Hi all

I set up a debian sarge box with XEN 3.0 and LVM at my ISP. dom0 has a range of public IPs. As long as I used bridged networking to the VMs, everything worked fine, I could access all VMs by their IP.

Then I switched in /etc/xen/xend-config.sxp to a private virtual domU network with NAT:

(network-script network-nat)
(vif-script vif-nat)

and gave the VMs IPs in the 10.0.0.x range, and I set on dom0 the following NAT rule for SSH access to a VM in domU:

iptables -A PREROUTING -t nat -p tcp -i eth0 -d 72.232.68.66 --dport 9641 -j DNAT --to-destination 10.0.0.1:22

Now I can't access the VM from outside anymore, an SSH client to 72.232.68.66:9641 keeps hanging. However I can ping the VMs in domU from dom0 and vice versa and also ping a VM from another VM. I have not set up any additional iptables rules.

The filter rules generated by the XEN scripts produced the following (iptables -L):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif5.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.2             anywhere            PHYSDEV match --physdev-in vif6.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.2             anywhere            PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.2             anywhere            PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And the NAT rules I get:

target     prot opt source               destination
DNAT       tcp  --  anywhere             66.68.232.72.reverse.layeredtech.com  tcp dpt:9641 to:10.0.0.1:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Has anybody a clue what is missing to get the NAT working? I had the impression that a private NATted network with XEN 3.0 is supposed to work out of the box when using the XEN provided scripts, so there must be something I am doing stupidly wrong!

regards
--
Roberto Saccon

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi,

I am using nat in XEN 3.0.1 and it works. I have one dom0 and one domU, but I think it will work for more domUs, too.

I have an iptables-script that runs on every bootup:

========== SNIP =========
#!/bin/bash
ipt=/sbin/iptables

extip=72.232.68.66

$ipt -F -t nat
$ipt -F
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 22 -j DNAT --to 10.0.0.3
# FTP
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 21 -j DNAT --to 10.0.0.3
# FTP-Passive Ports
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 10001:10020 -j DNAT --to 10.0.0.3

$ipt -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
========== SNAP =========

That's it.

If you want to change the destination port (i.e. --to 10.0.0.3:22), I think it will work, too.

Important are the lines
-> echo "1" ...
and
-> ... MASQUERADE

So any network traffic to outside is possible and inbound traffic for the specified ports.

This script has a further function: The lines beginning with "$ipt -F" will first delete all existing rules and then overwrite them with the new ones. So you can upgrade your script with a further rule (or delete a rule) and run it without any connection loss.

----- Original Message -----
From: Roberto Saccon
To: xen-users@lists.xensource.com
Sent: Saturday, April 22, 2006 3:22 AM
Subject: [Xen-users] can't get NAT to a VM on domU working
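Hardy's script works because of the two lines he points at, but it also flushes the whole filter table (including the per-vif rules the Xen scripts installed, as seen in the iptables -L output above) and leaves FORWARD at ACCEPT, so dom0 will route whatever it receives. Below is an added example of the same DNAT + MASQUERADE setup with a default-drop FORWARD chain; it is my code, not Hardy's, assumes Roberto's values (eth0, 72.232.68.66, port 9641, domU 10.0.0.1), and only prints the rules unless IPT is pointed at the real iptables.

```shell
#!/bin/sh
# Added example, not Hardy's script: DNAT + MASQUERADE with a default-DROP
# FORWARD chain, so dom0 forwards only the flows it was told to.
# Assumed values (from the thread): public interface eth0, public IP
# 72.232.68.66, external port 9641 -> domU 10.0.0.1:22, private net 10.0.0.0/24.
# IPT defaults to "echo": the script prints the rules instead of applying them.
# Run with IPT=/sbin/iptables as root to apply.
IPT="${IPT:-echo}"
EXTIF="${EXTIF:-eth0}"
EXTIP="${EXTIP:-72.232.68.66}"
EXTPORT="${EXTPORT:-9641}"
DOMU="${DOMU:-10.0.0.1}"
LAN="${LAN:-10.0.0.0/24}"

# One iptables invocation, or its text when IPT=echo.
rule() {
    if [ "$IPT" = echo ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}

nat_rules() {
    # Start clean, but only in what this script owns: the nat table and FORWARD.
    rule -t nat -F
    rule -F FORWARD
    rule -P FORWARD DROP
    # Rewrite only connections arriving on the public interface, so domU-to-domU
    # traffic and dom0's own traffic are never DNATed by accident.
    rule -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p tcp --dport "$EXTPORT" -j DNAT --to-destination "$DOMU:22"
    rule -t nat -A POSTROUTING -s "$LAN" -o "$EXTIF" -j MASQUERADE
    # Packets of flows already accepted below, in both directions.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections: only the DNATed SSH flow (FORWARD sees the post-DNAT address).
    rule -A FORWARD -i "$EXTIF" -d "$DOMU" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # New outbound connections: only from the private range, never from the public side.
    rule -A FORWARD ! -i "$EXTIF" -s "$LAN" -m state --state NEW -j ACCEPT
}

# Routing must be on or DNATed packets never reach domU (Hardy's echo "1" line).
enable_forwarding() {
    if [ "$IPT" = echo ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

enable_forwarding
nat_rules
```

Unlike Hardy's version, INPUT and OUTPUT are left untouched, so rerunning the script does not reset dom0's own host policy.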
Roberto Saccon
2006-Apr-23 05:13 UTC
Re: [Xen-users] can't get NAT to a VM on domU working
I tried the script, but it still doesn't work, no idea why. But there are some packets flowing in both directions when I snoop at the interface with tcpdump:

Client
--------
C:\Projects\workspace\test>ssh -p 9641 myuser@72.232.68
=====> nothing happens, no login prompt

Server
---------
debian:/etc/network/if-up.d# tcpdump port 9641
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:11:22.558334 IP 20118084046.host.telemar.net.br.3642 > 66.68.232.72.reverse.layeredtech.com.9641: S 527634138:527634138(0) win 65535 <mss 1440,nop,nop,sackOK>
17:11:22.559186 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: S 2147392498:2147392498(0) ack 527634139 win 5840 <mss 1460,nop,nop,sackOK>
17:11:22.773303 IP 20118084046.host.telemar.net.br.3642 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
17:11:22.774534 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:25.010308 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 2122373579:2122373620(41) ack 1463730555 win 5840
17:11:25.770312 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:30.340289 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: P 2106317302:2106317343(41) ack 140188642 win 5840
17:11:31.960354 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:43.960327 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:49.010266 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 0:41(41) ack 1 win 5840
17:12:07.960289 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:12:18.340358 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: P 0:41(41) ack 1 win 5840
17:12:37.010319 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 0:41(41) ack 1 win 5840
17:12:56.110370 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:13:54.340304 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: P 0:41(41) ack 1 win 5840
17:14:13.010326 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 0:41(41) ack 1 win 5840
17:14:32.110316 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:15:54.340321 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: P 0:41(41) ack 1 win 5840
17:16:14.330375 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 0:41(41) ack 1 win 5840
17:16:32.110332 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:17:54.340333 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: P 0:41(41) ack 1 win 5840
17:18:14.330306 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 0:41(41) ack 1 win 5840
17:18:32.340359 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:19:54.340350 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: P 0:41(41) ack 1 win 5840
17:20:14.330319 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: P 0:41(41) ack 1 win 5840
17:20:32.340377 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:20:45.220777 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3640: F 41:41(0) ack 1 win 5840
17:21:04.020812 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3641: F 41:41(0) ack 1 win 5840
17:21:22.880758 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: F 42:42(0) ack 1 win 5840
17:21:23.160310 IP 20118084046.host.telemar.net.br.3642 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535 <nop,nop,sack sack 1 {42:43} >
19:21:23.715914 IP 20118084046.host.telemar.net.br.3642 > 66.68.232.72.reverse.layeredtech.com.9641: . 0:1(1) ack 1 win 65535
19:21:23.729781 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: R 2147392499:2147392499(0) win 0
=====> manually stopping the tcpdump
32 packets captured
32 packets received by filter
0 packets dropped by kernel

anybody any clue what is missing?

--
Roberto Saccon
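Reading the capture: the handshake completes, but the server's 41-byte push (1:42) is sent again and again while the client's ack never moves past 1, i.e. the client is discarding the data segments, which is what the corrupt-checksum fix reported later in the thread accounts for. As an added example (not from the thread), the shell function below pulls that pattern out of tcpdump text; SAMPLE is copied from the 3642 flow in the capture above, and the "3 sends" threshold is my own choice.

```shell
#!/bin/sh
# Added example, not from the thread: report data segments one side keeps
# retransmitting while the peer's ACK never moves past them. SAMPLE holds lines
# copied from the capture above; any tcpdump output in this format can be piped in.
SAMPLE=$(cat <<'EOF'
17:11:22.558334 IP 20118084046.host.telemar.net.br.3642 > 66.68.232.72.reverse.layeredtech.com.9641: S 527634138:527634138(0) win 65535 <mss 1440,nop,nop,sackOK>
17:11:22.559186 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: S 2147392498:2147392498(0) ack 527634139 win 5840 <mss 1460,nop,nop,sackOK>
17:11:22.773303 IP 20118084046.host.telemar.net.br.3642 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
17:11:22.774534 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:25.770312 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:31.960354 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
17:11:43.960327 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.3642: P 1:42(41) ack 1 win 5840
EOF
)

# Reads tcpdump lines on stdin; prints one line per data segment that was sent
# at least 3 times without the receiver ever acknowledging past its end.
find_unacked_retransmits() {
    awk '
    # Data segment "src > dst: P a:b(n) ..."; after split: f[2]=src f[4]=dst: f[6]=a:b(n)
    match($0, /IP [^ ]+ > [^ ]+: P [0-9]+:[0-9]+\([0-9]+\)/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        flow = f[2] " > " f[4]
        split(f[6], r, "[:(]")            # r[2] is the end sequence number b
        key = flow " " f[6]
        sent[key]++; seg[key] = f[6]; endseq[key] = r[2]; fl[key] = flow
        next
    }
    # Pure ACK from the peer "dst > src: . ack N": keep the highest N per reverse flow.
    match($0, /IP [^ ]+ > [^ ]+: \. ack [0-9]+/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        rev = substr(f[4], 1, length(f[4]) - 1) " > " f[2] ":"
        if (f[7] + 0 > acked[rev] + 0) acked[rev] = f[7] + 0
    }
    END {
        for (k in sent)
            if (sent[k] >= 3 && acked[fl[k]] + 0 < endseq[k] + 0)
                printf "%s %s sent %d times, peer acked up to %d\n", fl[k], seg[k], sent[k], acked[fl[k]] + 0
    }'
}

printf '%s\n' "$SAMPLE" | find_unacked_retransmits
```

A healthy flow produces no output, because the peer's ack reaches the segment's end; repeated hits on one server port across several client ports, as in the capture above, point at the sending side rather than at any single client.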
The XEN-Script I am using. But only to switch to nat. I did only overwrite the firewall rules. It works without them. But security isn't the important thing in my configuration, because my dom0 won't run any services.

Greets,
Hardy

----- Original Message -----
From: Roberto Saccon
To: Hardy Wolf
Sent: Saturday, April 22, 2006 8:51 PM
Subject: Re: [Xen-users] can't get NAT to a VM on domU working

Thanks Hardy, I will give your script a try. However I have one question: Did you not use the xen network scripts (/etc/xen/xend-config.sxp) at all or did you just overwrite their firewall rules?

regards
Roberto
Roberto Saccon
2006-Apr-28 19:02 UTC
Re: [Xen-users] can't get NAT to a VM on domU working
SOLVED

I also had a corrupt tcp checksum. "ethtool -K eth0 tx off" did the trick (currently mentioned in various other threads)

--
Roberto Saccon