How to use iptables to forward all data from an IP to a Virtual Machine
- by jro
OK, in an attempt to get some response, a TL;DR version. I know that the following command:
iptables -A PREROUTING -t nat -i eth0 --dport 80 --source 1.1.1.1 -j REDIRECT --to-port 8080
... will redirect all traffic from port 80 to port 8080. The problem is that I have to do this for every port that is to be redirected. To be future-proof, I want all ports for an IP to be redirected to a different (internal) IP, so that if one might decide to enable SSH, they can directly connect without worrying about iptables.
What is needed to reliable forward all traffic from an external IP, to an internal IP, and vice versa?
Extended version
I've scoured the internet for this, but I never got a solid answer. What I have is one physical server (HOST), with several virtual machines (VM) that need traffic redirected to them. Just getting it to work with a single machine is enough for now.
The VM's run under VirtualBox, and are set to use a host-only adapter (vboxnet0). Everything seems to work, but it is greatly lagging. Both the host (CentOS 5.6) and the guest (Ubuntu 10.04) machine are running Linux.
What I did was the following:
Configure the VM to have a static IP in the network of the vboxnet0 adapter.
Add an IP alias to the host, registering to the dedicated (outside) IP.
Setup iptables to allow traffic to come through (via sysctl).
Configure iptables to DNAT and SNAT data from a given IP address to the internal address.
iptables commands:
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
iptables -t nat -I PREROUTING -d $OUT_IP -I eth0 -j DNAT --to-destination $IN_IP
iptables -t nat -I POSTROUTING -s $IN_IP -o eth0 -j SNAT --to-source $OUT_IP
Now the site works, but is really, really slow. I'm hoping I missed something simple, but I'm out of ideas for now.
Some background info: before this, the site was working with basic port forwarding. E.g. port 80 was mapped to port 8080 using iptables. In VirtualBox (having the network adapter configured as NAT), a port forwarding the other way around made things work beautifully. The problem was twofold: first, multiple ports needed to be forwarded (for admin interfaces, https, ssh, etc). Second, it only allowed one IP address to use port 80.
To resolve things, multiple external IP addresses are used for different (sub)domains. Likewise, the "VirtualBox" network will contain the virtual machines:
DNS Ext. IP Adapter VM "VirtalBox" IP
------------------------------------------------------------------
a.example.com 1.1.1.1 eth0:1 vm_guest_1 192.168.56.1
b.example.com 2.2.2.2 eth0:2 vm_guest_2 192.168.56.2
c.example.com 3.3.3.3 eth0:3 vm_guest_3 192.168.56.3
And so on. Put simply, the goal is to channel all traffic from a.example.com to vm_guest_1 (of put differently, from 1.1.1.1 to 192.168.56.1). And achieve this with an acceptable speed :).
