
Thread: Qemu Networking eth0 -> tap0

  1. #1
    Join Date
    Mar 2013
    Beans
    7

    Qemu Networking eth0 -> tap0

    Hello,
    I want to separate my websites into virtual machines to be more flexible. Creating the machines and installing Ubuntu is not a problem, but getting online is. I created a tap interface with Qemu and forwarded some ports from eth0 to it, but the VM isn't reachable. My setup:
    Code:
    qemu -m 1G -boot c -hda 'hdd_0.img' -display vnc=127.0.0.1:3 -smp 4 -net nic,vlan=0 -net tap,vlan=0,ifname=tap0 -k de
    ifconfig:


    Code:
    eth0      Link encap:Ethernet  Hardware Adresse 90:2b:34:9e:09:fd  
              inet Adresse:93.186.xxx.xx  Bcast:93.186.xxx.xxx  Maske:255.255.255.0
              inet6-Adresse: fe80::922b:34ff:fe9e:9fd/64 Gültigkeitsbereich:Verbindung
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
              RX packets:398426279 errors:0 dropped:1877 overruns:0 frame:0
              TX packets:442239849 errors:0 dropped:0 overruns:0 carrier:0
              Kollisionen:0 Sendewarteschlangenlänge:1000 
              RX-Bytes:34072252966 (34.0 GB)  TX-Bytes:75313070542 (75.3 GB)
              Interrupt:44 Basisadresse:0x8000 
    
    
    lo        Link encap:Lokale Schleife  
              inet Adresse:127.0.0.1  Maske:255.0.0.0
              inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
              UP LOOPBACK RUNNING  MTU:16436  Metrik:1
              RX packets:36668720 errors:0 dropped:0 overruns:0 frame:0
              TX packets:36668720 errors:0 dropped:0 overruns:0 carrier:0
              Kollisionen:0 Sendewarteschlangenlänge:0 
              RX-Bytes:16501450408 (16.5 GB)  TX-Bytes:16501450408 (16.5 GB)
    
    
    tap0      Link encap:Ethernet  Hardware Adresse 42:59:1a:d3:84:eb  
              inet Adresse:10.0.2.100  Bcast:10.255.255.255  Maske:255.0.0.0
              inet6-Adresse: fe80::4059:1aff:fed3:84eb/64 Gültigkeitsbereich:Verbind

    So, I assigned an IP to tap0:
    Code:
    ifconfig tap0 192.168.122.45
    It looks like it works:
    Code:
    tap0      Link encap:Ethernet  Hardware Adresse 42:59:1a:d3:84:eb  
              inet Adresse:192.168.122.45  Bcast:192.168.122.255  Maske:255.255.255.0
              inet6-Adresse: fe80::4059:1aff:fed3:84eb/64 Gültigkeitsbereich:Verbindung
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
              RX packets:6 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
              Kollisionen:0 Sendewarteschlangenlänge:500 
              RX-Bytes:468 (468.0 B)  TX-Bytes:468 (468.0 B)

    Then I tried to forward ports:
    Code:
    iptables -I FORWARD -m state -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A PREROUTING -d 93.186.xxx.xx -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
    After these steps it is still not reachable from the host or other machines and the VM can't ping google, or their host.

    System:
    Ubuntu 12.04 LTS VM and Host
    Kernel: 3.2.0-36-generic

    CPU: i7-3770
    RAM: 32GB DDR3
    HDD: 2TB

    Does anyone have an idea what my mistake is?

  2. #2
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,414
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Qemu Networking eth0 -> tap0

    What is your default policy for your iptables chains?
    I am wondering if there is any return path for packets from the VMs, i.e. maybe you need something like this:
    Code:
    iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
    Now, that being said, it will not solve this part of your issue:
    and the VM can't ping google, or their host.
    because there is no return path to the VM. I would suggest something like this for the forward chain:
    Code:
    iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD -i eth0 -o tap0 -p tcp --dport 22 -d 192.168.122.0/24 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
    What I am unsure about is if port re-mapping back to port 6422 will also occur for the reverse path. In my iptable rule script, I have a commented out example where incoming port 8080 was re-mapped to 80 during forwarding and it seems to have worked with a forward chain similar to the above.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  3. #3
    Join Date
    Mar 2013
    Beans
    7

    Re: Qemu Networking eth0 -> tap0

    It doesn't work.
    My iptables:
    Code:
    # Generated by iptables-save v1.4.12 on Mon Mar 18 20:54:02 2013
    *nat
    :PREROUTING ACCEPT [122:12324]
    :INPUT ACCEPT [53:4346]
    :OUTPUT ACCEPT [59:3670]
    :POSTROUTING ACCEPT [59:3670]
    -A PREROUTING -d 93.186.xxx.xx/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
    -A PREROUTING -d 93.186.xxx.xx/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
    -A PREROUTING -d 93.186.xxx.xx/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
    -A PREROUTING -d 93.186.xxx.xx/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
    -A PREROUTING -d 93.186.xxx.xx/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
    COMMIT
    # Completed on Mon Mar 18 20:54:02 2013
    # Generated by iptables-save v1.4.12 on Mon Mar 18 20:54:02 2013
    *mangle
    :PREROUTING ACCEPT [2424845686:461152190999]
    :INPUT ACCEPT [2407173678:460184265047]
    :FORWARD ACCEPT [102:5966]
    :OUTPUT ACCEPT [3344802095:389192559739]
    :POSTROUTING ACCEPT [3344801377:389192518005]
    COMMIT
    # Completed on Mon Mar 18 20:54:02 2013
    # Generated by iptables-save v1.4.12 on Mon Mar 18 20:54:02 2013
    *filter
    :INPUT ACCEPT [68375:4249334]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [138979:9565871]
    :fail2ban-apache - [0:0]
    :fail2ban-dovecot - [0:0]
    :fail2ban-named-refused-tcp - [0:0]
    :fail2ban-named-refused-udp - [0:0]
    :fail2ban-postfix - [0:0]
    :fail2ban-proftpd - [0:0]
    :fail2ban-sasl - [0:0]
    :fail2ban-ssh - [0:0]
    -A FORWARD -d 192.168.122.0/24 -i eth0 -o tap0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tap0 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i tap0 -o eth0 -j ACCEPT
    COMMIT
    # Completed on Mon Mar 18 20:54:02 2013

    What's my mistake?

  4. #4
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,414
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Qemu Networking eth0 -> tap0

    Is packet forwarding enabled? Example of how to check:
    Code:
    doug@doug-64:~/init$ cat /proc/sys/net/ipv4/ip_forward
    1
    You can set it from within a script running with root privilege with this:
    Code:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    There are other ways to set it, including using some "tee" from the command line, but I can never remember the other ways.

    Your tables are a bit odd, with repeated commands. I do not understand why there is a mangle table at all. I suppose the most important point is that I forgot the postrouting command in my previous post. You will need something like:
    Code:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 93.186.xxx.xx
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  5. #5
    Join Date
    Mar 2013
    Beans
    7

    Re: Qemu Networking eth0 -> tap0

    Quote: Originally posted by Doug S
    Is packet forwarding enabled? Example of how to check:
    Code:
    doug@doug-64:~/init$ cat /proc/sys/net/ipv4/ip_forward
    1
    It is enabled.
    Quote: Originally posted by Doug S
    Your tables are a bit odd, with repeated commands.
    That's only while I'm testing.

    Quote: Originally posted by Doug S
    I do not understand why there is a mangle table at all. I suppose the most important point is that I forgot the postrouting command in my previous post. You will need something like:
    Code:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 93.186.xxx.xx
    I have only one IP, also I want to redirect 93.186.xxx.xx:6422 to VM:22

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    1,414
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Qemu Networking eth0 -> tap0

    I have only one IP, also I want to redirect 93.186.xxx.xx:6422 to VM:22
    That POSTROUTING command is needed for the other direction.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  7. #7
    Join Date
    Mar 2013
    Beans
    7

    Re: Qemu Networking eth0 -> tap0

    No effect, no connection to the Internet or host.
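
Added example, not part of any post in this thread: a shell function that audits an `iptables-save` dump for the pieces discussed above, namely the DNAT rule, the POSTROUTING SNAT from post #4 and the FORWARD rules. It goes beyond the thread in two checks: it flags a DNAT target equal to the address assigned to the host's own tap0 (such traffic is delivered to the host instead of being forwarded to a guest) and a FORWARD rule that admits NEW connections on any port. The sample dump and the address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an iptables-save dump read on
# stdin. On a live host: iptables-save | check_forward <host tap0 address>
check_forward() {
    awk -v tap_ip="$1" '
        /^\*/ { table = substr($0, 2); next }        # table header, e.g. *nat
        table == "nat" && /^-A PREROUTING/ && /-j DNAT/ {
            dnat++
            if (seen[$0]++) dup++                    # same rule appended again
            for (i = 1; i < NF; i++) if ($i == "--to-destination") {
                split($(i + 1), dst, ":")            # dst[1] = target address
                if (dst[1] == tap_ip) to_host = 1
            }
        }
        table == "nat" && /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ { snat = 1 }
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && /^-A FORWARD/ && /-j ACCEPT/ &&
            /--state [A-Z,]*NEW/ && !/--dport/ { wide = 1 }
        END {
            if (!dnat)   print "MISSING: no DNAT rule in nat PREROUTING"
            if (dup)     print "NOTE: " dup " duplicate DNAT rule(s)"
            if (to_host) print "WARN: DNAT target " tap_ip " is the host end of the tap"
            if (!snat)   print "MISSING: no SNAT/MASQUERADE in nat POSTROUTING"
            if (policy == "ACCEPT") print "WARN: filter FORWARD policy is ACCEPT"
            if (wide)    print "WARN: FORWARD accepts NEW to the guest net on any port"
        }'
}

# Constructed sample modelled on the dump in post #3; 203.0.113.10 is a
# documentation address standing in for the masked public IP.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 6422 -j DNAT --to-destination 192.168.122.45:22
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -i eth0 -o tap0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tap0 -o eth0 -j ACCEPT
COMMIT
EOF
}

sample_dump | check_forward 192.168.122.45
```

A dump that produces no output has a DNAT rule pointing at a non-host address, a POSTROUTING SNAT or MASQUERADE rule, a non-ACCEPT FORWARD policy and only port-restricted NEW rules.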
