Andrew Hendrik Bootsma wrote:
> Hi Guys;
>
> I recently set up a server with a main IP of x.x.x.x and a subnet which I
> have bridged to an internal qtap0 adapter.
> My current iptables setup however blocks all traffic of the subnet, and
> when I allow the subnet;
> iptables -I FORWARD -s 213.133.127.0/29 -j ACCEPT
> iptables -I INPUT -s 213.133.127.0/29 -j ACCEPT
> It still continues to block all traffic to it; any ideas? I am fairly
> newbish with iptables.
>
> Andrew Bootsma
>

So I think you're saying you've got a virtual machine on qtap0 inside a
physical machine with, for argument's sake, eth0 as its physical interface.
Is this what you're saying? Or is qtap0 something like an ethernet going to
some other internal LAN? Doesn't matter greatly for this discussion.

    [LAN/WAN/Internet?]
            |
            |
    [[eth0 x.x.x.x]        [
    [        |             [
    [        |             [
    [[qtap0] 213.133.127.y][
    [   physical machine   ]

Firstly... `cat /proc/sys/net/ipv4/ip_forward` should result in '1' being
displayed. If not you need to adjust your /etc/sysctl.conf and then reload
it with `sysctl -p`. This is the master switch that says your host is
actually a router as well.

Secondly, and I suppose you've already done this, check that you can ping
the virtual from the host and that you can ping the host from the virtual.
If not, get that working first.

Next, if the outside world has an appropriate route to your subnet (it
appears to), that's great. If not you'll have to NAT its traffic coming out
of eth0 with something like
`iptables -t nat -A POSTROUTING -s 213.133.127.0/29 -j MASQUERADE`
which will translate everything to your x.x.x.x address; this somewhat
defeats the purpose of the /29 net, but it'll work.

Next, failing that, you'll have to supply more information like what
x.x.x.x is, your routing table, and your iptables setup:
`iptables -t filter -L -n -v` and `iptables -t nat -L -n -v`, and some
examples of the output of tcpdump on eth0 and qtap0 concurrently. EG
`tcpdump -n -i eth0 icmp` in one terminal and `tcpdump -n -i qtap0 icmp`
in another terminal. Then pings from your virtual machine to a known IP
address (avoiding DNS lookup).

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
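As an added illustration of the checklist in the reply above (not code from the thread), the script below checks the ip_forward master switch and prints a stateful FORWARD ruleset for a routed /29 behind a host; the interface names eth0/qtap0 and the conntrack-based rules are assumptions, and the rules are printed rather than applied so they can be reviewed before piping into a root shell.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumed placeholders for the setup discussed in the thread:
SUBNET="213.133.127.0/29"   # the routed /29 on the inside
WAN_IF="eth0"               # physical interface holding x.x.x.x
LAN_IF="qtap0"              # bridged/tap interface towards the VM

# Report the state of the forwarding master switch.
# The path is a parameter so the check can be exercised without /proc.
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ ! -r "$f" ]; then
        echo "missing"
    elif [ "$(cat "$f")" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Rules for the case where the provider routes the /29 to the host.
# Allowing only "-s SUBNET" in FORWARD blocks replies coming back in;
# accept established flows first, then each direction explicitly,
# and drop anything leaving the tap with a source outside the /29.
routed_subnet_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF ! -s $SUBNET -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $SUBNET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $SUBNET -j ACCEPT
EOF
}

# Fallback from the reply: hide the /29 behind x.x.x.x when it is not routed.
masquerade_rules() {
    echo "iptables -t nat -A POSTROUTING -s $SUBNET -o $WAN_IF -j MASQUERADE"
}

# Review output first; apply with: routed_subnet_rules | sudo sh
echo "ip_forward: $(ip_forward_state)"
routed_subnet_rules
```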
