Hi all. Sorry to be a bother, but I have the feeling I'm overlooking something incredibly simple.

Background: I have a KVM Linux host with a guest LAMP server. I simply want to forward all web traffic that arrives at the host to the guest. The guest works fine; I can connect to the webpage from within my net. If I temporarily hack the DNAT rules to a source of "all", I can web from the host to the guest just fine as well. Shorewall on the host is starting just fine. Shorewall is filtering a few things I asked it to just fine. Shorewall dump attached.

I can see port 80 requests coming into the host via tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:13:55.404486 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629582802 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:13:56.530815 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629582915 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:13:58.797613 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629583141 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:14:03.298603 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [S], seq 2539820123, win 32850, options [mss 1360,nop,nop,TS val 629583592 ecr 0,nop,wscale 2,nop,nop,sackOK], length 0
01:14:05.105427 IP 66.87.97.186.60004 > 66.128.118.35.http: Flags [R], seq 2539820124, win 32850, length 0

When I do web over to the host, nothing happens. No client error (other than an eventual timeout), no host dmesg output, nothing beyond the above tcpdump-type output. This is also reflected by running a "tcpdump 'tcp port 80'" command on the guest, which sees no activity.
Critical files:

[Masq]
eth0 br0 66.128.118.35

[Interfaces]
net eth0 detect
loc br0 detect bridge

[Rules]
DNAT net loc:10.184.155.34:80 tcp 80
DNAT net loc:10.184.155.34:443 tcp 443
ACCEPT loc fw tcp 52
ACCEPT fw net udp domain
ACCEPT fw net tcp domain
ACCEPT all all udp ntp
ACCEPT all all icmp 8

Can somebody point out what I'm missing? I suspect it's something quite obvious, but I'm just not seeing it. Please let me know if you need any more information. I thought this would be quick and easy about 6 hours ago... lol.

Thanks in advance.

Kevin

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
On 10/06/2012 11:28 PM, Kevin Carpenter wrote:
> Can somebody point out what I'm missing? I suspect it's something quite
> obvious, but I'm just not seeing it. Please let me know if you need any
> more information. I thought this would be quick and easy about 6 hours
> ago... lol.

Hi Kevin,

You have erroneously configured a default route out of br0. Remove it and DNAT should begin working.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Thanks Tom.

Ended up being that combined with a default route on the GUEST that pointed to another machine instead of the HOST. Oops.

Out of curiosity: Is it more appropriate for the GUEST to default route back to the eth1 address or to the bridge address on the HOST? I have it set to the eth1 address and all is working, just curious if that was the "right" way.

Thanks,
Kevin

On 10/7/2012 9:00 AM, Tom Eastep wrote:
> On 10/06/2012 11:28 PM, Kevin Carpenter wrote:
>
>> Can somebody point out what I'm missing? I suspect it's something quite
>> obvious, but I'm just not seeing it. Please let me know if you need any
>> more information. I thought this would be quick and easy about 6 hours
>> ago... lol.
> Hi Kevin,
>
> You have erroneously configured a default route out of br0. Remove it
> and DNAT should begin working.
>
> -Tom
On 10/7/12 12:44 PM, Kevin Carpenter wrote:
> Thanks Tom.
>
> Ended up being that combined with a default route on the GUEST that
> pointed to another machine instead of the HOST. Oops.
>
> Out of curiosity: Is it more appropriate for the GUEST to default route
> back to the eth1 address or to the bridge address on the HOST? I have
> it set to the eth1 address and all is working, just curious if that was
> the "right" way.

In your case, eth1 is bridged so it really shouldn't have an ip address at all.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
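As an added example for this thread (not Tom's or Kevin's code, and not part of Shorewall), the script below checks a KVM host and its bridged guest for the three routing mistakes the thread uncovered: a host default route leaving via br0 instead of eth0, a bridge port (eth1) that still carries its own IP address, and a guest default route that points somewhere other than the host's bridge address. It parses the text of `ip -o route show`, `ip -o link show` and `ip -o -4 addr show` passed in as strings, so it runs offline; all the sample output is constructed. The interface names eth0/eth1/br0 and the guest address 10.184.155.34 come from the thread; the host bridge address 10.184.155.1, the WAN gateway and the MAC addresses are assumptions.

```shell
#!/bin/sh
# Added example: audit host/guest routing state for the problems found in the thread.
# Not Shorewall code.  Interface names come from the thread; addresses marked
# "assumed" are constructed for the example.

WAN_IF="eth0"               # host's external interface (from the masq file)
BRIDGE_IF="br0"             # bridge the guest hangs off
HOST_BR_IP="10.184.155.1"   # assumed address of br0 on the host

# 1. Host: every default route must leave via the WAN interface, never via the
#    bridge.  Prints offending devices; returns 1 if any are found.
check_host_default_route() {
    bad=$(printf '%s\n' "$1" | awk -v wan="$WAN_IF" '
        $1 == "default" { for (i = 1; i < NF; i++)
                              if ($i == "dev" && $(i+1) != wan) print $(i+1) }')
    [ -z "$bad" ] && return 0
    for dev in $bad; do
        echo "HOST: default route leaves via $dev, expected $WAN_IF"
    done
    return 1
}

# 2. Host: interfaces enslaved to the bridge ("master br0" in `ip -o link`)
#    should carry no IPv4 address of their own.  $1 = link output, $2 = addr output.
check_bridge_ports() {
    ports=$(printf '%s\n' "$1" | awk -v br="$BRIDGE_IF" '
        { for (i = 1; i < NF; i++)
              if ($i == "master" && $(i+1) == br) { sub(/:$/, "", $2); print $2 } }')
    rc=0
    for p in $ports; do
        addr=$(printf '%s\n' "$2" | awk -v p="$p" '$2 == p && $3 == "inet" { print $4 }')
        if [ -n "$addr" ]; then
            echo "HOST: bridge port $p has address $addr; it should be unaddressed"
            rc=1
        fi
    done
    return $rc
}

# 3. Guest: its default route must point at the host's bridge address.
check_guest_default_route() {
    gw=$(printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i < NF; i++) if ($i == "via") print $(i+1) }')
    [ "$gw" = "$HOST_BR_IP" ] && return 0
    echo "GUEST: default route via '${gw:-none}', expected $HOST_BR_IP"
    return 1
}

# Run all three checks; returns 0 only if every one passes.
audit() {
    ok=0
    check_host_default_route "$1" || ok=1
    check_bridge_ports "$2" "$3"  || ok=1
    check_guest_default_route "$4" || ok=1
    return $ok
}

# Constructed sample output.  The broken host has a second default route out of
# br0 and an address on the bridge port eth1; the broken guest routes to a
# neighbour instead of the host (assumed gateway 66.128.118.1 on the WAN side).
HOST_ROUTES_BAD='default via 66.128.118.1 dev eth0
default via 10.184.155.254 dev br0
66.128.118.0/24 dev eth0 proto kernel scope link src 66.128.118.35
10.184.155.0/24 dev br0 proto kernel scope link src 10.184.155.1'
HOST_ROUTES_OK='default via 66.128.118.1 dev eth0
66.128.118.0/24 dev eth0 proto kernel scope link src 66.128.118.35
10.184.155.0/24 dev br0 proto kernel scope link src 10.184.155.1'
HOST_LINKS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff'
HOST_ADDRS_BAD='2: eth0    inet 66.128.118.35/24 brd 66.128.118.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.184.155.2/24 brd 10.184.155.255 scope global eth1\       valid_lft forever preferred_lft forever
4: br0    inet 10.184.155.1/24 brd 10.184.155.255 scope global br0\       valid_lft forever preferred_lft forever'
HOST_ADDRS_OK='2: eth0    inet 66.128.118.35/24 brd 66.128.118.255 scope global eth0\       valid_lft forever preferred_lft forever
4: br0    inet 10.184.155.1/24 brd 10.184.155.255 scope global br0\       valid_lft forever preferred_lft forever'
GUEST_ROUTES_BAD='default via 10.184.155.9 dev eth0
10.184.155.0/24 dev eth0 proto kernel scope link src 10.184.155.34'
GUEST_ROUTES_OK='default via 10.184.155.1 dev eth0
10.184.155.0/24 dev eth0 proto kernel scope link src 10.184.155.34'

echo "--- broken configuration ---"
audit "$HOST_ROUTES_BAD" "$HOST_LINKS" "$HOST_ADDRS_BAD" "$GUEST_ROUTES_BAD" \
    || echo "DNAT to the guest will not work until the above are fixed"
echo "--- corrected configuration ---"
audit "$HOST_ROUTES_OK" "$HOST_LINKS" "$HOST_ADDRS_OK" "$GUEST_ROUTES_OK" && echo "no findings"
```

On a live host the same functions can be fed real output, for example `check_host_default_route "$(ip -o route show)"`, and run on the guest with its own `ip -o route show`; the first check is the one Tom's reply points at, the second is the "bridged eth1 shouldn't have an ip address" point from his last reply.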