[pve-devel] pvefw: masquerade problems and conntrack zones

Alexandre DERUMIER aderumier at odiso.com
Tue Mar 11 10:57:44 CET 2014


Ok, I have done some tests with a simple bridge setup, and all is working fine for me.


tap110i0 (10.2.0.100)---->vmbr14(10.2.0.1)  <routing>   (10.3.94.31)vmbr1----->eth0---------physical switch--------external host(10.3.94.47 + route add 10.2.0.100/32 gw 10.3.94.31)



host configuration
------------------

auto vmbr1
iface vmbr1 inet static
        bridge_ports eth0
        address 10.3.94.31
        netmask 255.255.255.0
        gateway 10.3.94.1
        bridge_stp off
        bridge_fd 0

auto vmbr14
iface vmbr14 inet static
        address 10.2.0.1
        netmask 255.255.255.0
        bridge_stp off
        bridge_fd 0

iptables -t nat -A POSTROUTING -j LOG --log-prefix "POSTROUTING: "
iptables -t nat -A POSTROUTING -s '10.2.0.100/32' -o vmbr1 -j MASQUERADE


guest network configuration (tap on bridge vmbr14)
-----------------------------------
iface eth0 inet static
      address 10.2.0.100
      netmask 255.255.255.0
      gateway 10.2.0.1



guest firewall
---------------         
# Example VM firewall configuration

[OPTIONS]

# disable/enable the whole thing
enable: 1

# disable/enable MAC address filter
macfilter: 0

# default policy
policy_in: DROP
policy_out: REJECT

# log dropped incoming connection
log_level_in: info

# disable log for outgoing connections
log_level_out: info

# filter SMURFS
nosmurfs: 1

# filter illegal combinations of TCP flags
tcpflags: 1

# enable DHCP
dhcp: 1


[RULES]

OUT Ping(ACCEPT) net0




ping test from guest (ping 10.3.94.47)
---------------------------------
If I don't authorize outgoing ping, the packet is dropped in the FORWARD chain:
tap110i0-OUT-reject: IN=vmbr14 OUT=vmbr1 PHYSIN=tap110i0 MAC=66:21:64:58:7b:b4:1e:0b:85:27:8d:65:08:00 SRC=10.2.0.100 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62770 DF PROTO=ICMP TYPE=8 CODE=0 ID=2012 SEQ=1


If I allow ping, I see the packet going through POSTROUTING:
POSTROUTING: IN= OUT=vmbr1 PHYSIN=tap110i0 SRC=10.2.0.100 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62719 DF PROTO=ICMP TYPE=8 CODE=0 ID=2010 SEQ=1 MARK=0x1


On the target host, without masquerade:
10:42:13.181907 IP 10.2.0.100 > 10.3.94.47: ICMP echo request, id 2024, seq 1, length 64

On the target host, with masquerade:
10:42:13.181907 IP 10.3.94.31 > 10.3.94.47: ICMP echo request, id 2024, seq 1, length 64


So routing is working fine, with or without SNAT.



----- Original message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 11 March 2014 09:20:08
Subject: Re: [pve-devel] pvefw: masquerade problems and conntrack zones

Ok, perfect.

Last question: why don't we set up the public IP directly on the eth0 interface, instead of using pm0-pm1peer?


----- Original message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 11 March 2014 09:10:37
Subject: RE: [pve-devel] pvefw: masquerade problems and conntrack zones

> Ok, thanks, I'll build the same setup.
> (Is the pm0 address in the same range as pm1?)

No, that is another network (public internet).

> If I understand, the VM tap is plugged into vmbr1, and NAT must be done on the
> veth pair?

Yes.
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
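The test in the message above checks SNAT by hand: read the netfilter LOG line in POSTROUTING, then look at the source address tcpdump shows on the far host. The following script automates that comparison. It is an added example, not code from the pve-devel thread or from Proxmox: the sample lines are copied from the message (labelled as constructed input), the MASQUERADE rule and interface addresses are taken from the posted host configuration, and all function names (`parse_nflog`, `parse_tcpdump`, `expected_source`, `check_capture`) are hypothetical. It generalizes the single case in the mail: any POSTROUTING LOG line is matched against the `-s`/`-o` selectors of the rule, and the far-end source is predicted from the outgoing interface's address, which is what MASQUERADE substitutes.

```python
"""Check whether MASQUERADE actually rewrote a packet's source address.

Added example for the pve-devel masquerade test, not project code.
Input: a kernel LOG line from the nat POSTROUTING chain plus the
tcpdump line seen on the far host. Output: whether the observed
source matches what the MASQUERADE rule should have produced.
"""
from ipaddress import ip_address, ip_network

# Constructed sample input: the lines posted in the message above.
REJECT_LOG = ('tap110i0-OUT-reject: IN=vmbr14 OUT=vmbr1 PHYSIN=tap110i0 '
              'MAC=66:21:64:58:7b:b4:1e:0b:85:27:8d:65:08:00 SRC=10.2.0.100 '
              'DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62770 DF '
              'PROTO=ICMP TYPE=8 CODE=0 ID=2012 SEQ=1')
POSTROUTING_LOG = ('POSTROUTING: IN= OUT=vmbr1 PHYSIN=tap110i0 SRC=10.2.0.100 '
                   'DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=62719 DF '
                   'PROTO=ICMP TYPE=8 CODE=0 ID=2010 SEQ=1 MARK=0x1')
TCPDUMP_NO_MASQ = ('10:42:13.181907 IP 10.2.0.100 > 10.3.94.47: '
                   'ICMP echo request, id 2024, seq 1, length 64')
TCPDUMP_MASQ = ('10:42:13.181907 IP 10.3.94.31 > 10.3.94.47: '
                'ICMP echo request, id 2024, seq 1, length 64')

# From: iptables -t nat -A POSTROUTING -s 10.2.0.100/32 -o vmbr1 -j MASQUERADE
MASQ_RULE = {'src': '10.2.0.100/32', 'out': 'vmbr1'}
# Primary addresses from the posted host configuration.
IFACE_ADDRS = {'vmbr1': '10.3.94.31', 'vmbr14': '10.2.0.1'}


def parse_nflog(line):
    """Split a kernel LOG line into (log prefix, dict of KEY=value fields).

    Bare tokens such as DF are collected under 'flags'. A key that repeats
    (ID is both the IP id and the ICMP id) gets a numeric suffix: ID, ID2.
    """
    prefix, _, body = line.partition(': ')
    fields, flags = {}, []
    for tok in body.split():
        if '=' not in tok:
            flags.append(tok)
            continue
        key, _, value = tok.partition('=')
        name, n = key, 2
        while name in fields:
            name, n = f'{key}{n}', n + 1
        fields[name] = value          # IN= yields an empty string, as in the log
    fields['flags'] = flags
    return prefix, fields


def classify_prefix(prefix):
    """Split a pvefw log prefix like 'tap110i0-OUT-reject' into (iface, direction, action)."""
    iface, direction, action = prefix.rsplit('-', 2)
    return iface, direction, action


def parse_tcpdump(line):
    """Extract timestamp, src and dst from a 'HH:MM:SS.us IP a > b: ...' tcpdump line."""
    ts, _, rest = line.partition(' IP ')
    endpoints, _, payload = rest.partition(': ')
    src, _, dst = endpoints.partition(' > ')
    return {'ts': ts, 'src': src, 'dst': dst, 'rest': payload}


def rule_matches(fields, rule):
    """True if the packet matches the rule's -s network and -o interface."""
    return (fields.get('OUT') == rule['out']
            and ip_address(fields['SRC']) in ip_network(rule['src']))


def expected_source(fields, rule, iface_addrs, masquerade=True):
    """Source the far host should see. MASQUERADE replaces SRC with the
    address of the outgoing interface when the rule matches; otherwise
    the original source is routed unchanged."""
    if masquerade and rule_matches(fields, rule):
        return iface_addrs[fields['OUT']]
    return fields['SRC']


def check_capture(post_log, capture, rule, iface_addrs, masquerade=True):
    """Compare a POSTROUTING LOG entry with the tcpdump line on the far host.

    Returns (ok, expected_src, observed_src). ok is False when the far host
    still sees the private source although the MASQUERADE rule should have
    matched, i.e. SNAT did not happen for that packet.
    """
    _, fields = parse_nflog(post_log)
    observed = parse_tcpdump(capture)['src']
    expected = expected_source(fields, rule, iface_addrs, masquerade)
    return observed == expected, expected, observed


if __name__ == '__main__':
    print(classify_prefix(parse_nflog(REJECT_LOG)[0]))
    print(check_capture(POSTROUTING_LOG, TCPDUMP_NO_MASQ, MASQ_RULE, IFACE_ADDRS, masquerade=False))
    print(check_capture(POSTROUTING_LOG, TCPDUMP_MASQ, MASQ_RULE, IFACE_ADDRS))
    print(check_capture(POSTROUTING_LOG, TCPDUMP_NO_MASQ, MASQ_RULE, IFACE_ADDRS))
```

The last call is the interesting one: a POSTROUTING line that matched the rule paired with a far-end capture that still shows 10.2.0.100 means the packet passed the nat hook but was not rewritten, which is the symptom to look for when conntrack (and with it NAT, which depends on the conntrack entry) is not seeing the flow.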
