# qemu bridge to local net, local net natting to wan

## blubberbaer

Dear forum,

mmmm this is wracking my mind. I want to achieve the following thing:

```
 -----------------------------------------------
| HOST                                          |
|                                               |
|                       NAT                     |
|    eth0  <--------------------- >   eth1      |
|      |                                |       |
|      |                     bridge     |       |
|      |      Virt. Guest <--------     |
|      |                                |       |
|      |                                |       |
-----  |------------------------------  |----
       |                                |
      WAN                            local net
```

On the host I would like to run a Samba ADDC. It is already up and running. A Samba file share server should run on the Virt. Guest. This is a recommendation I've found in the Samba Wiki.

What I did achieve is the following.

1) The Samba ADDC is up and running.

2) The Samba ADDC serves only the local net.

3) The natting between eth1 and eth0 is up and running.

    Right now eth0 is my wlan0 interface, but it will be replaced by an eth0 interface.

4) The local net clients do have access to the WAN via natting.

5) I've installed a qemu virtual machine.

And now the trouble starts. I was able to set up a bridge between the Virtual Guest and the eth1 interface. The Virtual Guest was able to talk to the host (ping, ssh). The bridge interface got the IP which formerly belonged to the eth1 interface. The Samba ADDC could still talk to my local net clients and vice versa. One thing is not working: natting between my bridge interface and my WAN interface. I've followed the Gentoo home router guide (https://wiki.gentoo.org/wiki/Home_router) to set up the natting between eth0 and eth1 without the bridge interface. Since the bridge interface now gets the IP of my eth1 interface, I thought it would be as simple as setting up the iptables rules for natting between the br0 and eth0 interface.

But this didn't work.

Here comes some code. This is my network config without my Virtual Guest:

net.conf

```
modules_wlan0="wpa_supplicant"
wpa_supplicant_wlan0=""
config_wlan0="dhcp"
dhcpcd_wlan0="-t 20 -n --nohook ntp.conf --nohook resolv.conf --nohook hostname"

config_eth1="10.20.40.254 netmask 255.255.255.0"
routes_eth1="10.20.40.0/24 via 10.20.40.254"

# written to /etc/resolv.conf
#dns_servers_eth1="10.20.40.254"
#dns_search_eth0="xx.yyyy"
```

enable_natting_script

```
#!/bin/bash

/etc/init.d/iptables stop

# First flush our current rules
iptables -F
iptables -t nat -F

# Set the default behaviour for packets that match no rule
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Copy these examples ...
export LAN=eth1
export WAN=wlan0
NET="10.20.40.0/255.255.255.0"

# ntp
iptables -A INPUT -p udp -m udp --dport 123 -j ACCEPT

# Then restrict our services so that they only work on the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT

# (Optional) Allow access to our SSH server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

# (Optional) ntp forwarding
iptables -A OUTPUT -p udp -m udp --sport 123 -j ACCEPT

# (Optional) ntp forwarding
iptables -I FORWARD -p udp -m udp --dport 123 -j ACCEPT

# Drop TCP/UDP packets for privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the NAT rules
iptables -I FORWARD -i ${LAN} -d "${NET}" -j DROP
iptables -A FORWARD -i ${LAN} -s "${NET}" -j ACCEPT
iptables -A FORWARD -i ${WAN} -d "${NET}" -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that IP forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
```

The question is: how do I integrate the Virtual Guest OS running my Samba file server into my network, which is served by the eth1 interface?

Many many thanks in advance,

blubberbaer

----------
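The bridged case the post asks about, as an added example that is not the poster's script or the Gentoo guide's: the same router ruleset emitted in iptables-restore format with the inside interface as a parameter, so it can be loaded with br0 in place of eth1 (once eth1 is enslaved to the bridge, the kernel routes on br0 and rules matching `-i eth1` no longer see any routed traffic). The `nat_rules` helper, the interface names and the 10.20.40.0/24 subnet are assumptions taken from the post; the ESTABLISHED,RELATED match on the WAN-to-LAN rule is a tightening over the post's unconditional ACCEPT.

```shell
#!/bin/sh
# Added example, not the poster's script: the Gentoo-style router ruleset in
# iptables-restore format, with the inside interface as a parameter. Once eth1
# is enslaved to br0, the kernel routes on br0, so every "-i eth1" match stops
# seeing traffic and the FORWARD policy DROP quietly eats LAN/guest packets
# bound for the WAN. Interface names and the subnet are assumed from the post.

# nat_rules <inside-iface> <outside-iface> <inside-subnet>
# Usage on the host (needs root): nat_rules br0 wlan0 10.20.40.0/24 | iptables-restore
nat_rules() {
    lan="$1"; wan="$2"; net="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${lan} -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -p tcp --dport 22 -i ${wan} -j ACCEPT
# DHCP and DNS are served only on the inside interface
-A INPUT -p udp --dport 67 ! -i ${lan} -j REJECT
-A INPUT -p udp --dport 53 ! -i ${lan} -j REJECT
-A INPUT -p tcp ! -i ${lan} --dport 0:1023 -j DROP
-A INPUT -p udp ! -i ${lan} --dport 0:1023 -j DROP
# If br_netfilter is loaded (net.bridge.bridge-nf-call-iptables=1), frames
# bridged between the guest's tap and the wired port also traverse FORWARD
# with in and out both ${lan}; accept them before the next rule drops them.
-A FORWARD -i ${lan} -o ${lan} -j ACCEPT
-A FORWARD -i ${lan} -d ${net} -j DROP
-A FORWARD -i ${lan} -s ${net} -j ACCEPT
# Tightened from the post: only replies to inside-initiated flows come back in
-A FORWARD -i ${wan} -d ${net} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
EOF
}

# Forwarding still has to be enabled in the kernel, exactly as in the post:
#   sysctl -w net.ipv4.ip_forward=1
```

Running the function with `eth1` as the first argument reproduces the post's pre-bridge ruleset, which is a quick way to diff the two and see that only the interface name changes.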

