
Even more IP Tables Lunacy


    Ready to launch this server out the fecking window

    OK so my KVM has a NAT, 10.0.0.0/24

    One of the guests behind this NAT needs to connect to the host. It needs to connect on port 5555 (just say, for arguments sake).

    Wireshark shows the packet from 10.0.0.1 > 192.168.0.5 going over ok, but the return SYNACK getting blocked (from 192.168.0.5).

    How do I add a rule to iptables to allow the host to talk to the NAT subnet on a specific port?

    I have tried this so far

    Code:
    iptables -I FORWARD 1 -p tcp -s 192.168.0.5 -d 10.0.0.0/24 -j ACCEPT
    Which I interpret to mean, please ffs could the firewall just allow all tcp traffic from 192.168.0.5 to any IP on the 10.0.0.0/24 subnet.

    But it doesn't work and the packet still gets blocked
    Knock first as I might be balancing my chakras.

    #2
    Really really fecking desperate guys.

    Please help.

    ldap 36.147965000 192.168.0.5 10.0.0.222 ICMP 94 Destination unreachable (Host administratively prohibited)
    Tried the following

    iptables -I FORWARD 1 -p tcp -s 192.168.0.5 -d 10.0.0.0/24 -j ACCEPT
    iptables -I FORWARD 1 -p udp -s 192.168.0.5 -d 10.0.0.0/24 -j ACCEPT
    iptables -I FORWARD 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    iptables -I FORWARD 1 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    iptables -I FORWARD 1 -p icmp -s 192.168.0.5 -d 10.0.0.0/24 -j ACCEPT
    iptables -I FORWARD 1 -p icmp -s 192.168.0.5 -d 10.0.0.222 -j ACCEPT
    Nothing works
    Last edited by suityou01; 5 March 2015, 10:27.
    Knock first as I might be balancing my chakras.
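A note on reading the trace in the post above, with an added example that is not code anyone posted in the thread. An ICMP "Destination unreachable (Host administratively prohibited)" sent by 192.168.0.5 back to 10.0.0.222 is what an iptables `REJECT --reject-with icmp-host-prohibited` target produces; on RHEL/CentOS-style rulesets that is the catch-all rule at the end of the INPUT and FORWARD chains. Because 192.168.0.5 is the hypervisor's own address, the guest's SYN is delivered locally through INPUT and never touches FORWARD, so every FORWARD insert listed above is simply never consulted. The any-to-any FORWARD ACCEPTs are also the wrong direction from a security standpoint: they turn the host into an open router between the NAT subnet and the LAN. The script assumes the host also owns 10.0.0.1 on a libvirt-style NAT bridge named virbr0 (both assumptions; only 192.168.0.5, 10.0.0.222, 10.0.0.0/24 and port 5555 come from the posts) and only prints rules, it does not change the firewall.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Assumptions: the hypervisor owns 192.168.0.5 (LAN side) and is assumed to
# own 10.0.0.1 on the NAT bridge virbr0 (libvirt's usual default, assumed
# here); the guest is 10.0.0.222; the service port is 5555.
# Nothing below touches the live firewall: the rules are only printed.

HOST_ADDRS="192.168.0.5 10.0.0.1"   # addresses the hypervisor itself answers on
NAT_NET="10.0.0.0/24"
NAT_IF="virbr0"

# chain_for_dst DST -> prints INPUT if DST is one of the host's own addresses
# (the packet is delivered locally: PREROUTING -> INPUT, FORWARD never sees it),
# otherwise FORWARD (the packet is routed through the host to another machine).
chain_for_dst() {
    for a in $HOST_ADDRS; do
        if [ "$a" = "$1" ]; then echo INPUT; return 0; fi
    done
    echo FORWARD
}

# icmp_reject_hint SUMMARY -> maps the Wireshark "Destination unreachable"
# text to the iptables REJECT option that generates it (ICMP type 3 codes).
icmp_reject_hint() {
    case "$1" in
        *"Host administratively prohibited"*)    echo "icmp-host-prohibited" ;;
        *"Network administratively prohibited"*) echo "icmp-net-prohibited" ;;
        *"Port unreachable"*)                    echo "icmp-port-unreachable" ;;
        *)                                       echo "unknown"; return 1 ;;
    esac
}

# rule_is_overbroad RULE -> succeeds when an ACCEPT rule for new traffic
# matches any source and any destination (explicit 0.0.0.0/0 or no -s/-d at
# all). Such a rule in FORWARD makes the hypervisor an open router between
# the NAT subnet and the LAN. ESTABLISHED/RELATED rules are legitimately
# unscoped (they only pass replies to connections already accepted) and are
# not flagged.
rule_is_overbroad() {
    r="$1"
    case "$r" in *" -j ACCEPT"*) ;; *) return 1 ;; esac
    case "$r" in *ESTABLISHED*) return 1 ;; esac
    src_any=1; dst_any=1
    case "$r" in *" -s "*) case "$r" in *" -s 0.0.0.0/0"*) ;; *) src_any=0 ;; esac ;; esac
    case "$r" in *" -d "*) case "$r" in *" -d 0.0.0.0/0"*) ;; *) dst_any=0 ;; esac ;; esac
    [ "$src_any" -eq 1 ] && [ "$dst_any" -eq 1 ]
}

# allow_guest_to_host_port PORT -> prints two narrowly scoped INPUT rules:
# new connections from the NAT subnet, arriving on the NAT bridge, to one TCP
# port; and a conntrack rule that lets replies (the SYN-ACK and the rest of
# the connection) through without per-port rules. Inserting at position 1
# puts both ahead of the distribution's final REJECT.
allow_guest_to_host_port() {
    port="$1"
    echo "iptables -I INPUT 1 -i $NAT_IF -s $NAT_NET -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Walk through the thread's own symptoms.
main() {
    echo "SYN 10.0.0.222 -> 192.168.0.5:5555 is decided by chain: $(chain_for_dst 192.168.0.5)"
    echo "ICMP 'Host administratively prohibited' comes from: REJECT --reject-with $(icmp_reject_hint 'Destination unreachable (Host administratively prohibited)')"
    for rule in \
        "iptables -I FORWARD 1 -p tcp -s 192.168.0.5 -d 10.0.0.0/24 -j ACCEPT" \
        "iptables -I FORWARD 1 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT"; do
        if rule_is_overbroad "$rule"; then echo "TOO BROAD: $rule"; else echo "scoped:    $rule"; fi
    done
    echo "Rules to apply (verify afterwards with: iptables -L INPUT -n -v --line-numbers):"
    allow_guest_to_host_port 5555
}

main
```

Before applying anything, `iptables -L INPUT -n -v --line-numbers` shows which rule's packet counter increases while the guest retries; if the final REJECT line is the one counting, the two printed INPUT rules are what is missing, and the any-to-any FORWARD rules already inserted should be deleted with `iptables -D FORWARD <number>`.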



      #3
      Why on earth have you:

      1) agreed to do work you aren't in a position to do competently.
      2) desperately sought help from a group of people who don't know enough about the configuration to be able to help you

      I will ignore the fact that your continual inability to articulate in the OP all information that is pertinent to the issue rather puts anyone else off helping you but why do you think people are going to help you?
      merely at clientco for the entertainment



        #4
        Originally posted by eek View Post
        Why on earth have you:

        1) agreed to do work you aren't in a position to do competently.
        2) desperately sought help from a group of people who don't know enough about the configuration to be able to help you

        I will ignore the fact that your continual inability to articulate in the OP all information that is pertinent to the issue rather puts anyone else off helping you but why do you think people are going to help you?
        You ever done something, thinking this should be straight forward and when you get into it, it turns out it's far more complicated than you first thought?

        No, no you won't have done that because you are perfect, your life is perfect in every way and you are above reproach in all things. In fact, God looks up to you in awe.

        The problem here is that the software in question is tulipe, doesn't do what it said on the tin and I am left holding the baby.

        To that end the documentation is also tulipe, and there are entire forums full of other "suckers" who have wasted weeks of their lives trying to get the thing to work.

        This is the final hurdle in many many many slow weeks and enduring weekends of trying to get this tulipe off my plate and I am more than just a bit fed up with it.

        So, unless you have any help to offer, can you please **** off back to general and troll in there?

        TIA
        Knock first as I might be balancing my chakras.



          #5
          It's KVM, so it should configure things correctly on setup. The most likely thing you've done is add 1 line while trying to fix it that's then utterly broken it... But I've got better things to do than try to guess what.

          Personally all my KVM machines sit on the network of the host machine (root machine is 192.168.2.2 and virtual machines live on the range 3 - 32). Any other method requires second guessing how other networks are configured and that's just a world of pain.

          I think you've tried to be too clever and should rethink your plans and simplify your network topology....
          merely at clientco for the entertainment



            #6
            Originally posted by eek View Post
            It's KVM, so it should configure things correctly on setup. The most likely thing you've done is add 1 line while trying to fix it that's then utterly broken it... But I've got better things to do than try to guess what.

            Personally all my KVM machines sit on the network of the host machine (root machine is 192.168.2.2 and virtual machines live on the range 3 - 32). Any other method requires second guessing how other networks are configured and that's just a world of pain.

            I think you've tried to be too clever and should rethink your plans and simplify your network topology....
            It should, it doesn't. The reason is that I am using NAT. This does not work out of box and you have to mess with the firewall to get access to your VMs. There are countless people complaining about this, and the KVM peeps say that they will make it more user friendly in the next version.

            Your setup is simpler, in that you are not using NAT.

            HTH
            Knock first as I might be balancing my chakras.



              #7
              Originally posted by suityou01 View Post
              It should, it doesn't. The reason is that I am using NAT. This does not work out of box and you have to mess with the firewall to get access to your VMs. There are countless people complaining about this, and the KVM peeps say that they will make it more user friendly in the next version.

              Your setup is simpler, in that you are not using NAT.

              HTH
              So as it doesn't work, why are you using it..... Simplify it by just adding the machines to the network. I doubt you are short of IP addresses.

              If you can't do that can you ping or traceroute to any machine on the 10 network from 192.168.0.5... I'm sure I know what the issue is....
              Last edited by eek; 5 March 2015, 11:21.
              merely at clientco for the entertainment



                #8
                Originally posted by eek View Post
                So as it doesn't work, why are you using it..... Simplify it by just adding the machines to the network. I doubt you are short of IP addresses.

                If you can't do that can you ping or traceroute to any machine on the 10 network from 192.168.0.5... I'm sure I know what the issue is....
                The virtual machines are required to be on the virtual network (subnet/nat).
                I am using it because the software said it could do it. It is not until you install it, that you then find out the gremlins. Me and countless others.
                Yes I can ping the guest from the host.

                The specific problem from wireshark was posted by me higher up the thread, along with the iptables commands I issued to try and solve the problem.

                What I am patiently asking is if anyone can look at the wireshark trace output, which has all the information needed, and advise me on the correct iptables command to allow the currently blocked traffic through.
                Knock first as I might be balancing my chakras.



                  #9
                  Good luck with that request.... You removed the only person able to help you in your conversation over the weekend...

                  merely at clientco for the entertainment



                    #10
                    Originally posted by eek View Post
                    Good luck with that request.... You removed the only person able to help you in your conversation over the weekend...

                    What are you blethering on about you infuriating little man?

                    I thought this was beyond you. Don't worry, you are in good company.
                    Knock first as I might be balancing my chakras.
