My server has several public IPs, and is running a bunch of virtual machines with private IP addresses.
As an example, I want to map ports 80, 443 and 8080 on 232.21.23.23 (public) to 192.168.122.12 (private). I have tried a couple of different NAT mappings, but none of them seem to work:
# This doesn't work.
DNAT net loc:192.168.122.12 tcp 80,443,8080 - 232.21.23.23
# Neither does this.
DNAT $FW loc:192.168.122.12 tcp 80,443,8080 - 232.21.23.23
# Nor this.
DNAT net:232.21.23.23 loc:192.168.122.12 tcp 80,443,8080
# I have no idea what I'm doing.
DNAT $FW:232.21.23.23 loc:192.168.122.12 tcp 80,443,8080
Can anyone point me in the right direction?
Your first rule is correct:
So the problem must lie elsewhere. You can see the underlying iptables rules created with this:
NATed packets still need to traverse the FORWARD chain and be accepted. Try adding the following rule to accept traffic to the VMs on these ports:
As an additional comment to the previous answers, make sure of the order in which you place the rules.
Example:
Let's say you configured your rules like this:
If you want to get to 172.17.20.47 on port 80, you will always end up in 172.17.20.25 because the destination address is the default 0.0.0.0.
So if you want to get to 172.17.20.47 through public IP address 200.x.y.z, you should modify the order of the rules:
Or modify the default address of the first rule.
I hope it helps!
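To make the two points above concrete (the DNAT column layout from the question and the first-match ordering from the last answer), here is an added example that is not part of the original thread or of Shorewall itself: a small simulator that parses `DNAT` rules lines and reports which rule a packet hits first. The hosts 172.17.20.25/.47 and 192.168.122.12 are taken from the thread; 203.0.113.47 is a constructed stand-in for the answer's "200.x.y.z".

```python
# Added example: first-match simulation of Shorewall DNAT rules, to show why a rule
# whose ORIGINAL DEST column is "-" (any address) shadows later, more specific rules.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    source: str             # SOURCE column, e.g. "net"
    dest: str               # DEST column, e.g. "loc:192.168.122.12"
    proto: str              # PROTO column
    dports: Set[int]        # DEST PORT(S) column, comma-separated list only
    origdest: Optional[str]  # ORIGINAL DEST column; None when it is "-" or absent


def parse_rule(line: str) -> Rule:
    """Parse one 'ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST' rules line."""
    cols = line.split()
    if cols[0] != "DNAT":
        raise ValueError("only DNAT rules are handled in this example")
    origdest = cols[6] if len(cols) > 6 and cols[6] != "-" else None
    ports = {int(p) for p in cols[4].split(",")}
    return Rule(cols[1], cols[2], cols[3].lower(), ports, origdest)


def first_match(rules: List[Rule], dst_ip: str, proto: str, dport: int) -> Optional[str]:
    """Return the private host the first matching rule forwards to, or None."""
    for r in rules:
        if r.proto != proto or dport not in r.dports:
            continue
        if r.origdest is not None and r.origdest != dst_ip:
            continue            # specific original-destination rule, wrong public IP
        return r.dest.split(":", 1)[1]   # "loc:HOST" -> "HOST"
    return None


# The question's first rule, which the accepted answer says is correct.
QUESTION_RULE = parse_rule("DNAT net loc:192.168.122.12 tcp 80,443,8080 - 232.21.23.23")

# Constructed rules in the shape of the last answer: the first one has no
# ORIGINAL DEST, so it catches every packet to port 80 before the second is seen.
MISORDERED = [parse_rule(l) for l in (
    "DNAT net loc:172.17.20.25 tcp 80 - -",
    "DNAT net loc:172.17.20.47 tcp 80 - 203.0.113.47",
)]
REORDERED = list(reversed(MISORDERED))   # the fix: specific rule first

if __name__ == "__main__":
    print("misordered:", first_match(MISORDERED, "203.0.113.47", "tcp", 80))  # 172.17.20.25
    print("reordered: ", first_match(REORDERED, "203.0.113.47", "tcp", 80))   # 172.17.20.47
```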