Hi!

I want to forward port 3389 from the domU to the virtual server with IP address 192.168.122.77, with no success...

I tried a lot of iptables rules with no luck so far. Is this possible? I took a look at other posts and didn't find an answer.

For example:

    /sbin/iptables -t nat -A PREROUTING -p tcp -i xenbr0 --dport 3389 -j DNAT --to 192.168.122.77:3389

The virtual NIC for the VM is vif9.0...

Anyone?

Best regards,
Gerardo

--
View this message in context: http://www.nabble.com/XEN-bridge-mode-tp23449187p23449187.html
Sent from the Xen - User mailing list archive at Nabble.com.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Fri, May 8, 2009 at 11:25 PM, Codecr <gerardo@flecharoja.com> wrote:
>
> Hi!
>
> I want to forward port 3389 from the domU to the virtual server with IP
> address 192.168.122.77, with no success...
>
> I tried a lot of iptables rules with no luck so far. Is this possible? I

yes.

> took a look at other posts and didn't find an answer.
>
> For example:
> /sbin/iptables -t nat -A PREROUTING -p tcp -i xenbr0 --dport 3389 -j DNAT
> --to 192.168.122.77:3389
>
> The virtual NIC for the VM is vif9.0...

Is your dom0 IP address on xenbr0 or eth0?
Looks like you have libvirtd running (possibly on RHEL/CentOS), in which case the IP will be on eth0. If that's the case, try changing the rule to

    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d dom0_ip_address --dport 3389 -j DNAT --to 192.168.122.77:3389

and if your default rule is REJECT you need to add an ACCEPT rule on the FORWARD chain as well.

Regards,

Fajar
Hi!! Thanks for your comments.

I am running RHEL 5, and I use these two rules:

    /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 196.40.23.216 --dport 3389 -j DNAT --to 192.168.122.77:3389
    /sbin/iptables -A FORWARD -i eth0 -p tcp --dport 3389 -d 192.168.122.77 -j ACCEPT

but I've had no luck so far....

I have more info.... The iptables output is:

Chain INPUT (policy ACCEPT 1542M packets, 600G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
2        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
4        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
3        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
4        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
6        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif9.0
7        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.122.77      tcp dpt:3389

Chain OUTPUT (policy ACCEPT 1538M packets, 612G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Table nat

Chain PREROUTING (policy ACCEPT 5510K packets, 630M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            196.40.23.216       tcp dpt:3389 to:192.168.122.77:3389

Chain POSTROUTING (policy ACCEPT 1175K packets, 72M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      *       192.168.122.0/24     0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1175K packets, 72M bytes)
num   pkts bytes target     prot opt in     out     source               destination

ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:1D:09:70:4E:2E
          inet addr:196.40.23.216  Bcast:196.40.23.223  Mask:255.255.255.224
          inet6 addr: fe80::21d:9ff:fe70:4e2e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19564532 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7798769 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1915162929 (1.7 GiB)  TX bytes:574385308 (547.7 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1530415797 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1530415797 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2080638239 (1.9 GiB)  TX bytes:2080638239 (1.9 GiB)

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:21278172 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15726841 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2242573788 (2.0 GiB)  TX bytes:1153167404 (1.0 GiB)
          Interrupt:18 Memory:ec000000-ec012100

vif9.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

virbr0    Link encap:Ethernet  HWaddr 16:07:69:34:51:3A
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:66645 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77148 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7803463 (7.4 MiB)  TX bytes:84417139 (80.5 MiB)

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:7851715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:565473624 (539.2 MiB)  TX bytes:0 (0.0 b)

Fajar A. Nugraha-3 wrote:
>
> On Fri, May 8, 2009 at 11:25 PM, Codecr <gerardo@flecharoja.com> wrote:
>>
>> Hi!
>>
>> I want to forward port 3389 from the domU to the virtual server with
>> IP
>> address 192.168.122.77, with no success...
>>
>> I tried a lot of iptables rules with no luck so far. Is this possible? I
>
> yes.
>
>> took a look at other posts and didn't find an answer.
>>
>> For example:
>> /sbin/iptables -t nat -A PREROUTING -p tcp -i xenbr0 --dport 3389 -j
>> DNAT
>> --to 192.168.122.77:3389
>>
>> The virtual NIC for the VM is vif9.0...
>
> Is your dom0 IP address on xenbr0 or eth0?
> Looks like you have libvirtd running (possibly on RHEL/CentOS), in
> which case the IP will be on eth0. If that's the case, try changing the
> rule to
>
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d dom0_ip_address
> --dport 3389 -j DNAT --to 192.168.122.77:3389
>
> and if your default rule is REJECT you need to add an ACCEPT rule on the
> FORWARD chain as well.
>
> Regards,
>
> Fajar

--
View this message in context: http://www.nabble.com/XEN-bridge-mode-tp23449187p23454056.html
Sent from the Xen - User mailing list archive at Nabble.com.
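The FORWARD listing in the message above is worth walking rule by rule, because iptables stops at the first terminating match: the ACCEPT for tcp/3389 to 192.168.122.77 was appended as rule 7, but rule 4 (one of the REJECT rules libvirt installs for virbr0) already matches anything routed out of virbr0 that is not part of an existing connection. The script below is an added example, not part of the thread and not Xen or libvirt code. It takes the posted FORWARD chain verbatim, parses it the way `iptables -L FORWARD -n -v --line-numbers` prints it, and simulates two constructed packets: an inbound RDP connection after DNAT (assumed to leave dom0 via virbr0, as the posted route table implies; the source address 203.0.113.5 is a made-up documentation address) and the domU's reply. It also models what happens when the ACCEPT is inserted at position 1 (`-I FORWARD 1`) instead of appended (`-A`).

```python
"""Walk an iptables FORWARD chain listing the way the kernel would, to see which
rule a DNATed connection actually hits. Added example for this thread; the listing
is copied from the posted output, the packets below are constructed."""
import ipaddress
import re

# Copied from the FORWARD chain posted in the thread ("iptables -L FORWARD -n -v --line-numbers" style).
FORWARD_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
3 0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
4 0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
6 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif9.0
7 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 192.168.122.77 tcp dpt:3389
"""

# Constructed packet: an RDP connection from the Internet, already DNATed in nat/PREROUTING
# to 192.168.122.77 and now being routed by dom0 out of virbr0 (assumption based on the route table).
INBOUND_RDP = {"proto": "tcp", "in": "eth0", "out": "virbr0",
               "src": "203.0.113.5", "dst": "192.168.122.77", "dport": 3389,
               "state": "NEW", "physdev_in": None}
# Constructed packet: the domU's reply on that connection, heading back out.
REPLY = {"proto": "tcp", "in": "virbr0", "out": "eth0",
         "src": "192.168.122.77", "dst": "203.0.113.5", "dport": 51234,
         "state": "ESTABLISHED", "physdev_in": None}

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def _net(text):
    """Turn '192.168.122.77' or '192.168.122.0/24' into an ip_network."""
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)


def parse_chain(text):
    """Return (policy, rules) from a verbose, numbered iptables chain listing."""
    policy, rules = None, []
    for line in text.splitlines():
        if line.startswith("Chain "):
            policy = re.search(r"\(policy (\w+)", line).group(1)
            continue
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # column header or blank line
        extra = " ".join(parts[10:])  # match extensions: dpt:, state, physdev, reject-with
        dport = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        physdev = re.search(r"--physdev-in (\S+)", extra)
        rules.append({
            "num": int(parts[0]), "pkts": int(parts[1]), "target": parts[3],
            "proto": parts[4], "in": parts[6], "out": parts[7],
            "src": _net(parts[8]), "dst": _net(parts[9]),
            "dport": int(dport.group(1)) if dport else None,
            "states": set(state.group(1).split(",")) if state else None,
            "physdev_in": physdev.group(1) if physdev else None,
        })
    return policy, rules


def matches(rule, pkt):
    """True if every match criterion on the rule applies to the packet."""
    return (rule["proto"] in ("all", pkt["proto"])
            and rule["in"] in ("*", pkt["in"])
            and rule["out"] in ("*", pkt["out"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (rule["states"] is None or pkt["state"] in rule["states"])
            and (rule["physdev_in"] is None or rule["physdev_in"] == pkt["physdev_in"]))


def walk(policy, rules, pkt):
    """(verdict, rule number) of the first terminating rule the packet hits,
    or (policy, None) if it falls through to the chain policy."""
    for rule in rules:
        if rule["target"] in TERMINATING and matches(rule, pkt):
            return rule["target"], rule["num"]
    return policy, None


def shadowed(rules, pkt, accept_num):
    """Numbers of terminating rules that catch pkt before the intended ACCEPT rule."""
    return [r["num"] for r in rules
            if r["num"] < accept_num and r["target"] in TERMINATING and matches(r, pkt)]


def move_to_front(rules, num):
    """Model 'iptables -I FORWARD 1 ...' instead of '-A ...': put rule `num` first."""
    chosen = next(r for r in rules if r["num"] == num)
    return [chosen] + [r for r in rules if r["num"] != num]


if __name__ == "__main__":
    policy, rules = parse_chain(FORWARD_LISTING)
    print("as listed:        ", walk(policy, rules, INBOUND_RDP))                   # ('REJECT', 4)
    print("rule 7 shadowed by:", shadowed(rules, INBOUND_RDP, 7))                   # [4]
    print("with rule 7 first: ", walk(policy, move_to_front(rules, 7), INBOUND_RDP))  # ('ACCEPT', 7)
    print("domU reply:        ", walk(policy, rules, REPLY))                        # ('ACCEPT', 2)
```

The walk shows the appended ACCEPT never gets a chance: rule 4 rejects the new connection first, while the reply direction was already covered by libvirt's rule 2. Inserting the ACCEPT ahead of the virbr0 REJECT rules (`-I FORWARD 1`) changes the verdict. The zero packet counters in the posted listing are the other thing to read: a DNAT rule that stays at 0 packets after a connection attempt never matched, so the problem is before the FORWARD chain (wrong `-i` interface or `-d` address), not in it.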
On Sat, May 9, 2009 at 4:33 AM, Codecr <gerardo@flecharoja.com> wrote:
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 196.40.23.216 --dport
> 3389 -j DNAT --to 192.168.122.77:3389
>

It should work. Perhaps you have a firewall on Windows? AFAIK it's activated by default on XP.
Can you connect to domU's port 3389 from dom0?

If all else fails, a workaround is to use a TCP proxy like "balance":
http://www.inlab.de/balance.html
http://dag.wieers.com/rpm/packages/balance/

Regards,

Fajar
Hi!

Yes, I can access port 3389; I did a "telnet 192.168.122.77 3389" and it works fine!!

Xen is running in bridge mode, not NAT mode. The physical server has an external public IP address on eth0.

I cleared all the rules and I got:

Table filter

Chain INPUT (policy ACCEPT 1974M packets, 772G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
2        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
4        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
3        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
4        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
6        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif9.0

Chain OUTPUT (policy ACCEPT 1970M packets, 784G bytes)
num   pkts bytes target     prot opt in     out     source               destination

Table nat

Chain PREROUTING (policy ACCEPT 6995K packets, 817M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1510K packets, 92M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      *       192.168.122.0/24     0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1510K packets, 92M bytes)
num   pkts bytes target     prot opt in     out     source               destination

and the network-bridge script reports:

/etc/xen/scripts/network-bridge status
===========================================================
7: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether 00:1d:09:70:4e:2e brd ff:ff:ff:ff:ff:ff
    inet 196.40.23.216/27 brd 196.40.23.223 scope global eth0
    inet6 fe80::21d:9ff:fe70:4e2e/64 scope link
       valid_lft forever preferred_lft forever
14: xenbr0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.16076934513a       yes             vif9.0
                                                        tap0
xenbr0          8000.feffffffffff       no              peth0
                                                        vif0.0
196.40.23.192/27 dev eth0  proto kernel  scope link  src 196.40.23.216
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
169.254.0.0/16 dev eth0  scope link
default via 196.40.23.220 dev eth0
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
196.40.23.192   0.0.0.0         255.255.255.224 U     0      0        0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         196.40.23.220   0.0.0.0         UG    0      0        0 eth0

brctl show
bridge name     bridge id               STP enabled     interfaces
virbr0          8000.16076934513a       yes             vif9.0
                                                        tap0
xenbr0          8000.feffffffffff       no              peth0
                                                        vif0.0

I will try balance as my last option. Thanks a lot for all the support!! Any other info will be welcome!!

Gerardo

Fajar A. Nugraha-3 wrote:
>
> On Sat, May 9, 2009 at 4:33 AM, Codecr <gerardo@flecharoja.com> wrote:
>> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d 196.40.23.216
>> --dport
>> 3389 -j DNAT --to 192.168.122.77:3389
>>
>
> It should work. Perhaps you have a firewall on Windows? AFAIK it's
> activated by default on XP.
> Can you connect to domU's port 3389 from dom0?
>
> If all else fails, a workaround is to use a TCP proxy like "balance":
> http://www.inlab.de/balance.html
> http://dag.wieers.com/rpm/packages/balance/
>
> Regards,
>
> Fajar

--
View this message in context: http://www.nabble.com/XEN-bridge-mode-tp23449187p23531859.html
Sent from the Xen - User mailing list archive at Nabble.com.