Web server on virtual box - iptables design question

Alain Spineux aspineux at gmail.com
Tue Sep 1 16:59:25 UTC 2009


On Tue, Sep 1, 2009 at 5:18 AM, jaivuk<jaivuk at googlemail.com> wrote:
> Hi guys,
>
> I have F11 on the physical box and under KVM I have virtual system where I
> run Apache as a web server. Physical box has two public IPs - one is used
> for physical box management,
> another (VDMZ_PUBL_IP) is used to access virtual system. Virtual system
> itself has private IPs, so I have NAT configured in IPTABLES. It also means
> that virtual system is not aware of its public IP and it "thinks" it has
> only the private IP. Also please note to make things simple - I do not have
> IPTABLES rules set on the virtual server - all rules are set on physical
> server only.
>
> First I made SSH work so I can log-in into virtual system - it works fine.
> Then (using the similar rules) I configured Apache on virtual box - and it
> works from outside as expected.
>
> However before I setup web application from outside successfully, I was
> forced to setup a fixed URI link in my application - which I did as
> http://public_IP/  to make it work from outside.
> My (design) problem occured when I discovered that actually I cannot access
> my Application using public IP directly from virtual system (=from inside) -
> as I have no rules for this situation.


Just add an IP alias to your virtual server! A kind of eth0:1
This will solve your problem and give an answer to all your questions

>
> I tried to add some - but it did not work, however I'm in doubt if it can
> work at all:
>
> My idea was to set the rule in PREROUTING (on the physical box) in a way
> that if virtual server tries to access its own public address, it will be
> changed back to private one and (hopefully) forwarded back:
> I tried both of below rules (one at a time) and none really worked:
> iptables -t nat -A PREROUTING -p TCP -i virbr0 -m physdev --physdev-in vnet1 \
>   -d $VDMZ_PUBL_IP -j DNAT --to-destination $VDMZ_PRIV_IP

I don't know about -m physdev, sorry

> iptables -t nat -A PREROUTING -p TCP -i virbr0 -d $VDMZ_PUBL_IP -j DNAT
> --to-destination $VDMZ_PRIV_IP

looks ok, but what about other FILTER rules ?

>
> However now I'm in doubt if this is ever possible:
> - Will iptables allow packet to be forwarded back to the same interface
> where it was received from?

Yes

> - Or should I set some rules in Apache itself using mod_rewrite? (so in such
> a case packet won't leave the virtual machine)
> - Are there any risks with that when I decide to use HTTPS? (However HTTP
> only from inside of the virtual system and HTTPS from outside is acceptable
> as well)

HTTPS requires a certificate

>
> Is there any other solution so I can access my own system from the virtual
> system using its public IP?

Yes, use routing instead of NAT :-)

>
> Thank you in advance,
>
> iaiv
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you
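Added example (not code from either poster or from the thread): the second PREROUTING rule quoted above is the right idea, but hairpin NAT through the host needs two more things that the reply only hints at with "what about other FILTER rules": a POSTROUTING SNAT so the guest's reply comes back through the host instead of going guest-to-guest, and FORWARD rules that allow the flow in and out of the same bridge. The script below emits the full rule set. Every address, interface name and the port list is an assumption chosen for illustration; by default it prints the rules instead of applying them.

```shell
#!/bin/sh
# Hairpin NAT ("NAT loopback") for a KVM guest reached through the host's
# public address. Added example, not from the thread. All values below are
# assumptions; override them in the environment for a real host.
VDMZ_PUBL_IP="${VDMZ_PUBL_IP:-203.0.113.10}"   # public IP routed to the host
VDMZ_PRIV_IP="${VDMZ_PRIV_IP:-192.168.122.10}" # guest's address on the bridge
VIRBR_IP="${VIRBR_IP:-192.168.122.1}"          # host's own address on the bridge
BRIDGE="${BRIDGE:-virbr0}"
WAN_IF="${WAN_IF:-eth0}"
PORTS="${PORTS:-22,80,443}"
# IPT defaults to a dry run that prints the rules; run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

hairpin_rules() {
    # (1) Outside -> guest: the DNAT the thread already has working.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$VDMZ_PUBL_IP" \
        -m multiport --dports "$PORTS" -j DNAT --to-destination "$VDMZ_PRIV_IP"
    # (2) Guest -> its own public IP: the guest's default gateway is the host,
    #     so the packet arrives on the bridge; DNAT it there as well.
    $IPT -t nat -A PREROUTING -i "$BRIDGE" -p tcp -d "$VDMZ_PUBL_IP" \
        -m multiport --dports "$PORTS" -j DNAT --to-destination "$VDMZ_PRIV_IP"
    # (3) The hairpin part. After DNAT the packet leaves via the bridge with
    #     src = dst = guest. Without this SNAT the guest would answer itself
    #     directly and the host's conntrack entry would never see the reply.
    $IPT -t nat -A POSTROUTING -o "$BRIDGE" -s "$VDMZ_PRIV_IP" -d "$VDMZ_PRIV_IP" \
        -p tcp -j SNAT --to-source "$VIRBR_IP"
    # (4) FILTER: both flows are forwarded; the hairpin one enters and leaves
    #     on the same interface, which iptables permits but must not block.
    $IPT -A FORWARD -d "$VDMZ_PRIV_IP" -p tcp -m multiport --dports "$PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry run by default: prints the five rules without touching the host.
hairpin_rules
```

Two checks before trusting it: `-A` appends after whatever libvirt already put in FORWARD and POSTROUTING, so if a libvirt rule matches first, insert with `-I` instead; and after a test connection from the guest to its public IP, `iptables -t nat -L -n -v` should show hits on both the bridge-side DNAT and the SNAT, otherwise the reply is taking the direct guest-to-guest path.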