Virtualisation/Openvz NAT


Voici un petit script à placer dans /etc/network/if-up.d/ si vous voulez faire du NAT.


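#!/bin/sh
#
# OpenVZ host firewall + NAT for the container subnet.
#
# Intended for /etc/network/if-up.d/, so it may run more than once per boot;
# every table it writes to is flushed first so that re-running it is harmless.
# Adjust the variables in the "Site configuration" section for another host;
# the defaults reproduce the original setup.
#
# Requires: iptables, run as root.

### BEGIN INIT INFO
# Provides:          openvz-nat
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenVZ-NAT
# Description:       Enables NAT and the firewall
### END INIT INFO

# Stop at the first failing iptables call rather than continuing with a
# half-applied rule set.
set -e

#### Site configuration ####
EXT_IF=eth0                 # public interface
EXT_IP=195.154.122.187      # public address of the host
VM_NET=192.168.12.0/24      # container (venet) subnet
CT2_IP=192.168.12.40        # "CT2 - Web" container

#### Reset the filter and nat tables ####
# The nat table must be flushed as well: the original only flushed "filter",
# so each run appended a new copy of the SNAT/DNAT rules.
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

#### Default policies ####
# Nothing reaches the host unless explicitly allowed below; forwarding and
# outbound traffic are open.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT

# Keep established and related connections working.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping).
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH to the host.
# (The OUTPUT rules in this and the following sections are redundant while the
# OUTPUT policy is ACCEPT; they are kept so the allow-list is complete should
# the policy ever be tightened.)
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# DNS.
# NOTE(review): the INPUT rules expose port 53 on every interface, including
# the public one; if this host only resolves for its containers, add
# "-i venet0" to them.
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP, outbound only.
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT


####    NAT    ####

# Enable IPv4 forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Masquerade the container subnet behind the public address.
iptables -t nat -A POSTROUTING -s "$VM_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"

# Containers may reach every service on the host.
# NOTE(review): this grants the containers unrestricted access to the host's
# listening services (SSH, DNS, anything else bound to 0.0.0.0); narrow it to
# the ports they actually need if the containers are not fully trusted.
iptables -A INPUT -i venet0 -j ACCEPT

# forward_tcp EXT_PORT CT_PORT
#   Publish TCP port EXT_PORT of the public address as port CT_PORT of CT2.
#   The DNAT rewrites the destination before the FORWARD chain sees the packet,
#   so the FORWARD match uses the *container* port, not the public one (the
#   original matched --dport 2222 there, which never matches after DNAT).
#   The original FORWARD rules also lacked a target (-j), so they matched but
#   did nothing; while FORWARD's policy is ACCEPT this is harmless, but the
#   rules become the allow-list the moment that policy is changed to DROP.
forward_tcp() {
  iptables -t nat -A PREROUTING -p tcp -d "$EXT_IP" --dport "$1" \
    -j DNAT --to-destination "$CT2_IP:$2"
  iptables -A FORWARD -p tcp -d "$CT2_IP" --dport "$2" -j ACCEPT
}

# CT2 - Web
forward_tcp 2222 22    # SSH to CT2 on public port 2222
forward_tcp 80 80      # HTTP
forward_tcp 443 443    # HTTPS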