Brouting VNC

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Brouting VNC
@ 2010-05-04 15:26 Pavel Mikulka
  2010-05-04 16:02 ` Grant Taylor
  0 siblings, 1 reply; 2+ messages in thread
From: Pavel Mikulka @ 2010-05-04 15:26 UTC (permalink / raw)
  To: netfilter

Hello everyone,

I have topology with virtual machines running on KVM like this:

eth0 (ip 1.1.1.1)
eth1 --\
	  > --> bond0 (ip 1.1.1.2) --> br0 --> Virtual Machine with ip
1.1.1.3
eth2 --/

I would have a RDP available from outside at the ip address of virtual
machine. I try to configure ebtables/iptables to redirect VNC from ebtables
to iptables and then to ip address of host 1.1.1.1(or localhost) with no
luck. 

ebtables -t broute -A BROUTING -i bond0 -p IPv4 --ip-protocol 6
--ip-destination-port 5900 -j redirect --redirect-target DROP
iptables -t nat -A PREROUTING -p tcp  -d 1.1.1.3 --dport 5900 -j DNAT --to
1.1.1.1:5900

Any help will be appreciated. Thanks

P.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Brouting VNC
  2010-05-04 15:26 Brouting VNC Pavel Mikulka
@ 2010-05-04 16:02 ` Grant Taylor
  0 siblings, 0 replies; 2+ messages in thread
From: Grant Taylor @ 2010-05-04 16:02 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/04/10 10:26, Pavel Mikulka wrote:
> I have topology with virtual machines running on KVM like this:
> 
> eth0 (ip 1.1.1.1)
> eth1 --\
> 	  > --> bond0 (ip 1.1.1.2) --> br0 --> Virtual Machine with ip 1.1.1.3
> eth2 --/

Hum...

I'm (mis)interpreting that to be that you have 1.1.1.1 on eth0 and 
1.1.1.2 & 1.1.1.3 on bond0.  Thus, you have the same IP subnet on two 
(or more) network interfaces (as reported by the output of ifconfig).

Can I see the output of brctl?  (So that I'm clear on your topology.)

> I would have a RDP available from outside at the ip address of virtual 
> machine. I try to configure ebtables/iptables to redirect VNC from ebtables 
> to iptables and then to ip address of host 1.1.1.1(or localhost) with no 
> luck. 

If you have the IP networking / routing set up properly, you shouldn't 
need to do any redirecting (NATing).

> ebtables -t broute -A BROUTING -i bond0 -p IPv4 --ip-protocol 6 --ip-destination-port 5900 -j redirect --redirect-target DROP

Just to confirm, you are wanting to cause the EBTables BROUTING chain to 
DROP TCP traffic destined to port 5900 to be routed by the kernel, 
rather than bridged?

> iptables -t nat -A PREROUTING -p tcp  -d 1.1.1.3 --dport 5900 -j DNAT --to 1.1.1.1:5900

This looks like a basic DNATing (a.k.a. port forwarding) rule for 
traffic that was going to 1.1.1.3:5900 to be redirected to 1.1.1.1:5900.

> Any help will be appreciated. Thanks

I feel like you have a duplicate IP subnet that is causing problems for you.

Are you sure that you don't want eth0 to be included in your bridge 
(br0) too?  -  Doing that will prevent a duplicate subnet problem and 
allow IPTables (layer 3) to function like you are expecting it to.

Grant. . . .

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2010-05-04 16:02 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-04 15:26 Brouting VNC Pavel Mikulka
2010-05-04 16:02 ` Grant Taylor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).