
I've decided to try FIWARE Lab and I've decided to test the cloud. Here, I can create up to 3 VMs and I can have one (and only one) public IP. The first question that comes to mind is "How am I supposed to access 3 virtual hosts with just a single public IP?". But thinking about it more closely, the question turns out to be "Do I really need more public IPs for my project?" -- I don't think so.
For my test application, I've deployed 3 VMs and allocated one public IP:
- 10.0.3.214, which is going to be my frontend and the one with the public IP associated
- 10.0.4.146
- 10.0.4.145
The obvious way.
I can access 10.0.4.145 and 10.0.4.146 just by connecting over ssh to the first one and, from that host, ssh-ing into the other two VMs. Easy, even with a single command:
$ ssh -t root@<public_ip>
Easy, really easy... but that isn't what I was thinking of.
Redirections
A single redirection using iptables does the trick nicely. However, we first need to create the security rules in OpenStack. I've created an insecure security group with absolutely open rules. These rules are, by definition, insecure: I have to protect my virtual machine myself and shouldn't expect any protection from OpenStack, but I can do whatever I want with the ports. So now we are ready to type the following commands on the virtual host with the public IP:
$ echo "1" > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A PREROUTING -d 10.0.3.214/32 -p tcp -m tcp --dport 20022 \
-j DNAT --to-destination 10.0.4.145:22
$ iptables -t nat -A PREROUTING -d 10.0.3.214/32 -p tcp -m tcp --dport 30022 \
-j DNAT --to-destination 10.0.4.146:22
$ iptables -t nat -A POSTROUTING ! -s 10.0.3.214/32 -d 10.0.4.145 -j MASQUERADE
$ iptables -t nat -A POSTROUTING ! -s 10.0.3.214/32 -d 10.0.4.146 -j MASQUERADE
And now I am able to access the virtual hosts with private IPs using ssh:
$ ssh root@<public_ip> -p 20022
$ ssh root@<public_ip> -p 30022
...And how can I access my Database?
If you are absolutely positive that you want to access your database from anywhere on the Internet (I'm positive I don't want that for my databases), you can simply add a new redirection.
Let's imagine that I have a MySQL database on 10.0.4.146 -- I could simply add a rule to iptables:
$ iptables -t nat -A PREROUTING -d 10.0.3.214/32 -p tcp \
-m tcp --dport 3306 -j DNAT --to-destination 10.0.4.146:3306
And now we have our fully vulnerable MySQL server accessible from the whole Internet.
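The redirections above (the two ssh ones and the MySQL one) follow one pattern, so here is an added example, not code from the original post, that generates the rule set for any forwarded port. It uses the post's addresses; the optional trusted-source CIDR (which is what keeps the MySQL port from being open to the whole Internet), the FORWARD-chain rule, the `iptables -C` idempotency check and the `--apply` switch are assumptions added here, and 203.0.113.0/24 is a constructed placeholder network.

```shell
#!/bin/sh
# Added example, not code from the original post: generate (and optionally apply)
# the DNAT/MASQUERADE rule set for one forwarded port on the frontend VM.
# Addresses are the post's own; the trusted-CIDR option, the FORWARD rule and
# the --apply switch are assumptions added here.

FRONTEND_IP=10.0.3.214

# forward_rules <public_port> <backend_ip> <backend_port> [<trusted_cidr>]
# Prints the iptables commands for one redirection; executes nothing.
# With a trusted CIDR the PREROUTING rule only matches that source, so the
# forwarded service is reachable from one network, not the whole Internet.
forward_rules() {
  pport=$1; bip=$2; bport=$3; src=${4:-}
  match=""
  [ -n "$src" ] && match="-s $src "
  # DNAT: rewrite the destination of packets arriving on the public port
  printf 'iptables -t nat -A PREROUTING %s-d %s/32 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$match" "$FRONTEND_IP" "$pport" "$bip" "$bport"
  # MASQUERADE: the backend sees the frontend as source, so replies return via it
  printf 'iptables -t nat -A POSTROUTING ! -s %s/32 -d %s/32 -j MASQUERADE\n' \
    "$FRONTEND_IP" "$bip"
  # filter table: required when the FORWARD chain default policy is DROP
  printf 'iptables -A FORWARD -d %s/32 -p tcp -m tcp --dport %s -j ACCEPT\n' \
    "$bip" "$bport"
}

# apply_rule <iptables command line>: add the rule only if it is not already
# present (iptables -C), so re-running the script does not duplicate rules.
apply_rule() {
  check=$(printf '%s' "$1" | sed 's/ -A / -C /')
  $check 2>/dev/null || $1
}

# all_rules: the post's two ssh redirections plus a MySQL redirection limited
# to a constructed trusted network (203.0.113.0/24 is documentation space).
all_rules() {
  forward_rules 20022 10.0.4.145 22
  forward_rules 30022 10.0.4.146 22
  forward_rules 3306 10.0.4.146 3306 203.0.113.0/24
}

case "${1:-}" in
  --apply)
    echo 1 > /proc/sys/net/ipv4/ip_forward   # as in the post; not persistent across reboots
    all_rules | while IFS= read -r line; do apply_rule "$line"; done ;;
  *)
    all_rules ;;                              # dry run: only print the rules
esac
```

Run without arguments to review the generated rules; `--apply` (as root on the frontend) installs them, skipping any rule already present.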