Re: Web server on virtual box - iptables design question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 1, 2009 at 5:18 AM, jaivuk<jaivuk@xxxxxxxxxxxxxx> wrote:
> Hi guys,
>
> I have F11 on the physical box and under KVM I have virtual system where I
> run Apache as a web server. Physical box has two public IPs - one is used
> for physical box management,
> anohter (VDMZ_PUBL_IP) is used to access virtual system. Virtual system
> itself has private IPs, so I have NAT configured in IPTABLES. It also means
> that virtual system is not aware of it's public IP and it "thinks" it has
> only the private IP. Also please note to make things simple - I do not have
> IPTABLES rules set on the virtual server - all rules are set on physical
> server only.
>
> First I made SSH work so I can log-in into virtual system - it works fine.
> Then (using the similar rules) I configured Apache on virtual box - and it
> works from outside as expected.
>
> However before I setup web application from outside successfuly, I was
> forced to setup a fixed URI link in my application - which I did as
> http://public_IP/ ; to make it work from outside.
> My (design) problem occured when I discovered that actually I cannot access
> my Application using public IP directly from virtual system (=from inside) -
> as I have no rules for this situation.


Just add an IP alias to your virtual server ! I kind of eth0:1
This will solve your problem and give an answer to all your questions

>
> I tried to add some - but it did not work, however I'm in doubt if it can
> work at all:
>
> My idea was to set the rule in PREROUTING (on the physical box) in a way
> that if virtual server tries to access its own public address, it will be
> changed back to private one and (hopefully) forwared back:
> I tried both of below rules (one at a time) and none really worked:
> iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in
> vnet1-d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

I donk know about -m physdev sorry

> iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT
> --to-destination $VDMZ_PRIV_IP

looks ok,  but what about other FILTER rules ?

>
> However now I'm in doubt if this is ever possible:
> - Will iptables allow packet to be forwarded back to the same interface
> where it was received from?

Yes

> - Or should I set some rules in Apache itself using mod_rewrite? (so in such
> a case packet won't leave the virtual machine)
> - Are there any risks with that when I decide to use HTTPS? (However HTTP
> only from inside of the virtual system and HTTPS from outside is acceptable
> as well)

HTTPS require a certificate

>
> Is there any other solution so I can access my own system from the virtual
> system using it's public IP?

Yes use routing instead of NAT :-)

>
> Thank you in advance,
>
> iaiv
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux