"Connection refused" when connecting from VE to host's public IP [message #50964]
Sun, 15 December 2013 00:44
Ventzy
Hello,
I have my network config like this: a single public IP address assigned to the host (eth0), and multiple VEs in a private network with IPs like 10.0.X.X. I have apache in one VE, mysql in another, and so on. I have port forwarding on the host for apache like this:
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 -j DNAT --to 10.0.0.3:80
This works as expected: I can access web sites hosted on 10.0.0.3 from outside through the host's public IP, and 10.0.0.3 connects successfully to the Internet. The problem is that I cannot connect from a VE to the public IP of the host. Let's say my public IP is 1.1.1.1; then I get this from 10.0.0.3:
root@apache:/# telnet 1.1.1.1 80
Trying 1.1.1.1...
telnet: Unable to connect to remote host: Connection refused
What I want to do in the end is to load a web page from within 10.0.0.3 that is hosted on 10.0.0.3. I have the domain mydomain.com, which resolves to 1.1.1.1, and when I try to load http://mydomain.com/ from 10.0.0.3, the domain is resolved to 1.1.1.1 and the connection is refused, as in the telnet example.
I can work around the problem if in 10.0.0.3's /etc/hosts I add
I don't like that solution, because I have hundreds of sites and for every new site I must alter the hosts file. Besides, if some other software needs to create a connection to 1.1.1.1, it will fail.
I use Proxmox 3.1, and here is my /etc/network/interfaces on the host:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 1.1.1.1
    netmask 255.255.255.240
    gateway 2.2.2.2
    post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/16' -o eth0 -j MASQUERADE
And on the container:
auto lo
iface lo inet loopback

# Auto generated venet0 interface
auto venet0
iface venet0 inet manual
    up ifconfig venet0 up
    up ifconfig venet0 127.0.0.2
    up route add default dev venet0
    down route del default dev venet0
    down ifconfig venet0 down

iface venet0 inet6 manual
    up route -A inet6 add default dev venet0
    down route -A inet6 del default dev venet0

auto venet0:0
iface venet0:0 inet static
    address 10.0.0.3
    netmask 255.255.255.255
Here is the output of the command iptables -t nat -L && iptables -t filter -L && iptables -t mangle -L:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:mysql to:10.0.0.2:3306
DNAT tcp -- anywhere anywhere tcp dpt:https to:10.0.0.3:443
DNAT tcp -- anywhere anywhere tcp dpt:http to:10.0.0.3:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/16 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
How can I solve the problem?
Re: "Connection refused" when connecting from VE to host's public IP [message #50980 is a reply to message #50975]
Mon, 16 December 2013 12:18
Ventzy
grep wrote on Mon, 16 December 2013 09:52:
> So your server answers.
> Can you ssh into it? Is only http refused?
> iptables from ve (iptables-save in terminal to show all)?
I get "Connection refused" from the VE to the host for all ports that were redirected on the host with
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 80 -j DNAT --to 10.0.0.3:80
I have no such forwarding rule on port 22, so I have no problem there. Here is a summary of the different scenarios:

                      | Non-redirected port (22) | Redirected port (80) |
----------------------+--------------------------+----------------------+
Outside -> Host       | OK                       | OK                   |
5.6.7.8 -> 1.1.1.1    |                          |                      |
----------------------+--------------------------+----------------------+
VE -> Host            | OK                       | Connection refused   |
10.0.0.3 -> 1.1.1.1   |                          |                      |
----------------------+--------------------------+----------------------+

There are no iptables rules in the VE.
I am far from an expert in this and may be wrong, but I suspect that I have a "NAT loopback" issue like the one described here: http://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback
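A constructed model of the NAT loopback situation in this thread (added here; not code from the thread or from Proxmox/OpenVZ). It walks a SYN from 5.6.7.8 or from 10.0.0.3 through a simplified PREROUTING/routing/POSTROUTING decision and reproduces the scenario table above; the rule dictionaries are a stand-in for iptables syntax, and the host's internal-side address 10.0.0.1 used as the SNAT source is an assumption.

```python
# Topology from the thread: host is 1.1.1.1 on eth0 and 10.0.0.1 on the internal side,
# the VE is 10.0.0.3 and its traffic reaches the host through venet0.
PUBLIC, HOST_LAN, VE, OUTSIDE = "1.1.1.1", "10.0.0.1", "10.0.0.3", "5.6.7.8"
HOST_LISTENING = {22}  # sshd runs on the host; apache lives in the VE, so nothing listens on 80

# The thread's actual rule: "-i eth0" means it only matches packets entering through eth0.
CURRENT_RULES = [{"in": "eth0", "dst": PUBLIC, "dport": 80, "to": VE}]
# Hairpin variant: match on destination address instead of ingress interface, and SNAT
# (a MASQUERADE restricted to -s 10.0.0.0/16 in POSTROUTING) the forwarded packet so the
# VE's reply comes back through the host, where conntrack undoes both translations.
HAIRPIN_RULES = [{"in": None, "dst": PUBLIC, "dport": 80, "to": VE, "snat": True}]
# Hairpin DNAT without the POSTROUTING SNAT, to show why the SNAT is needed.
DNAT_ONLY_RULES = [{"in": None, "dst": PUBLIC, "dport": 80, "to": VE, "snat": False}]

def is_internal(ip):
    return ip.startswith("10.0.")

def prerouting(pkt, rules):
    """First matching rule rewrites the destination, like nat/PREROUTING DNAT."""
    for r in rules:
        if r["in"] in (None, pkt["in"]) and (r["dst"], r["dport"]) == (pkt["dst"], pkt["dport"]):
            # SNAT is only applied to internal sources (the "-s 10.0.0.0/16" match).
            return dict(pkt, dst=r["to"], snat=bool(r.get("snat")) and is_internal(pkt["src"]))
    return pkt

def connect(src, dst, dport, rules):
    """Outcome of a TCP SYN from src to dst:dport: 'accepted', 'refused' or 'reply-mismatch'."""
    pkt = {"src": src, "dst": dst, "dport": dport, "snat": False,
           "in": "venet0" if is_internal(src) else "eth0"}
    pkt = prerouting(pkt, rules)
    if pkt["dst"] in (PUBLIC, HOST_LAN):
        # Routing decision: local delivery -> filter/INPUT. With no listener the kernel
        # answers with RST, which telnet reports as "Connection refused".
        return "accepted" if dport in HOST_LISTENING else "refused"
    # Forwarded to the VE. With SNAT the VE sees the host as the client; otherwise it sees src.
    reply_to = HOST_LAN if pkt["snat"] else src
    # The reply only passes back through the host (and gets un-DNATed) if it is addressed
    # to the host or to something outside the internal network.
    if reply_to == HOST_LAN or not is_internal(reply_to):
        return "accepted"
    # The reply goes straight from 10.0.0.3 to 10.0.0.3: the client expected it from
    # 1.1.1.1:80, so the stack resets the connection.
    return "reply-mismatch"

def scenario_table(rules):
    """Rebuild the thread's scenario table (source, port) -> outcome for one rule set."""
    return {(src, port): connect(src, PUBLIC, port, rules) for src in (OUTSIDE, VE) for port in (22, 80)}

if __name__ == "__main__":
    for name, rules in (("current", CURRENT_RULES), ("hairpin", HAIRPIN_RULES), ("dnat-only", DNAT_ONLY_RULES)):
        print(name, scenario_table(rules))
```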