
I'm on a cloud service and I'm trying to set up NAT between two VMs. I've never had issues with this simple step, but this time it is different and I'm close to giving up.

The first VM has two interfaces:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:dc:0d:77  
          inet addr:95.141.xx.xx  Bcast:95.141.xx.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:705379 errors:0 dropped:19373 overruns:0 frame:0
          TX packets:495549 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 

eth1      Link encap:Ethernet  HWaddr 00:16:3e:29:27:84  
          inet addr:192.168.100.20  Bcast:192.168.103.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:643381 errors:0 dropped:18631 overruns:0 frame:0
          TX packets:513203 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 

It runs bind9, a Varnish caching server, etc.

root@varnish:/etc/bind# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.google.com
Server:     127.0.0.1
Address:    127.0.0.1#53
Non-authoritative answer:
Name:   www.google.com
Address: 74.125.225.81

iptables for a simple MASQUERADE is configured with this script:

/sbin/iptables -t nat -F ; /sbin/iptables -F         # flush the nat and filter tables
echo 1 > /proc/sys/net/ipv4/ip_forward                # enable IP forwarding in the kernel
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  # rewrite the source of packets leaving eth0 to the public address
iptables -I FORWARD 1 -i eth1 -j ACCEPT               # forward anything arriving from the LAN side
iptables -I FORWARD 1 -o eth0 -j ACCEPT               # forward anything heading out of the public side
# replies (in on eth0, out on eth1) match neither rule; they pass only while the FORWARD policy is ACCEPT

and I can ping VM2:

root@varnish:~# ping 192.168.100.18
PING 192.168.100.18 (192.168.100.18) 56(84) bytes of data.
64 bytes from 192.168.100.18: icmp_seq=1 ttl=64 time=0.444 ms

On the other side we have another VM, with only one interface:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:aa:6f:04  
          inet addr:192.168.100.18  Bcast:192.168.103.255  Mask:255.255.252.0

and the right routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.100.20  0.0.0.0         UG    0      0        0 eth0
192.168.100.0   *               255.255.252.0   U     0      0        0 eth0
root@nginx1:~# 

When I try to ping the world from vm2:

root@nginx1:~# ping www.google.it
PING www.google.it (74.125.225.87) 56(84) bytes of data.
^C
--- www.google.it ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 0ms

and tcpdump on vm1 only shows the DNS request; no packets for the ICMP request to www.google.it are received by the gateway VM (nor dropped by the kernel, which remains at 0).

On vm2 the DNS IP in resolv.conf is obviously 192.168.100.20, which is vm1.

It is a different scenario if I just try to ping the gateway:

root@nginx1:~# ping 192.168.100.20
PING 192.168.100.20 (192.168.100.20) 56(84) bytes of data.
64 bytes from 192.168.100.20: icmp_seq=1 ttl=64 time=0.388 ms
64 bytes from 192.168.100.20: icmp_seq=2 ttl=64 time=0.921 ms

I've asked the cloud hoster if any filter is applied; they said it is not a fault on their side, and no filters are applied.

Any help is very appreciated.

JonSnow
  • Against which interface did you run `tcpdump` on vm1? What is the routing table in vm1? Does `ping www.google.it` work on vm1? – Tero Kilkanen Jun 28 '14 at 13:06
  • Do you see the packets from vm2 hitting vm1 at all? I'm referring to the traffic on the 192.168.100.20 IP, not necessarily vm1's public interface. – devicenull Jun 30 '14 at 01:43
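The comments above ask the two questions that decide where this kind of NAT problem lives: which interface tcpdump listened on, and whether vm2's packets reach 192.168.100.20 at all. The following script is an added diagnostic helper (not code from the question or from anyone in the thread). It splits the "ping from vm2 gets no reply" symptom into the three places it can break on the gateway: the ip_forward sysctl, the iptables rules, and the packet path as seen by tcpdump on each interface. Every check takes command output as text, so the functions are exercised here against constructed samples (the iptables-save text and tcpdump lines below are made up to match the question's setup; 95.141.0.2 is a placeholder for vm1's masked public address) and can be run against the real gateway with `--live`.

```sh
#!/bin/sh
# Added diagnostic helper for a MASQUERADE gateway like vm1 (example, not the
# question's own script). Checks operate on text so they work on live output
# (--live) or on the constructed samples below.

LAN_IF=eth1                 # interface facing vm2 (from the question)
WAN_IF=eth0                 # interface carrying the public address
LAN_HOST=192.168.100.18     # vm2
DST=74.125.225.87           # www.google.it as resolved in the question
WAN_IP=95.141.0.2           # placeholder: vm1's public address is masked in the post

# Constructed iptables-save output matching the script in the question.
RULES_OK='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

# Constructed tcpdump lines: what eth1 and eth0 on vm1 show when NAT works.
LAN_CAP_OK='12:00:01.000001 IP 192.168.100.18 > 74.125.225.87: ICMP echo request, id 1, seq 1, length 64'
WAN_CAP_OK='12:00:01.000050 IP 95.141.0.2 > 74.125.225.87: ICMP echo request, id 1, seq 1, length 64'

# ip_forward_ok VALUE: succeeds if the sysctl text is "1"
ip_forward_ok() { [ "$1" = 1 ]; }

# masquerade_ok RULES WAN: succeeds if RULES contain a MASQUERADE out of WAN
masquerade_ok() {
    printf '%s\n' "$1" | grep -qF -e "-A POSTROUTING -o $2 -j MASQUERADE"
}

# forward_ok RULES LAN WAN: succeeds if LAN->WAN forwarding is accepted and
# replies (WAN->LAN) are not dropped, i.e. the FORWARD policy is ACCEPT (what
# the question's script relies on) or an ESTABLISHED rule exists.
forward_ok() {
    rules=$1
    printf '%s\n' "$rules" | grep -qF -e "-A FORWARD -i $2 -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -qF -e "-A FORWARD -o $3 -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -qF -e ":FORWARD ACCEPT" && return 0
    printf '%s\n' "$rules" | grep -q -e "-A FORWARD .*ESTABLISHED"
}

# classify_path LAN_CAPTURE WAN_CAPTURE: prints where the echo request stops.
#   not-arriving  : vm2's packet never reaches vm1's LAN interface
#                   (look at vm2 and the virtual network, not at iptables)
#   not-forwarded : arrives on LAN but never leaves WAN (sysctl/rules on vm1)
#   forwarded     : leaves WAN with the public source address (NAT works;
#                   the problem is upstream or on the return path)
classify_path() {
    if ! printf '%s\n' "$1" | grep -qF "IP $LAN_HOST > $DST: ICMP echo request"; then
        echo not-arriving
    elif ! printf '%s\n' "$2" | grep -qF "IP $WAN_IP > $DST: ICMP echo request"; then
        echo not-forwarded
    else
        echo forwarded
    fi
}

# live_checks: same checks on the real gateway (needs root, iptables, tcpdump).
live_checks() {
    WAN_IP=$(ip -4 -o addr show dev "$WAN_IF" | awk '{print $4}' | cut -d/ -f1)
    ip_forward_ok "$(cat /proc/sys/net/ipv4/ip_forward)" || echo "ip_forward is 0"
    rules=$(iptables-save)
    masquerade_ok "$rules" "$WAN_IF" || echo "no MASQUERADE on $WAN_IF"
    forward_ok "$rules" "$LAN_IF" "$WAN_IF" || echo "FORWARD chain would block traffic"
    # Capture a few ICMP packets on each side while vm2 runs its ping.
    lan=$(timeout 10 tcpdump -nni "$LAN_IF" -c 3 icmp and host "$LAN_HOST" 2>/dev/null)
    wan=$(timeout 10 tcpdump -nni "$WAN_IF" -c 3 icmp and host "$DST" 2>/dev/null)
    echo "path: $(classify_path "$lan" "$wan")"
}

if [ "${1:-}" = "--live" ]; then live_checks; fi
```

Run it as `sh natcheck.sh --live` on the gateway while vm2 pings, with the capture on the LAN side first: if the echo request never shows up on eth1 while DNS queries from the same host do, the iptables rules on vm1 are not what stops the packet, and the question moves to vm2 and the virtual switch between the two VMs.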

0 Answers