfaces

I have an AWS ubuntu instance with the following network interfaces:
ens5, ip: 172.XX.XX.XX
A5TAP, ip:192.168.233.1 (VPN)
How do I udp port forward port 10000-10200 to 192.168.233.52:10000-10200?
I tried the obvious commands below for a single port, 10009, but it is not working:
sudo iptables -t nat -A PREROUTING -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
sudo iptables -t nat -A POSTROUTING -p udp -d 192.168.233.52 --dport 10009 -j SNAT --to-source 172.XX.XX.XX
sudo iptables -t nat -L -n
What I tried so far:
I am trying to port forward all UDP traffic for port 10009 arriving on ens5 to 192.168.233.52 on A5TAP:
172.XX.XX.XX:10009 -> 192.168.233.52:10009
The udp stream is a video stream.
I followed this tutorial, but it is not working: when I send the UDP stream to 172.XX.XX.XX:10009, no video is showing.
If I do sudo tcpdump -i ens5 -n udp port 10009:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:51.035226 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 1400
14:08:51.035703 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 510
(and so on....)
That means my AWS instance is receiving the video stream from my machine.
But when I do sudo tcpdump -i A5TAP -n udp port 10009, there is no traffic.
If I join the machine with the video stream to the A5TAP VPN and send the UDP stream to 192.168.233.52:10009, I can see the stream.
Thanks to maxstr's answer, the port forwarding between interfaces in the same machine worked:
sudo tcpdump -i A5TAP -n udp port 10009:
07:45:53.701800 IP 192.168.233.1.49538 > 192.168.233.52.10009: UDP, length 700
I believe what you want is the following:
sudo iptables -t nat -A OUTPUT -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
because the PREROUTING chain will not be in the path of local outbound traffic. OUTPUT will.

iptables: forward a single IP/Port to one interface, everything else to another

I am running ubuntu 16.0.4 as a wifi hotspot and to share a vpn connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the vpn connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the ubuntu box as its gateway can share the vpn.
I am also forwarding all traffic on the wireless interface through the vpn and allowing returning traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But, I want all traffic on port 32400 to be forwarded to eth0 instead, specifically IP 10.10.10.20 (and of course, allow return traffic).
With my current setup, my wireless connections on wlan0 can not see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400... or forwarding everything for a single IP(e.g. 10.10.11.200 on wlan0) to 10.10.10.20(eth0).
I've tried both the port forwarding and the IP forwarding but can't seem to get either working, as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.
These rules should do the trick, assuming the destination port is the same (32400), but I'm not sure about the order relative to your other rules:
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200
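The NAT rule sets in the first three questions share the same shape (MASQUERADE/SNAT in POSTROUTING, DNAT in PREROUTING, ACCEPT rules in FORWARD). As an added example, not code from any of the posts above, here is a small Python audit that parses iptables command lines of that form and flags the usual NAT slips: a MASQUERADE/SNAT with no `-o`, a PREROUTING DNAT with no FORWARD ACCEPT naming its target, and a FORWARD chain with no ESTABLISHED,RELATED rule. The sample rules are the ones quoted in the first (LXC) question; the "fixed" list is the same set with `-o br0`, br0 being the external bridge named there.

```python
import shlex

# Constructed sample: the NAT rules quoted in the first question (LXC on SLES) above.
LXC_RULES = [
    "iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -j MASQUERADE",
    "iptables -t nat -A PREROUTING -p tcp -d 10.31.96.176 --dport 80 -j DNAT --to 192.168.0.100",
    "iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT",
]
# Same rule set with MASQUERADE pinned to br0, the external bridge named in that question.
LXC_RULES_FIXED = [r.replace("-j MASQUERADE", "-o br0 -j MASQUERADE") for r in LXC_RULES]

def parse_rule(cmd):
    """Map one iptables command line to its options, e.g. {'table': 'nat', 'chain': 'PREROUTING',
    'p': 'tcp', 'dport': '80', 'target': 'DNAT', 'to': '192.168.0.100'}. Bare flags map to True."""
    toks = shlex.split(cmd)
    i = 2 if toks[0] == "sudo" else 1          # skip 'sudo' and the iptables binary itself
    rule = {"table": "filter"}                  # iptables default when -t is absent
    alias = {"t": "table", "A": "chain", "I": "chain", "j": "target", "jump": "target"}
    while i < len(toks):
        opt = toks[i].lstrip("-")
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        rule[alias.get(opt, opt)] = toks[i + 1] if has_val else True
        i += 2 if has_val else 1
    return rule

def audit(cmds):
    """Return a list of findings for a rule set; an empty list means no check fired."""
    rules = [parse_rule(c) for c in cmds]
    fwd = [r for r in rules if r["table"] == "filter" and r.get("chain") == "FORWARD"]
    findings = []
    if not any("ESTABLISHED" in str(r.get("state", "")) for r in fwd):
        findings.append("FORWARD has no ESTABLISHED,RELATED rule: reply traffic depends on the chain policy")
    for r in rules:
        if r["table"] != "nat":
            continue
        # Without -o, MASQUERADE/SNAT rewrites forwarded flows leaving on any interface,
        # including internal ones, not only those leaving via the external interface.
        if r.get("target") in ("MASQUERADE", "SNAT") and "o" not in r:
            findings.append("%s in %s has no -o: not limited to the external interface" % (r["target"], r["chain"]))
        # A PREROUTING DNAT still traverses FORWARD; require an ACCEPT that names the target.
        if r.get("target") == "DNAT" and r.get("chain") == "PREROUTING":
            dst = str(r.get("to-destination") or r.get("to")).split(":")[0]
            if not any(f.get("target") == "ACCEPT" and f.get("d") == dst and "state" not in f for f in fwd):
                findings.append("DNAT to %s has no FORWARD ACCEPT rule naming it" % dst)
    return findings

if __name__ == "__main__":
    for name, rules in (("as posted", LXC_RULES), ("with -o br0", LXC_RULES_FIXED)):
        print(name, "->", audit(rules) or ["no findings"])
```

The audit only reads command lines, so it can be run against a saved rule script before it is applied to the host.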

How to list network interfaces that are configured with IP with the interface name

I am looking for a command line to show the interfaces and the IP associated with each interface. I run the command ifconfig -a | grep inet, but I need to print the interface as well. How can I also print the interface name?
Command
ifconfig -a | grep inet
Input
eth1 Link encap:Ethernet HWaddr 40:A8:F0:2D:B3:98
inet addr:10.33.211.67 Bcast:10.33.211.79
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth2 Link encap:Ethernet HWaddr 8C:DC:D4:AD:A6:EF
inet addr:64.15.238.227 Bcast:64.15.238.239
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3532763832 errors:0 dropped:0 overruns:0 frame:0
eth8 Link encap:Ethernet HWaddr 40:A8:F0:2D:B3:9A
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:3532763832 errors:0 dropped:0 overruns:0 frame:0
Desired output
eth1 inet addr:10.33.211.67 Bcast:10.33.211.79 Mask:255.255.255.240
eth2 inet addr:64.15.238.227 Bcast:64.15.238.239 Mask:255.255.255.240
eth8 ---------- blank because it has not been configured
Try the following sed pipeline:
ifconfig -a | sed -n -e 's/^\([[:alnum:]]\+[[:space:]]\+\).*$/\1/p' -e 's/^[[:space:]]\+\(inet .*\)$/\1/p' | sed 'N;s/\n/ /'
The first sed command selects lines that start with an interface name or a bunch of spaces followed by inet. The second one removes every other newline from the result based on Putting Two Consecutive Lines into One Line with Perl / AWK. Output will be:
eth1 inet addr:10.33.211.67 Bcast:10.33.211.79
eth2 inet addr:64.15.238.227 Bcast:64.15.238.239
eth8
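As an added example, not part of the question or the sed answer above: a short Python parser for the same legacy ifconfig layout that keeps an interface with no IPv4 address in its place, which the line-pairing sed mispairs when such an interface is not the last one in the listing. The sample is constructed from the addresses quoted in the question, with eth8 moved to the middle and an inet6 line added to show it is skipped.

```python
# Constructed sample in the legacy ifconfig layout quoted above; eth8, the interface with no
# IPv4 address, is placed in the middle on purpose, the case that pairing lines cannot handle.
SAMPLE = """\
eth1      Link encap:Ethernet  HWaddr 40:A8:F0:2D:B3:98
          inet addr:10.33.211.67  Bcast:10.33.211.79  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth8      Link encap:Ethernet  HWaddr 40:A8:F0:2D:B3:9A
          BROADCAST MULTICAST  MTU:1500  Metric:1
eth2      Link encap:Ethernet  HWaddr 8C:DC:D4:AD:A6:EF
          inet addr:64.15.238.227  Bcast:64.15.238.239  Mask:255.255.255.240
          inet6 addr: fe80::8edc:d4ff:fead:a6ef/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

def parse_ifconfig(text):
    """Return [(interface, 'inet addr:... Bcast:... Mask:...' or None), ...] in listing order.
    A block starts at a line with no leading whitespace; 'inet6 addr:' lines are ignored."""
    entries = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            entries.append([line.split()[0], None])
        elif entries and line.lstrip().startswith("inet addr:"):
            entries[-1][1] = " ".join(line.split())   # collapse ifconfig's column padding
    return [tuple(e) for e in entries]

def format_report(text):
    """One line per interface; just the name when it has no IPv4 address."""
    return [name + " " + addr if addr else name for name, addr in parse_ifconfig(text)]

if __name__ == "__main__":
    print("\n".join(format_report(SAMPLE)))
```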

Test/Configure All NAT Scenarios (Full Cone, Port Restricted etc.) by (1) using iptables/ethernet/loopback interface

What I am trying to achieve:
Test/configure all NAT scenarios (full cone, port restricted etc.) by (1) using iptables, (2) an ethernet interface, and (3) the loopback interface (using only one machine).
Set up the following configuration:
I am running one VM in a Linux box and performed the following configuration:
Linux box IP is: 192.168.0.4
Linux box VirtualBox gateway IP is: 192.168.56.1
Running STUN server bound on: 192.168.56.1 (primary) and 192.168.0.4 (secondary) on the Linux box
Running STUN client on the VM (running on the above Linux server) at 127.0.0.1:2000, and configured iptables rules to forward loopback interface traffic to the ethernet interface (192.168.56.102) and vice versa.
Expected Result
I should be able to configure each NAT simulation via iptables/ethernet/loopback interface, with the STUN server running on the host and the STUN client running on the VM, and it should tell the type of NAT.
Actual Result
iptables does nothing with the packets in/out of the loopback interface.
The socket sendto call fails with error "error 22 invalid argument" because the socket is bound to 127.0.0.1:2000 and the destination address is 192.168.56.1.
See below in short:
[Loopback-Interface(127.0.0.1 :2000 / *Running STUN Client*/ VM) -->[*IPTABLES RULES TO/FROM*] <-- Ethernet-Interface(VM -- 192.168.56.102:2000) ==>|| ==> HOST(Gateway - 192.168.56.1:3478 - *Running STUN Server*)] ::
Example rules:
sudo iptables -t nat -A POSTROUTING -o eth0 -p udp --source 127.0.0.1 --sport 2000 -j SNAT --to-source 192.168.56.102
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --source 127.0.0.1 --sport 2001 -j SNAT --to-source 192.168.56.102
sudo iptables -t nat -A PREROUTING -i eth0 -p udp --destination 192.168.56.102 --dport 2000 -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --destination 192.168.56.102 --dport 2000 -j DNAT --to-destination 127.0.0.1
It seems iptables doesn't pick up packets from the loopback interface.
References: http://www.linuxquestions.org/questions/linux-networking-3/iptables-redirect-127-0-0-1-to-192-168-1-113-a-818817/
Please let me know if anybody can help on this.

KVM/QEMU network TAP problems with libvirt

I'm trying to use libvirt with virsh to manage my kvm/qemu vms. The problem I have is with getting it to work with public IPs. The server is running ubuntu 8.04.
libvirt keeps trying to run it as:
/usr/bin/kvm -M pc -m 256 -smp 3 -monitor pty -no-acpi \
-drive file=/opt/virtual-machines/calculon/root.qcow2,if=ide,boot=on \
-net nic,vlan=0,model=virtio -net tap,fd=10,vlan=0 -usb -vnc 127.0.0.1:0
Which boots, but does not have any network access (pings go nowhere). Running it without fd=10 makes it work right, with kvm creating the necessary TAP device for me and networking functioning inside the host. All the setup guides I've seen focus on setting up masquerading, while I just want a simple bridge and unfiltered access to the net (both the guests and host must use public IPs).
Running ifconfig on the host gives this; the bridge is manually set up in my /etc/network/interfaces file:
br0 Link encap:Ethernet HWaddr 00:1e:c9:3c:59:b8
inet addr:12.34.56.78 Bcast:12.34.56.79 Mask:255.255.255.240
inet6 addr: fe80::21e:c9ff:fe3c:59b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3359 errors:0 dropped:0 overruns:0 frame:0
TX packets:3025 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:180646 (176.4 KB) TX bytes:230908 (225.4 KB)
eth0 Link encap:Ethernet HWaddr 00:1e:c9:3c:59:b8
inet6 addr: fe80::21e:c9ff:fe3c:59b8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6088386 errors:0 dropped:0 overruns:0 frame:0
TX packets:3058 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:680236624 (648.7 MB) TX bytes:261696 (255.5 KB)
Interrupt:33
Any help would be greatly appreciated.
I followed the bridged networking guide at https://help.ubuntu.com/community/KVM and have the following in /etc/network/interfaces:
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
I have not changed any libvirt network settings and my kvm images are booted like:
/usr/bin/kvm -M pc -no-kqemu -m 256 -smp 1 -monitor pty -boot c -hda \
/libvirt/apt.img -net nic,macaddr=00:16:3e:77:32:1d,vlan=0 -net \
tap,fd=11,script=,vlan=0 -usb -vnc 127.0.0.1:0
I then specify the static network settings in the kvm image as normal. It has all worked OK since I followed the guide.
I do have the following settings in my xml files in /etc/libvirt/qemu/ though under devices:
<interface type='bridge'>
<mac address='00:16:3e:77:32:1d'/>
<source bridge='br0'/>
</interface>
I guess your tap device should be shown in ifconfig.
Run "brctl show";
it will show the bridge and tunnel device connections.
You may have to put in an iptables entry so that all the packets will be routed through the bridge:
iptables -I INPUT -i br0 -j ACCEPT