On Tue, 2013-06-18 at 06:13 -0700, srawilliams wrote:
> Hi,
>
> I have a ubuntu 12.04 Xen host with a bridge network
>
> ----------
> # This file describes the network interfaces available on your system
> # and how to activate them. For more information, see interfaces(5).
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> allow-hotplug eth0
> iface eth0 inet manual
>
> auto xenbr0
> iface xenbr0 inet static
> bridge_ports eth0
> address 172.29.213.104
> netmask 255.255.255.128
> gateway 172.29.213.1
> dns-nameservers 8.8.8.8
> ------
>
> Because of firewall restrictions I have to SNAT or masquerade to the host,
> which I do on the xenbr0 bridge.
>
> iptables -t nat -A POSTROUTING -o xenbr0 -j MASQUERADE
Is this your entire firewall configuration?
> I also have ipforwarding set on the host
>
> net.ipv4.ip_forward = 1
> net.ipv4.conf.eth0.proxy_arp = 1
>
> This works fine. My guests can see the world, however everything routed to
> the guests from the world gets the IP address of xenbr0.
Where/how are things routed to the guest? Do you have DNAT firewall
rules or are you just talking about things which are "replies" to
outgoing connections established by the guest?
Are you saying that the source IP address of the datagrams arriving at
the guest is always 172.29.213.104 rather than the IP address of the
remote server you are talking to?
> I am presuming
> because requests in to those guests go via xenbr0 which changes the source
> on the way to the guest.
>
> I have tried taking off the POSTROUTING from xenbr0 and tried both SNAT and
> MASQUERADE on eth0 but this does not work.
>
> Please help. I don't have enough knowledge to figure out a
> solution.
You seem to be using a "brouter" type configuration, which is rather
advanced (I don't really understand the ins and outs myself). You might
have more luck doing a more standard NAT type thing.
There's some more info on NAT and brouters linked from
http://wiki.xen.org/wiki/Xen_Networking
Ian.
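As an added illustration of the "more standard NAT type thing" suggested above (this is not code from the thread or from the Xen project): the rule quoted in the original post, `-t nat -A POSTROUTING -o xenbr0 -j MASQUERADE`, matches every packet leaving the host through xenbr0, including packets delivered toward the guests, so the guests see the host's address as the source. The usual layout instead puts the guests on their own bridge with a private subnet and masquerades only flows from that subnet as they leave on the uplink. The subnet `10.0.0.0/24`, the guest bridge `xenbr1` and the uplink name `eth0` below are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: guests sit on a
# second bridge (xenbr1, no physical port) in a private subnet, and eth0 is
# the uplink that carries the host's public address. Names are placeholders.

GUEST_NET="${GUEST_NET:-10.0.0.0/24}"
UPLINK="${UPLINK:-eth0}"

# Print the rule set instead of applying it, so it can be reviewed first
# (pipe to sh to apply).
nat_rules() {
    # Masquerade only traffic that originated in the guest subnet and is
    # leaving on the uplink. Packets heading toward the guests never match,
    # so the guests keep seeing the real remote source address.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$GUEST_NET" "$UPLINK"
    # Forward guest-originated flows out, and only replies back in.
    printf 'iptables -A FORWARD -s %s -o %s -j ACCEPT\n' "$GUEST_NET" "$UPLINK"
    printf 'iptables -A FORWARD -d %s -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$GUEST_NET" "$UPLINK"
    printf 'iptables -P FORWARD DROP\n'
}

# Return 0 when a MASQUERADE rule selects the guest-facing bridge as its
# output interface, which is the pattern from the original post that rewrites
# the source of packets delivered to the guests. Usage:
#   masquerades_guest_side "<iptables command line>" <bridge-name>
masquerades_guest_side() {
    rule="$1"
    bridge="$2"
    case "$rule" in
        *MASQUERADE*) ;;
        *) return 1 ;;
    esac
    case "$rule" in
        *"-o $bridge "*|*"-o $bridge") return 0 ;;
        *) return 1 ;;
    esac
}

# Review the generated rules and check them against the guest bridge.
nat_rules
nat_rules | while IFS= read -r line; do
    if masquerades_guest_side "$line" xenbr1; then
        echo "WARNING: masquerading on the guest bridge: $line" >&2
    fi
done
```

The source match (`-s $GUEST_NET`) is what keeps the rule from touching anything but guest-originated traffic; the interface match alone, as in the quoted configuration, is too broad once the host's own address lives on the same bridge as the guests.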