I'm trying to build a Xen system where each domU on the box will offer
a different network service, but they'll all appear from the outside to
be a single host on my LAN.

I've set up a routed Xen configuration, with the dom0 as a router to a
separate IP subnet containing the domU's. My plan was to use a simple
Shorewall configuration on dom0 to direct incoming traffic on different
ports to different domU's using DNAT.

However, I'm running into trouble with a simple test configuration
(with just one domU, running an Apache server). DNAT simply doesn't
seem to work at all. When I try to connect to HTTP on the dom0 from
elsewhere on my LAN, the connection is not being DNAT'ed to the domU
running my Apache server; rather, the HTTP request is being serviced
by my dom0 (I'm getting a test page served up by micro-httpd, which I
installed on dom0 for testing purposes).

Is there some special trick to getting DNAT to work in dom0 in a routed
Xen configuration? Or would I be better off forgetting the whole idea
and running Shorewall in another domU, instead of in dom0?

I'm using Ubuntu 7.10, Xen 3.1 (kernel 2.6.22-14-xen), and Shorewall
4.0.6. I've tried both shorewall-perl (4.0.6-3) and shorewall-shell.

I'll post more details of my configuration if necessary, though I'm
hoping that my question will turn out to be elementary enough not to
require too much detail.

--
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales