Theo Cabrerizo Diem
2006-Oct-12 13:32 UTC
[Xen-users] One more NAT problem (not tranversing POSTROUTING)
Hello there, aka: plleaasse help ;) Idea : All Xen VMs connects to xen-br bridge (which also dom0 is part of). If they need access to outside (veth1 on dom0), dom0 does nat''ing. The eth-br bridge is like a DMZ section, which I can plug my VMs which provides services to outside world (but not in use yet) Setup : - Debian Linux unstable, xen unstable packages; - one real ethernet card in the workstation; custom network scripts - I don''t rename any interface, so eth0 is the real one, veth* are the virtual ones on dom0, which backs to vif0.*; - module netloop nsloopback=2 - bridge eth-br, ports : eth0 vif0.0 - bridge xen-br, ports : vif0.1 + domU vif''s workstation setup is ok, I run dhclient on veth0, works perfectly (default route goes through this interface), fixed ip on veth1 for access to Xen VMs Problem : ''iptables -t nat -A POSTROUTING -o veth0 -j MASQUERADE'' doesn''t work as expected to NAT traffic from VMs :( If I send a ping request to the outside world, I can see the icmp request going through all interfaces, but completely unchanged (no nat done). I saw earlier references in the archives to add a ''iptables -t raw -A PREROUTING -i xen-br -j NOTRACK'' to avoid connection tracking when the packet is coming from vif3.0 to vif0.1 but this didn''t help. -- detailed part -- IP list : dom0 veth0 -> 10.1.1.71 dom0 veth1 -> 192.168.235.1 dom0 default route via 10.1.1.254 domU eth0 -> 192.168.235.103 domU default route via 192.168.235.1 I''ve set LOG targets on iptables (dom0 of course), on every chain to see which chains the packet is transversing and get a better ideia. this is the result when sending a ping request from domU to 200.221.11.98 : 1: table RAW / PREROUTING IN=xen-br OUT PHYSIN=vif3.0 SRC=192.168.235.1 DST=200.221.11.98 2: table NAT / PREROUTING IN=xen-br OUT PHYSIN=vif3.0 SRC=192.168.235.1 DST=200.221.11.98 3: table FILTER / FORWARD IN=xen-br OUT=xen-br PHYSIN=vif3.0 PHYSOUT=vif0.1 SRC=192.168.235.1 DST=200.221.11.98 4: table NAT / POSTROUTING IN= OUT=xen-br PHYSIN=vif3.0 PHYSOUT=vif0.1 SRC=192.168.235.1 DST=200.221.11.98 5: table FILTER / FORWARD IN=veth1 OUT=veth0 PHYSIN=vif3.0 PHYSOUT=vif0.1 SRC=192.168.235.1 DST=200.221.11.98 6: table RAW / PREROUTING IN=eth-br OUT PHYSIN=vif0.0 SRC=192.168.235.1 DST=200.221.11.98 7: table FILTER / FORWARD IN=eth-br OUT=eth-br PHYSIN=vif0.0 PHYSOUT=eth0 SRC=192.168.235.1 DST=200.221.11.98 If I add the suggested NOTRACK stuff, the only difference is I don''t see lines 2 and 4. I can see in the /proc/net/ip_conntrack the icmp entry in the conntrack table, but no NAT occours :( # cat /proc/net/ip_conntrack | grep icmp icmp 1 25 src=192.168.235.103 dst=200.221.11.98 type=8 code=0 id=59140 packets=1 bytes=84 [UNREPLIED] src=200.221.1 1.98 dst=192.168.235.103 type=0 code=0 id=59140 packets=0 bytes=0 mark=0 use=1 my iptables setup : * all policies ACCEPT * -j LOG on every chain (with proper log-prefix to tell which is which) * -t nat -A POSTROUTING -o veth0 -j MASQUERADE Any idea ? :''( Cheers, Theo Diem _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users