Iptables – Forward traffic into docker container/VM

dockeriptablesnetworkingvirtualbox

I have a pretty beefy machine at my disposal running Ubuntu 16.04 Server. It's running several docker containers and virtual machines (using VirtualBox) referred to as VMs hereafter. At the moment the host has assigned one IP address (say, 192.168.1.10) and the services on the VMs are accessed by NATing (e.g. 192.168.1.10:80 -> 172.17.0.2:80), which is unsatisfactory.
Instead, I'd like to bind multiple IP addresses (say, 192.168.1.100-110) to the hosts interface and forward the traffic hitting the additional IP addresses into the VMs. Which results in a mapping <public IP> <--> <private IP>.

I've been able to accomplish this first part by adding
[...] up ip addr add 192.168.1.1xx/24 dev ens3 label ens3:0 down ip addr del 192.168.1.1xx/24 dev ens3 label ens3:0 [...]
entries into my /etc/network/interfaces file (where ens3 obviously is the name of the host network interface). That means the additional IP addresses are up an running.

But the second part causes me headaches. So far I've only considered iptables based solutions, as it seems most appropriate and all guides I've read so far used it also.
So what I did was activating IP forwarding by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf.

Then, I issued the following commands to do the forwarding:
iptables -t nat -A POSTROUTING -d 172.17.0.2 -j SNAT --to-source 192.168.1.100 iptables -t nat -A PREROUTING -d 192.168.1.100 -j DNAT --to-destination 172.17.0.2
172.17.0.2 is the private IP of one of the VMs. It's running a webserver at port 8000. telnet 172.17.0.2 8000 establishes a connections, which tells me that the webserver is running. But telnet 192.168.1.100 8000 doesn't work.
Almost all tutorials on iptables deal with forwarding one port or a range of ports but there are only few that deal with all the traffic on an interface.
Can anyone spot my mistake? Or does anyone have good advice for alternative tools that get the job done?

Best Answer

Your NAT rule should work:

iptables -t nat -A PREROUTING -d 192.168.1.100 -j DNAT --to-destination 172.17.0.2

However, you need to add another rule if you are requesting some service from the same machine (locally):

iptables -t nat -A OUTPUT -d 192.168.1.100 -j DNAT --to-destination 172.17.0.2

The NAT rule can be applied to specific port(s) of specific protocol or to all protocols and ports (as the case here).

Related Solutions

Iptables / bridge / NAT setup

We do something quite similar here. 3 subnets behind a CentOS5 "router". Basically we just have iptables set to the follow 'nat' table rule:

iptables -t nat -A POSTROUTING -o <external NIC device> -j SNAT --to-source <external interface IP>

In our case, device is eth1 and the IP is 10.0.0.2 to differentiate from the Class C IP4 subnets we're still using here.

The real work is done by the routing table. If your NICs are configured properly, the routing table entries should already exist.

For instance, we have these two subnets in the routing table:

192.168.16.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.13.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2

But the external traffic is handled by the default gateway line:

0.0.0.0         10.0.0.10       0.0.0.0         UG    0      0        0 eth1

And traffic coming back in through the NAT is tracked by the netfilter module in the kernel and sent to its originating IP by the 'State RELATED,ESTABLISHED' line in the regular chain FORWARD in iptables:

 158M  168G ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  8M   11G ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

(Note: Any neckbeard want to correct errors in this, please pop in a comment. I'd love to hear a critique.)

OpenVPN Port Forwarding – How to Forward Ports Through OpenVPN

It's because the OUTPUT chain only acts on packets originating from a local process. (See this useful image here.)

If you replace (or supplement if you still want to connect form the gateway) that rule with:

iptables -t nat -A PREROUTING -p tcp --dport 3306 -j DNAT --to 10.8.0.51

And, if you haven't already allowed for the traffic:

iptables -t filter -A FORWARD -p tcp -d 10.8.0.51 --dport 3306 -j ACCEPT

Then your connection should go through. Since it's already working form the gateway, you can be sure MySQL is listening correctly and that its server is accepting the connection.

However, I question whether you actually need NAT at all. Routing alone should handle this, with the appropriate FORWARD rule. That routing can be established manually or through the VPN server config, it depends on your requirements. If you want to look at this option, can you add your openvpn server configuration and the output of route -n to your post?

EDIT

To ensure the connection routes back over the VPN, you'll need a route to your LAN from the server. To add this manually on the MySQL Server:

route add -net 192.168.1.0/24 dev tun0 (if tun0 is your VPN client interface).

If it works, it's better to add this to your VPN client config: route 192.168.1.0/24 (This will automatically create the route on connection, regardless of the tunnel interface or the PPP endpoint addresses being used)

A useful debugging tip: tcpdump -i tun0 -qtln port 3306 on the server will show you the mysql traffic going through the VPN adaptors (client or server). You should be able to see where the connection handshaking is going awry.

Best Answer

Related Solutions

Iptables / bridge / NAT setup

OpenVPN Port Forwarding – How to Forward Ports Through OpenVPN

Related Topic