How to NAT through iptables for LVS server private to public



Post by yapu » 2014/11/06 08:09:21

I have configured an LVS server with piranha on CentOS 5.10. I have two interfaces, which are eth0 and eth1.

eth0 10.64.1.41 private ip
eth0:1 10.64.1.44 (NAT gateway for two application servers)
eth0:2 10.64.1.45 (LVS VIP)

eth1 212.154.xx.xx (public ip configured by ISP)

Both interfaces are in separate VLANs and the LVS is configured in NAT mode. I believe the LVS works for the private VLAN, which I have confirmed with "nc -vl 1625".

[root@application-server1 ~]# nc -vl 1625
Connection from 10.64.1.41 port 1625 [tcp/svs-omagent] accepted
Hello

In this case, when I start the application it is listening on port 1625 on application-server1, and I have confirmed that with

[root@application-server1 ~]# nmap -p10-1630 10.64.1.42 (application-server1)
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
709/tcp open entrustmanager
1625/tcp open unknown

I believe the LVS works fine and no errors are showing in the LVS log /var/log/messages. It looks good, but from the outside world if I telnet to the public IP on the port:

[root@localhost ~] telnet 212.154.xx.xx 1625
Trying 212.154.xx.xx...
telnet: Unable to connect to remote host: Connection refused
[root@localhost ~]

In this case, how do I NAT public to private and vice versa?

I have tried NAT from private to public and vice versa:

# Generated by iptables-save v1.3.5 on Wed Nov 5 23:16:28 2014
*nat
:PREROUTING ACCEPT [251:17996]
:POSTROUTING ACCEPT [584:44767]
:OUTPUT ACCEPT [585:43859]
-A PREROUTING -s 212.154.xx.xx -i eth1 -p tcp -m tcp --sport 1625 --dport 1625 -j DNAT --to-destination 10.64.1.45:1625
-A POSTROUTING -o eth1 -p tcp -j SNAT --to-source 212.154.xx.xx:1625
COMMIT
# Completed on Wed Nov 5 23:16:28 2014
# Generated by iptables-save v1.3.5 on Wed Nov 5 23:16:28 2014
*filter
:INPUT ACCEPT [1506:146591]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2444:319464]
-A INPUT -d 212.154.xx.xx -i eth1 -p tcp -m tcp --sport 1625 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 10.64.1.45 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1625 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,21,80,1625 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.64.1.45 -i eth1 -o eth0 -p tcp -m tcp --dport 1625 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65335 --dport 1625 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 10.64.1.45 -o eth0 -p tcp -m tcp --sport 1625 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 22,21,80,1625 -j ACCEPT
COMMIT
# Completed on Wed Nov 5 23:16:28 2014

Can you suggest how the traffic goes out and in?
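As an added example (not code from the original post), a small Python checker that parses an iptables-save dump and flags NAT rules that cannot forward an inbound connection as intended: a PREROUTING DNAT that matches a fixed client source port or the host's own public address, and a POSTROUTING SNAT that pins a source port. The sample dump is constructed from the nat table quoted above; the 212.154.xx.xx placeholder is kept from the post and passed in as the assumed public address.

```python
"""Lint an iptables-save dump for NAT rules that make port forwarding fail silently."""
import shlex

# Constructed sample, modelled on the nat table quoted in the post above
# (the 212.154.xx.xx placeholder is kept from the post).
SAMPLE = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 212.154.xx.xx -i eth1 -p tcp -m tcp --sport 1625 --dport 1625 -j DNAT --to-destination 10.64.1.45:1625
-A POSTROUTING -o eth1 -p tcp -j SNAT --to-source 212.154.xx.xx:1625
COMMIT
"""

def parse_rules(dump):
    """Return (table, chain, options) for every '-A' line in an iptables-save dump."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chain, opts, i = toks[1], {}, 2
            while i < len(toks):
                # an option followed by a non-option token takes that token as its value
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]
                    i += 2
                else:
                    opts[toks[i]] = True
                    i += 1
            rules.append((table, chain, opts))
    return rules

def lint_nat(dump, public_ip):
    """Return human-readable findings for DNAT/SNAT rules that cannot work as intended."""
    findings = []
    for table, chain, o in parse_rules(dump):
        if table != "nat":
            continue
        if chain == "PREROUTING" and o.get("-j") == "DNAT":
            sport = o.get("--sport")
            if sport and ":" not in sport:
                findings.append(f"DNAT --sport {sport}: clients connect from ephemeral source ports, so the rule never matches inbound connections")
            if o.get("-s") == public_ip:
                findings.append(f"DNAT -s {public_ip}: matches only packets sourced from the host's own public address, not from outside clients")
        if chain == "POSTROUTING" and o.get("-j") == "SNAT" and ":" in o.get("--to-source", ""):
            findings.append(f"SNAT --to-source {o['--to-source']}: pins every translated flow to one source port, so concurrent connections to the same destination collide")
    return findings

if __name__ == "__main__":
    for finding in lint_nat(SAMPLE, "212.154.xx.xx"):
        print("WARNING:", finding)
```

Run against the quoted ruleset it reports three findings; a DNAT that matches only `-i eth1 -p tcp --dport 1625` and an SNAT with a bare `--to-source` address produce none.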
