
I'm trying to set up a network like this:

[image: Network map]

...but I'm facing an issue.

Here's the point:

If I try to reach (e.g.) mywebsite1.com from outside, it works like a charm and my wonderful website is shown, but whenever I try to run (e.g.) apt-get update from inside Virtual Server 2 it throws an error like "Failed to connect to xxx-whatever-website.com port 80: connection refused".

The problem is solved if I delete the PREROUTING rule on the main server firewall (its configuration is below) but, of course, then I'm no longer able to connect to mywebsite1.com from outside. Same story if I change the Virtual Server's default gateway to 192.168.1.1.

I naively tried to add a static route on the main server (something like ip route add 192.168.1.1 via 192.168.1.32) but, of course, it didn't work. Should I try to mark the packets in some way, in order to recognize the source client?


Physical Server (192.168.1.30) Firewall configuration

Note: all chains have ACCEPT as default policy

*nat
-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.1.32:80
KaMZaTa
  • Are all your servers on one flat lan? or is "server" acting as a router? – Peter Green Nov 13 '18 at 20:07
  • Yes, the main physical server (192.168.1.30) is acting as the router for port 80. It's a flat LAN. The main router (192.168.1.1, facing the network) exposes only the one physical server (192.168.1.30), which uses its NAT table to route port 80 to Virtual Server 1, which works as a reverse proxy for Virtual Servers 2, 3, 4. – KaMZaTa Nov 13 '18 at 20:31

1 Answer

Your problem is that your DNAT rule has no destination address filter on it; you need to add '-d 192.168.1.30' to the rule.

Peter Green
  • What do you mean exactly? As shown in the image, the DNAT destination address is set to 192.168.1.32:80 in the rule. – KaMZaTa Nov 13 '18 at 20:59
  • Now I got you, sorry. I wrongly thought _-d_ was a simple shortening of the _--to-destination_ option; instead it's the option to set the original destination target. Since I didn't specify that, my rule hit all destination targets. Now I set it like this: `-A PREROUTING -p tcp -m tcp -d 192.168.1.30 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.1.32:80` and it works flawlessly. You are right, thanks. – KaMZaTa Nov 14 '18 at 04:09