Jaume Sabater
2006-Sep-09 17:02 UTC
[Xen-users] Can't access the domU's from the LAN (only from the dom0)
Hello everyone! I am new to Xen and this is my first post in this list.

I have a machine with two network interfaces, eth0 and eth1. Eth0 is connected to the LAN (192.168.1.0/24) and eth1 to my router (ip: 80.36.214.x, gw: 80.36.214.y). This server is also acting as a proxy-cache:

    # Transparent proxy
    iptables --table nat --append PREROUTING --in-interface eth0 \
        --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
        --proto tcp --dport 80 --jump REDIRECT --to-port 3128

    # Activate Network Address Translation
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
        --destination ! 192.168.0.0/24 --out-interface eth1 \
        --jump MASQUERADE

As you may have already noticed, I also have a VPN between the two subnets 192.168.0.0/24 and 192.168.1.0/24, and there are a few more rules in the firewall in order to allow traffic appropriately.

So, I found out about Xen and said "this is great!", so here I am. I have a running kernel 2.6.16.19 with Xen 3.0.2 on a Debian x86_64 Sid (custom kernel with no modules at all, compiled using kernel-package). I want to use Xen virtual machines only internally (as any other normal PC inside the 192.168.1.0/24 network, but with no need to be accessed from the Internet). So, I have created a virtual machine using the xen-tools package provided by Steve [1].

[1] http://packages.debian.org/unstable/utils/xen-tools

These are the parameters of /etc/xen-tools/xen-tools.conf:

    dir = /home/xen
    debootstrap = 1
    size = 2Gb
    memory = 128Mb
    swap = 256Mb
    fs = ext3
    dist = etch
    image = sparse
    gateway = 192.168.1.3
    netmask = 255.255.255.0
    passwd = 1
    kernel = /boot/xen0-linux-2.6.16.19-xen
    initrd
    mirror = http://ftp.se.debian.org/debian/

I created the image with this command:

    xen-create-image --hostname=xen01 --ip=192.168.1.10 --passwd

The /etc/network/interfaces in the virtual machine (dom1):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 192.168.1.10
        gateway 192.168.1.3
        netmask 255.255.255.0

The thing is that everything went fine:

- I can connect to the virtual machine from the host (192.168.1.3)
- I can connect to the Internet from inside the virtual machine.

But:

- I can't ping the virtual machine 192.168.1.10 from any other PC in the 192.168.1.0/24 network (but the host 192.168.1.3). It says "Destination Host Unreachable".
- I can't ping any host in the 192.168.1.0/24 network from inside the virtual machine 192.168.1.10. It does not complain, though.

I have set up /etc/xen/xend-config.sxp using:

    (network-script network-route)
    (vif-script vif-route)

Honestly, I don't have any other reason to choose routing instead of bridging except the fact that I tried for days and days with the bridging thing and I could make it work, so I said "next try another option".

When I was using bridging, I could ping from inside a VM to a PC, but not from a PC to the VM. Again, I could really tell what was wrong (I am not an expert with iptables, I admit it).

My firewall looks like this (short version):

    BOF ----------------------------

    iptables --policy INPUT DROP
    iptables --append INPUT --in-interface ! eth1 --jump ACCEPT
    iptables --append INPUT --match state --state ESTABLISHED,RELATED \
        --jump ACCEPT
    iptables --append INPUT --proto ICMP --jump ACCEPT

    # SSH
    iptables --append INPUT --proto tcp --match state --dport ssh \
        --state NEW --source a.b.c.d --jump ACCEPT

    # VPN
    iptables --append INPUT --in-interface eth1 --proto udp \
        --sport isakmp --dport isakmp --source 213.96.x.y \
        --destination ${VPN_SRC} --jump ACCEPT
    iptables --append INPUT --in-interface eth1 --proto tcp \
        --sport isakmp --dport isakmp --source 213.96.x.y \
        --destination 80.36.x.y --jump ACCEPT
    iptables --append INPUT --in-interface eth1 --proto ah \
        --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
    iptables --append INPUT --in-interface eth1 --proto esp \
        --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT

    # Transparent proxy
    iptables --table nat --append PREROUTING --in-interface eth0 \
        --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
        --proto tcp --dport 80 --jump REDIRECT --to-port 3128

    # Activate Network Address Translation
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
        --destination ! 192.168.0.0/24 --out-interface eth1 \
        --jump MASQUERADE

    EOF ----------------------------

80.36.x.y is the gateway in the machine (my end)
213.96.x.y is the gateway of the other end of the VPN

So, as far as I know, after reading as many docs as Google could provide me with, I guess the problem is that traffic is not "routed" from the eth0 to the vif. My ifconfig (summarized version) looks like this:

    eth0      Link encap:Ethernet  HWaddr ------
              inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
    eth1      Link encap:Ethernet  HWaddr ------
              inet addr:80.36.x.y  Bcast:80.36.214.191  Mask:255.255.255.224
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
    vif3.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
              inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.255

Also, as a final note, when I was attempting to make it work by using bridging, my server stopped forwarding connections from the LAN to the Internet, so that was one more reason to try the "routed" setup. At least now I can let people work while I try to finish up this setup and don't have to go to the office on Saturday :)

Any hints? If you need any more information, please let me know. Thanks in advance.

-- 
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Jaume Sabater
2006-Sep-11 10:55 UTC
[Xen-users] Can't access the domU's from the LAN (only from the dom0)
Hello everyone!

I have a machine with two network interfaces, eth0 and eth1. Eth0 is connected to the LAN (192.168.1.0/24) and eth1 to my router (ip: 80.36.214.x, gw: 80.36.214.y). This server is acting as a proxy-cache as well. I also have a VPN between the two subnets 192.168.0.0/24 and 192.168.1.0/24.

I have a running kernel 2.6.16.19 with Xen 3.0.2 on a Debian x86_64 Sid (custom kernel). I want to use Xen virtual machines only internally (as any other normal PC inside the 192.168.1.0/24 network, but with no need to be accessed from the Internet). So, I have created a virtual machine using the xen-tools package provided by Steve:

[1] http://packages.debian.org/unstable/utils/xen-tools

These are the parameters of /etc/xen-tools/xen-tools.conf:

    dir = /home/xen
    debootstrap = 1
    size = 2Gb
    memory = 128Mb
    swap = 256Mb
    fs = ext3
    dist = etch
    image = sparse
    gateway = 192.168.1.3
    netmask = 255.255.255.0
    passwd = 1
    kernel = /boot/xen0-linux-2.6.16.19-xen
    initrd
    mirror = http://ftp.se.debian.org/debian/

I created the image with this command:

    xen-create-image --hostname=xen01 --ip=192.168.1.10 --passwd

The /etc/network/interfaces in the virtual machine (dom1):

    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 192.168.1.10
        gateway 192.168.1.3
        netmask 255.255.255.0

Everything went fine:

- I can connect to the virtual machine from the host (192.168.1.3)
- I can connect to the Internet from inside the virtual machine.

But:

- I can't ping the virtual machine 192.168.1.10 from any other PC in the 192.168.1.0/24 network (but the host 192.168.1.3). It says "Destination Host Unreachable".
- I can't ping any host in the 192.168.1.0/24 network from inside the virtual machine 192.168.1.10. It does not complain, though.

I have set up /etc/xen/xend-config.sxp using:

    (network-script network-route)
    (vif-script vif-route)

Honestly, I don't have any other reason to choose routing instead of bridging except the fact that I tried for days and days with the bridging thing and I could make it work, so I said "next try another option".

When I was using bridging, I could ping from inside a VM to a PC, but not from a PC to the VM. Again, I could really tell what was wrong (I am not an expert with iptables, I admit it).

My firewall looks like this (short version):

    BOF ----------------------------

    iptables --policy INPUT DROP
    iptables --append INPUT --in-interface ! eth1 --jump ACCEPT
    iptables --append INPUT --match state --state ESTABLISHED,RELATED \
        --jump ACCEPT
    iptables --append INPUT --proto ICMP --jump ACCEPT

    # SSH
    iptables --append INPUT --proto tcp --match state --dport ssh \
        --state NEW --source a.b.c.d --jump ACCEPT

    # VPN
    iptables --append INPUT --in-interface eth1 --proto udp \
        --sport isakmp --dport isakmp --source 213.96.x.y \
        --destination ${VPN_SRC} --jump ACCEPT
    iptables --append INPUT --in-interface eth1 --proto tcp \
        --sport isakmp --dport isakmp --source 213.96.x.y \
        --destination 80.36.x.y --jump ACCEPT
    iptables --append INPUT --in-interface eth1 --proto ah \
        --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT
    iptables --append INPUT --in-interface eth1 --proto esp \
        --source 213.96.x.y --destination 80.36.x.y --jump ACCEPT

    # Transparent proxy
    iptables --table nat --append PREROUTING --in-interface eth0 \
        --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
        --proto tcp --dport 80 --jump REDIRECT --to-port 3128

    # Activate Network Address Translation
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
        --destination ! 192.168.0.0/24 --out-interface eth1 \
        --jump MASQUERADE

    EOF ----------------------------

80.36.x.y is the gateway in the machine (my end)
213.96.x.y is the gateway of the other end of the VPN

So, as far as I know, after reading as many docs as Google could provide me with, I guess the problem is that traffic is not "routed" from the eth0 to the vif. My ifconfig (summarized version) looks like this:

    eth0      Link encap:Ethernet  HWaddr ------
              inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
    eth1      Link encap:Ethernet  HWaddr ------
              inet addr:80.36.x.y  Bcast:80.36.214.191  Mask:255.255.255.224
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
    vif3.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
              inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.255

Also, as a final note, when I was attempting to make it work by using bridging, my server stopped forwarding connections from the LAN to the Internet, so that was one more reason to try the "routed" setup. At least now I can let people work while I try to finish up this setup and don't have to go to the office on Saturday :)

Any hints? If you need any more information, please let me know. Thanks in advance.

-- 
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"
Tim Post
2006-Sep-11 14:39 UTC
Re: [Xen-users] Can't access the domU's from the LAN (only from the dom0)
Try specifying a MAC address within the dom-u. Depending on the router you have and size of the network (looks large?) it could take from 10 - 90 seconds for the router to ARP the new MAC.

Also don't forget the bridge learning curve before you say ARG it's not working :)

HTH
--Tim
Jaume Sabater
2006-Sep-12 13:48 UTC
Re: [Xen-users] Can't access the domU's from the LAN (only from the dom0)
Tim Post wrote:
> Try specifying a MAC address within the dom-u. Depending on the router
> you have and size of the network (looks large?) it could take from 10 -
> 90 seconds for the router to arp the new mac.

Hello, Tim. Thanks for your reply.

As you suggested, I tried assigning a static MAC address, but nothing changed.

I've been trying some firewall rules and, I don't know exactly why/how, now I can ping from inside the VM (192.168.1.10) to my PC (192.168.1.190). NAT in my firewall looks like this now:

    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --source 192.168.1.10 \
        --destination 192.168.1.190 --jump MASQUERADE
    iptables --table nat --append POSTROUTING --source 192.168.1.190 \
        --destination 192.168.1.10 --jump MASQUERADE
    iptables --table nat --append POSTROUTING --source 192.168.1.0/24 \
        --destination ! 192.168.0.0/24 --out-interface eth1 \
        --jump MASQUERADE

As I said, I don't exactly know how to tell iptables to forward the traffic from eth0 to vif1.0 and vice versa. I guess that, with those rules, now traffic from the VM can reach my PC, thus ping works. But since vif1.0 has the IP address 192.168.1.3 (dom0's local IP) instead of 192.168.1.10 (VM's local IP), I guess my PC doesn't know where to go when I tell it to ping 192.168.1.10.

Any hints? Thanks in advance.

P.S. Should vif1.0 have 192.168.1.3 or should it have 192.168.1.10?

-- 
Jaume Sabater
http://linuxsilo.net/
"Ubi sapientas ibi libertas"
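To see what the posted dom0 firewall actually does to guest traffic in the routed setup, here is an added example (not code from the thread, from xen-tools or from Xen) that parses the INPUT and nat rules from the first post together with the POSTROUTING rules from the follow-up, in the long-option syntax as posted, and evaluates constructed sample packets against them. Assumptions: the SSH and VPN rules are left out because they use placeholder addresses; vif3.0 is the guest's vif as shown in the ifconfig output; 198.51.100.7 and 192.0.2.1 are documentation addresses standing in for an Internet host and for the dom0's public address. It shows three things a practitioner would want to know about this ruleset: the `--in-interface ! eth1 --jump ACCEPT` rule accepts every packet arriving on a vif, so a guest reaches any listener on the dom0 (the proxy on 3128 included); the transparent-proxy REDIRECT matches `--in-interface eth0` only, so guest web traffic entering on vif3.0 is not sent through the proxy; and the intra-LAN MASQUERADE rules from the follow-up rewrite guest-to-PC traffic so the PC sees the dom0's address rather than 192.168.1.10.

```python
"""Replay the dom0 iptables rules from the thread against sample packets.

Added example, not code from the thread. The ruleset is the poster's INPUT,
PREROUTING and POSTROUTING rules (SSH and VPN rules omitted: placeholder
addresses). Packets are constructed; 198.51.100.7 and 192.0.2.1 are
documentation addresses standing in for an Internet host and the dom0's
public address.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

RULES = """
iptables --policy INPUT DROP
iptables --append INPUT --in-interface ! eth1 --jump ACCEPT
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append INPUT --proto ICMP --jump ACCEPT
iptables --table nat --append PREROUTING --in-interface eth0 --source 192.168.1.0/24 --destination ! 192.168.1.0/24 --proto tcp --dport 80 --jump REDIRECT --to-port 3128
iptables --table nat --append POSTROUTING --source 192.168.1.10 --destination 192.168.1.190 --jump MASQUERADE
iptables --table nat --append POSTROUTING --source 192.168.1.190 --destination 192.168.1.10 --jump MASQUERADE
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --destination ! 192.168.0.0/24 --out-interface eth1 --jump MASQUERADE
"""

# Long options that become packet-field matches; a '!' after the option negates it
# (the pre-1.4.3 iptables syntax the post uses).
OPT_FIELDS = {"--in-interface": "in_iface", "--out-interface": "out_iface",
              "--source": "src", "--destination": "dst", "--proto": "proto",
              "--sport": "sport", "--dport": "dport", "--state": "state"}

@dataclass
class Rule:
    target: str
    matches: list                       # (field, negated, value) triples
    extra: dict = field(default_factory=dict)

@dataclass
class Packet:
    in_iface: str = ""
    out_iface: str = ""
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    state: str = "NEW"                  # conntrack state as iptables would classify it

def parse_ruleset(text):
    """Return {(table, chain): {'policy': str, 'rules': [Rule, ...]}}."""
    chains = {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)[1:]    # drop the leading 'iptables'
        table, chain, target, matches, extra = "filter", None, None, [], {}
        i = 0
        while i < len(argv):
            opt = argv[i]
            if opt == "--table":
                table = argv[i + 1]; i += 2
            elif opt == "--policy":
                chain = argv[i + 1]
                chains.setdefault((table, chain), {"policy": "ACCEPT", "rules": []})["policy"] = argv[i + 2]
                i += 3
            elif opt == "--append":
                chain = argv[i + 1]; i += 2
            elif opt == "--jump":
                target = argv[i + 1]; i += 2
            elif opt == "--match":
                i += 2                  # extension name only; its options (e.g. --state) follow
            elif opt == "--to-port":
                extra["to_port"] = int(argv[i + 1]); i += 2
            elif opt in OPT_FIELDS:
                negated = argv[i + 1] == "!"
                matches.append((OPT_FIELDS[opt], negated, argv[i + 2 if negated else i + 1]))
                i += 3 if negated else 2
            else:
                raise ValueError(f"unsupported option {opt!r}")
        if target is not None:          # --policy lines carry no target
            chains.setdefault((table, chain), {"policy": "ACCEPT", "rules": []})["rules"].append(Rule(target, matches, extra))
    return chains

def _field_matches(fld, value, pkt):
    actual = getattr(pkt, fld)
    if fld in ("src", "dst"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if fld in ("sport", "dport"):
        return actual == int(value)
    if fld == "proto":
        return actual.lower() == value.lower()
    if fld == "state":
        return actual in value.split(",")
    return actual == value              # interface names

def verdict(chains, table, chain, pkt):
    """First matching rule's target and 1-based index, else (chain policy, None)."""
    entry = chains.get((table, chain), {"policy": "ACCEPT", "rules": []})
    for n, rule in enumerate(entry["rules"], 1):
        if all(_field_matches(f, v, pkt) != neg for f, neg, v in rule.matches):
            return rule.target, n
    return entry["policy"], None

if __name__ == "__main__":
    ch = parse_ruleset(RULES)
    print("guest -> dom0:3128, INPUT        ", verdict(ch, "filter", "INPUT", Packet(in_iface="vif3.0", src="192.168.1.10", dst="192.168.1.3", dport=3128)))
    print("Internet -> dom0:3128, INPUT     ", verdict(ch, "filter", "INPUT", Packet(in_iface="eth1", src="198.51.100.7", dst="192.0.2.1", dport=3128)))
    print("LAN PC web, nat PREROUTING       ", verdict(ch, "nat", "PREROUTING", Packet(in_iface="eth0", src="192.168.1.190", dst="198.51.100.7", dport=80)))
    print("guest web, nat PREROUTING        ", verdict(ch, "nat", "PREROUTING", Packet(in_iface="vif3.0", src="192.168.1.10", dst="198.51.100.7", dport=80)))
    print("guest -> PC, nat POSTROUTING     ", verdict(ch, "nat", "POSTROUTING", Packet(out_iface="eth0", src="192.168.1.10", dst="192.168.1.190")))
```

Run it directly to print the verdicts; `verdict()` returns the matching target with its 1-based rule index, or the chain policy with None when nothing matches. The evaluator models only the options the posted rules use and takes the conntrack state from the packet as given, so it is a reading aid for this ruleset rather than a general iptables simulator.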