Hi!
I have a server with Proxmox. I have an OpenVZ configuration with many VE with NAT.
But I have a problem with my network configuration!
We have an Apache on a VE (prod-web-1) and I can't get access to a domain (tutu.fr for example) hosted on this VE (using the public IP A.B.C.D) from this VE:
root@prod-web-1:~# telnet tutu.fr 80
Trying A.B.C.D...
It's OK when we use localhost or the private IP of the VE (192.168.0.101):
root@prod-web-1:~# telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
root@prod-web-1:~# telnet 192.168.0.101 80
Trying 192.168.0.101...
Connected to 192.168.0.101.
Escape character is '^]'.
It works from the node (tanenbaum):
root@tanenbaum:~# telnet tutu.fr 80
Trying A.B.C.D...
Connected to tutu.fr.
Escape character is '^]'.
and from other VEs (prod-bdd-1 for example):
root@prod-bdd-1:~# telnet tutu.fr 80
Trying A.B.C.D...
Connected to tutu.fr.
Escape character is '^]'.
My configuration:
NAT:
root@tanenbaum:~# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 69 packets, 4311 bytes)
pkts bytes target prot opt in out source destination
86 4584 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpt:http to:192.168.0.101:80
0 0 DNAT tcp -- eth0 any anywhere srv1.toto.fr tcp dpt:ftp to:192.168.0.101:21
0 0 DNAT tcp -- eth0 any anywhere srv1.toto.fr tcp dpts:4242:4300 to:192.168.0.101
Chain POSTROUTING (policy ACCEPT 247 packets, 27946 bytes)
pkts bytes target prot opt in out source destination
13 819 SNAT all -- any any 192.168.0.0/24 !192.168.0.0/24 to:A.B.C.D
Chain OUTPUT (policy ACCEPT 117 packets, 20722 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpt:http to:192.168.0.101:80
0 0 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpt:ftp to:192.168.0.101:21
0 0 DNAT tcp -- any any anywhere srv1.toto.fr tcp dpts:4242:4300 to:192.168.0.101
Filter:
root@tanenbaum:~# iptables -L -v
Chain INPUT (policy DROP 3 packets, 152 bytes)
pkts bytes target prot opt in out source destination
44 3710 ACCEPT all -- lo any anywhere anywhere
437 34317 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https state NEW
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:6984 state NEW
0 0 ACCEPT tcp -- eth0 any cache.ovh.net anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8006 state NEW
12 952 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any torvalds.toto.fr anywhere tcp dpt:mysql state NEW
0 0 ACCEPT all -- any any 192.168.0.0/24 anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
15265 9481K ACCEPT all -- any any 192.168.0.0/24 anywhere
1714 568K ACCEPT all -- any any anywhere 192.168.0.0/24
Chain OUTPUT (policy ACCEPT 156 packets, 26429 bytes)
pkts bytes target prot opt in out source destination
44 3710 ACCEPT all -- any lo anywhere anywhere
415 156K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
IP forwarding is enabled:
echo "1" > /proc/sys/net/ipv4/ip_forward
Network configuration:
root@tanenbaum:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address E.F.G.H
netmask 255.255.255.0
network E.F.G.0
broadcast E.F.G.255
gateway E.F.G.254
# IP Failover
post-up /sbin/ifconfig eth0:0 A.B.C.D netmask 255.255.255.255 broadcast A.B.C.D
post-down /sbin/ifconfig eth0:0 down
post-up /sbin/ifconfig eth0:1 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
post-down /sbin/ifconfig eth0:1 down
The routing table from the node:
root@tanenbaum:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
prod-infra-1 * 255.255.255.255 UH 0 0 0 venet0
bck-bdd-1 * 255.255.255.255 UH 0 0 0 venet0
prod-bdd-1 * 255.255.255.255 UH 0 0 0 venet0
prod-mail-1 * 255.255.255.255 UH 0 0 0 venet0
prod-web-1 * 255.255.255.255 UH 0 0 0 venet0
E.F.G.0 * 255.255.255.0 U 0 0 0 eth0
default E.F.G.254 0.0.0.0 UG 0 0 0 eth0
The whole table:
root@tanenbaum:~# ip route list table all
192.168.0.104 dev venet0 scope link
192.168.0.112 dev venet0 scope link
192.168.0.102 dev venet0 scope link
192.168.0.103 dev venet0 scope link
192.168.0.101 dev venet0 scope link
E.F.G.0/24 dev eth0 proto kernel scope link src E.F.G.H
default via E.F.G.254 dev eth0
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast E.F.G.255 dev eth0 table local proto kernel scope link src E.F.G.H
local A.B.C.D dev eth0 table local proto kernel scope host src A.B.C.D
broadcast A.B.C.D dev eth0 table local proto kernel scope link src A.B.C.D
broadcast E.F.G.0 dev eth0 table local proto kernel scope link src E.F.G.H
local E.F.G.H dev eth0 table local proto kernel scope host src E.F.G.H
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
2001:41d0:8:e9b5::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
2001:41d0:8:e9ff:ff:ff:ff:ff dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 0
fe80::1 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via 2001:41d0:8:e9ff:ff:ff:ff:ff dev eth0 metric 1024 mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local 2001:41d0:8:e9b5::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::222:4dff:fea0:f88e via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev venet0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101 hoplimit 255
I have tried a lot of things but I am still not able to get full access to my sites from my Apache VE (prod-web-1).
Do you have an idea?
Thanks!
Romain
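Editor's note, added after the post and not part of the original message. The rule set shown is consistent with a hairpin NAT (NAT loopback) problem: a connection from prod-web-1 to A.B.C.D is DNATed in PREROUTING to 192.168.0.101:80 and forwarded back into the same VE, but the POSTROUTING SNAT only matches destinations outside 192.168.0.0/24, so the packet arrives with source 192.168.0.101 and the VE answers itself directly, never passing back through the node where conntrack could reverse the DNAT. Other VEs work because their replies do transit the node. The usual fix is a second SNAT rule that rewrites the source of hairpinned connections to the node's private address (192.168.0.1 from the interfaces file), so replies return via venet0. The script below is an added example, not the poster's configuration: it generates the rules for the three DNATed port sets from the post and applies them idempotently with `iptables -C`. Whether this is the actual cause on Romain's node is an inference from the counters and rules shown, not something the post confirms.

```shell
#!/bin/sh
# Hairpin (NAT-loopback) SNAT rules for a Proxmox/OpenVZ NAT node.
# Addresses are the ones from the post: private range 192.168.0.0/24,
# node-side address 192.168.0.1 (eth0:1), web VE 192.168.0.101.
# The DNATed ports (80, 21, 4242:4300) are also taken from the post.
LAN_NET="192.168.0.0/24"
HOST_LAN_IP="192.168.0.1"
WEB_VE="192.168.0.101"
IPT="iptables"

# Print one POSTROUTING SNAT rule without executing it, so the
# generated rules can be reviewed before touching the live table.
# $1 = protocol, $2 = destination port or range (iptables syntax),
# $3 = internal VE address the DNAT rule points at.
# The match is on the post-DNAT destination, which is what
# POSTROUTING sees, and is restricted to sources inside LAN_NET so
# Internet clients keep their real source address.
hairpin_rule() {
    printf '%s -t nat -A POSTROUTING -s %s -d %s -p %s --dport %s -j SNAT --to-source %s\n' \
        "$IPT" "$LAN_NET" "$3" "$1" "$2" "$HOST_LAN_IP"
}

# One rule per DNAT target from the post's PREROUTING chain.
hairpin_rules() {
    hairpin_rule tcp 80 "$WEB_VE"
    hairpin_rule tcp 21 "$WEB_VE"
    hairpin_rule tcp 4242:4300 "$WEB_VE"
}

# Apply the rules, skipping any that already exist.
# 'iptables -C' returns 0 when an identical rule is present, which
# keeps the script safe to re-run from a post-up hook.
apply_hairpin_rules() {
    hairpin_rules | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        if $check >/dev/null 2>&1; then
            echo "exists: $rule"
        else
            $rule
        fi
    done
}

case "${1:-}" in
    apply) apply_hairpin_rules ;;
    *) hairpin_rules ;;
esac
```

Run it without arguments to see the rules, and as `sh hairpin.sh apply` on the node (as root) to install them; the existing FORWARD chain already accepts both directions inside 192.168.0.0/24, so no filter change is needed. Two caveats: with this SNAT, Apache on prod-web-1 logs 192.168.0.1 as the client for every connection that originated inside the private network (including from other VEs on the matched ports), so if accurate client addresses matter, the alternative is split-horizon DNS, i.e. making tutu.fr resolve to 192.168.0.101 inside the VEs (for example via /etc/hosts) so the traffic never hairpins at all.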