Web server on virtual box - iptables design question

Hi guys,

I have F11 on the physical box and under KVM I have a virtual system where I run Apache as a web server. The physical box has two public IPs - one is used for physical box management, another (VDMZ_PUBL_IP) is used to access the virtual system. The virtual system itself has private IPs, so I have NAT configured in IPTABLES. It also means that the virtual system is not aware of its public IP and it "thinks" it has only the private IP. Also please note, to make things simple - I do not have IPTABLES rules set on the virtual server - all rules are set on the physical server only.

First I made SSH work so I can log in to the virtual system - it works fine. Then (using similar rules) I configured Apache on the virtual box - and it works from outside as expected.

However, before I set up the web application from outside successfully, I was forced to set up a fixed URI link in my application - which I did as http://public_IP/ to make it work from outside.
My (design) problem occurred when I discovered that actually I cannot access my application using the public IP directly from the virtual system (= from inside) - as I have no rules for this situation.

I tried to add some - but it did not work, however I'm in doubt if it can work at all:

My idea was to set a rule in PREROUTING (on the physical box) in such a way that if the virtual server tries to access its own public address, it will be changed back to the private one and (hopefully) forwarded back:
I tried both of the rules below (one at a time) and none really worked:
iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in vnet1 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP
iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

However, now I'm in doubt whether this is possible at all:
- Will iptables allow packet to be forwarded back to the same interface where it was received from?
- Or should I set some rules in Apache itself using mod_rewrite? (so in such a case packet won't leave the virtual machine)
- Are there any risks with that when I decide to use HTTPS? (However HTTP only from inside of the virtual system and HTTPS from outside is acceptable as well)

Is there any other solution so I can access my own system from the virtual system using its public IP?

Thank you in advance,

iaiv
-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
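The NAT loopback ("hairpin") rule set the question above is circling around, as an added example that is not part of the original post or of any Fedora documentation: it keeps the poster's PREROUTING DNAT for traffic arriving on virbr0 and adds the POSTROUTING SNAT without which the guest's reply bypasses the host and the connection is reset. The addresses (203.0.113.10 as VDMZ_PUBL_IP, 192.168.122.10 as VDMZ_PRIV_IP, 192.168.122.1 as the host's own virbr0 address) are constructed placeholders, and DRY_RUN is a convention of this script only, not an iptables option.

```shell
#!/bin/sh
# Hairpin NAT for a KVM guest that contacts its own public address.
# Constructed example addresses; VIRBR_IP is the assumed libvirt default.
VDMZ_PUBL_IP="${VDMZ_PUBL_IP:-203.0.113.10}"
VDMZ_PRIV_IP="${VDMZ_PRIV_IP:-192.168.122.10}"
VIRBR_IP="${VIRBR_IP:-192.168.122.1}"
BRIDGE="${BRIDGE:-virbr0}"

# DRY_RUN=1 prints the rules instead of applying them (script convention,
# not an iptables flag), so the rule set can be reviewed before loading.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

hairpin_rules() {
    # 1. Guest -> its own public IP: hand the connection back to the guest.
    #    This is the poster's second attempt and is the correct first half.
    ipt -t nat -A PREROUTING -i "$BRIDGE" -p tcp -d "$VDMZ_PUBL_IP" --dport 80 \
        -j DNAT --to-destination "$VDMZ_PRIV_IP"
    # 2. Without this, the guest receives a SYN from itself to itself, answers
    #    locally, and the host's conntrack never sees the reply to undo the
    #    DNAT, so the guest's client gets a SYN-ACK from the wrong address and
    #    resets. Rewriting the source to the host's bridge address forces the
    #    reply back through the host.
    ipt -t nat -A POSTROUTING -o "$BRIDGE" -p tcp -s "$VDMZ_PRIV_IP" -d "$VDMZ_PRIV_IP" \
        --dport 80 -j SNAT --to-source "$VIRBR_IP"
    # 3. Forwarding back out of the interface a packet arrived on is allowed;
    #    it just needs FORWARD rules that permit exactly that traffic.
    ipt -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -p tcp -d "$VDMZ_PRIV_IP" --dport 80 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) hairpin_rules ;;
    show)  DRY_RUN=1; hairpin_rules ;;
esac
```

Run with `show` to review the four rules and `apply` (as root) to load them; the SNAT is deliberately restricted to port 80 traffic from the guest to itself so no other flow on virbr0 is rewritten.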
