Hi,

I'm struggling with my iptables configuration since I've installed Xen. Before, I had the host/dom0 doing port forwarding with:

  iptables -t nat -A PREROUTING -p tcp -i eth0 -d $PUBLIC_IP \
      --dport 80 -j DNAT --to 192.168.0.190

That worked like a charm. After installing and starting Xen, I found out eth0 became peth0 and was bridged in xenbr0. That's all fine and documented. So I thought I could just alter the incoming interface from eth0 to xenbr0 in the above port forwarding rule:

  iptables -t nat -A PREROUTING -p tcp -i xenbr0 -d $PUBLIC_IP \
      --dport 80 -j DNAT --to 192.168.0.190

But that doesn't work anymore. The rule's packet counter counts up when sending a packet to port 80, but it does not make it into the FORWARD table of iptables.

Does xenbr0 block this packet somehow? I've been reading about ebtables, but only got some C source examples.

Help greatly appreciated.

Regards

Markus

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Hi,

In the Shorewall Xen FAQ at [1] I'm reading the following:

"I know of no case where a user has successfully used NAT (including Masquerade) in a bridged Xen Dom0. So if you want to create a masquerading firewall/gateway using Xen, you need to do so in a DomU (see how I did it) or you must configure Xen to use routing or NAT rather than the default bridging."

Why shuffle around the Dom0 interfaces (eth0 -> peth0) at all? Can I configure Xen to not do that and just provide me with a tap device I can route / bridge however I want, like qemu does?

Regards

Markus

[1]: http://www.shorewall.net/Xen.html
On 11/16/06 07:22, Markus Schiltknecht wrote:
> Why shuffle around the Dom0 interfaces (eth0 -> peth0) at all? Can I
> configure Xen to not do that and just provide me with a tap device I can
> route / bridge however I want, like qemu does?

http://lists.xensource.com/archives/html/xen-users/2006-09/msg00925.html

(The HTML code wrapped the following line, which should be a single line:)

  mac=${mac:-$(awk 'BEGIN { printf "00:16:3e:%02x:%02x:%02x", int(rand()*127), int(rand()*255), int(rand()*255); }')}

Once you have the network-private set up, you can route and do whatever in dom0 you like. veth0 is the adapter to the private network between dom0 and domUs, and eth0 (or whatever) is the external.

This script really gets out of your way, so all the configuration of forwarding and such can be done outside xen.

John
> http://lists.xensource.com/archives/html/xen-users/2006-09/msg00925.html

I'm trying this script but I can't find a way to access the network from the DomUs. With no iptables rules I can ping the domUs from dom0 and vice versa, but if I try to NAT the domUs (with the attached script) everyone stops seeing each other.

Any hints?

Thanks,
Francesco

Here's the mini-nat script; eth0 is the external iface on dom0:

  #!/usr/bin/env iptables-restore
  *filter
  :FORWARD DROP [0:0]
  :INPUT DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  # forwarded traffic: replies plus anything arriving from the private side
  -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -i veth0 -j ACCEPT
  # traffic to dom0 itself: replies and loopback only
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  COMMIT
  *nat
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  # hide everything leaving via eth0 behind dom0's external address
  -A POSTROUTING -o eth0 -j MASQUERADE
  COMMIT
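As an added example (not Francesco's script and not the network-private script John links to), here is a complete dom0 NAT gateway ruleset for the layout John describes: veth0 faces the domUs, eth0 is the external interface. The interface names and the 192.168.0.0/24 private subnet are assumptions; adjust them. It differs from the posted mini-nat script in three ways that matter for "everyone stops seeing each other": it accepts ICMP and SSH from the private network into dom0 itself (an INPUT DROP policy with only lo and RELATED,ESTABLISHED accepted drops every new echo-request a domU sends to dom0), it limits forwarding to the private subnet leaving through the external interface (so a domU cannot forward spoofed source addresses), and it turns on ip_forward, without which no FORWARD rule ever sees a packet.

```shell
#!/bin/sh
# Added example for the xen-users thread; not code from the thread itself.
# Assumed layout: EXT_IF is dom0's external interface (eth0), INT_IF is the
# private side towards the domUs (veth0), INT_NET the private subnet.

# gen_ruleset EXT_IF INT_IF INT_NET -> prints an iptables-restore file
gen_ruleset() {
    ext="$1"; int="$2"; net="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# dom0 itself: replies, loopback, and ping/SSH from the private network
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $int -s $net -p icmp -j ACCEPT
-A INPUT -i $int -s $net -p tcp --dport 22 -j ACCEPT
# forwarded traffic: private subnet -> outside, plus return traffic only;
# the -s match stops a domU forwarding packets with a foreign source address
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $int -o $ext -s $net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# hide the private subnet behind the external address
-A POSTROUTING -s $net -o $ext -j MASQUERADE
COMMIT
EOF
}

# forwarding_enabled FILE -> succeeds when FILE holds "1".
# FILE is normally /proc/sys/net/ipv4/ip_forward; it is a parameter so the
# check can be run against a saved copy.
forwarding_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# apply_ruleset EXT_IF INT_IF INT_NET: enable forwarding if needed and load
# the whole ruleset atomically (requires root and iptables-restore).
apply_ruleset() {
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || \
        echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_ruleset "$1" "$2" "$3" | iptables-restore
}

# Usage (as root on dom0):  apply_ruleset eth0 veth0 192.168.0.0/24
```

Because iptables-restore loads the file as one unit, a typo fails the whole load and the previous rules stay in place, which is safer than appending rules one by one over SSH. Make ip_forward persistent (e.g. in /etc/sysctl.conf) so the setting survives a reboot.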