On Tue, Sep 1, 2009 at 5:18 AM, jaivuk<jaivuk@xxxxxxxxxxxxxx> wrote:
> Hi guys,
>
> I have F11 on the physical box and under KVM I have virtual system where I
> run Apache as a web server. Physical box has two public IPs - one is used
> for physical box management,
> another (VDMZ_PUBL_IP) is used to access virtual system. Virtual system
> itself has private IPs, so I have NAT configured in IPTABLES. It also means
> that virtual system is not aware of its public IP and it "thinks" it has
> only the private IP. Also please note to make things simple - I do not have
> IPTABLES rules set on the virtual server - all rules are set on physical
> server only.
>
> First I made SSH work so I can log-in into virtual system - it works fine.
> Then (using the similar rules) I configured Apache on virtual box - and it
> works from outside as expected.
>
> However before I setup web application from outside successfully, I was
> forced to setup a fixed URI link in my application - which I did as
> http://public_IP/ ; to make it work from outside.
> My (design) problem occurred when I discovered that actually I cannot access
> my Application using public IP directly from virtual system (=from inside) -
> as I have no rules for this situation.

Just add an IP alias to your virtual server!
A kind of eth0:1

This will solve your problem and give an answer to all your questions.

>
> I tried to add some - but it did not work, however I'm in doubt if it can
> work at all:
>
> My idea was to set the rule in PREROUTING (on the physical box) in a way
> that if virtual server tries to access its own public address, it will be
> changed back to private one and (hopefully) forwarded back:
> I tried both of below rules (one at a time) and none really worked:
> iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in vnet1 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

I don't know about -m physdev, sorry.

> iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

Looks OK, but what about other FILTER rules?

>
> However now I'm in doubt if this is ever possible:
> - Will iptables allow packet to be forwarded back to the same interface
> where it was received from?

Yes

> - Or should I set some rules in Apache itself using mod_rewrite? (so in such
> a case packet won't leave the virtual machine)
> - Are there any risks with that when I decide to use HTTPS? (However HTTP
> only from inside of the virtual system and HTTPS from outside is acceptable
> as well)

HTTPS requires a certificate.

>
> Is there any other solution so I can access my own system from the virtual
> system using its public IP?

Yes, use routing instead of NAT :-)

>
> Thank you in advance,
>
> iaiv
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>

--
Alain Spineux
aspineux gmail com
May the sources be with you
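The hairpin case discussed in this thread, as an added example that is not part of either poster's message or configuration: a dry-run generator that prints the host-side rules without applying them. The source-rewrite rule and the FORWARD rules are assumptions about what the "other FILTER rules" remark implies, `hairpin_rules` and `is_ipv4` are hypothetical helper names, and the addresses are constructed samples.

```shell
#!/bin/sh
# Dry run only: the functions print iptables commands, they do not run them.

# is_ipv4 ADDR -> exit status 0 when ADDR is a dotted quad with octets 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# hairpin_rules PUBLIC_IP PRIVATE_IP [BRIDGE] [PORT]
hairpin_rules() {
    pub=$1 priv=$2 br=${3:-virbr0} port=${4:-80}
    is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad address" >&2; return 1; }
    # 1. Guest -> its own public IP: rewrite the destination (rule from the post,
    #    narrowed to one port).
    echo "iptables -t nat -A PREROUTING -i $br -p tcp -d $pub --dport $port -j DNAT --to-destination $priv"
    # 2. Assumption: also rewrite the source to the bridge address, so the guest
    #    does not receive a packet carrying its own address as source and its
    #    replies return through the host, where conntrack reverses the DNAT.
    echo "iptables -t nat -A POSTROUTING -o $br -p tcp -s $priv -d $priv --dport $port -j MASQUERADE"
    # 3. The filter table must allow traffic to leave the bridge it arrived on.
    echo "iptables -A FORWARD -i $br -o $br -p tcp -d $priv --dport $port -j ACCEPT"
    echo "iptables -A FORWARD -i $br -o $br -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample addresses (documentation range / libvirt default subnet).
hairpin_rules 203.0.113.10 192.168.122.10
```

Review the printed rules against the existing ruleset on the physical box before applying any of them; rule order in FORWARD decides whether the ACCEPT lines are ever reached.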