Robert M. Münch
2008-Jul-08 19:05 UTC
[Xen-users] NET Network / Server running on internal Network not reachable
Hi all, for several days I have been trying to get NAT networking to work, which is driving me nuts... I don't know what to do anymore. Maybe some expert has a good tip for me. I have read almost everything about this topic and tested most stuff, but still no luck.

I want to run a web-server on a DomU. Hence I used the normal NAT setup from xen.

Current setup & situation

1. Dom0 can access the internet
2. Dom0 can access the DomU
3. DomU (10.0.0.1) can access the internet
4. DomU can access Dom0

What's not working is that I can't reach the web-server running on DomU.

IFCONFIG Output

eth0      Link encap:Ethernet  HWaddr 00:11:6b:94:d8:ea
          inet addr:87.118.120.16  Bcast:87.118.120.255  Mask:255.255.255.0
          inet6 addr: fe80::211:6bff:fe94:d8ea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:60115200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:188967 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1572915748 (1.4 GB)  TX bytes:21158242 (20.1 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:700 (700.0 B)  TX bytes:700 (700.0 B)

peth0     Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:69824162 errors:7 dropped:41 overruns:2 frame:0
          TX packets:190910 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:611060332 (582.7 MB)  TX bytes:21628510 (20.6 MB)
          Interrupt:21 Base address:0xc00

vif0.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:188967 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60115201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21158242 (20.1 MB)  TX bytes:1572915818 (1.4 GB)

vif2.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          inet addr:10.0.0.128  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:694 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:43145 (42.1 KB)  TX bytes:131433 (128.3 KB)

xenbr0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:7385822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:460560761 (439.2 MB)  TX bytes:0 (0.0 B)

BRCTL Output

bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              vif0.0
                                                        peth0

IPTABLES -L -t nat Output

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             eisxen              tcp dpt:www to:10.0.0.1:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Here I want to forward all traffic coming in for the external IP address (eisxen) to 10.0.0.1:10

IPTABLES -L Output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             10.0.0.1            tcp dpt:www
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif2.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Here the idea is that everything going to 10.0.0.1:80 is accepted.

ROUTE -n Output

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 vif2.0
87.118.120.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         87.118.120.1    0.0.0.0         UG    100    0        0 eth0

I can see HTTP request packets coming to my server.

tcpdump -i peth0 host 87.118.120.16 and port 80

tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 68 bytes
21:02:08.669661 IP i59F4B4BF.versanet.de.37269 > eisxen.www: S 3736050736:3736050736(0) win 64000 <mss 1402,nop,wscale 0,nop,nop,timestamp[|tcp]>

But then nothing happens. Everything hangs. Nothing is forwarded/routed to 10.0.0.1:80

I hope someone can tell me what the problem is or what I should try to get it to work.

Thanks a lot.

-- 
Robert M. Münch
http://www.robertmuench.de

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Massimo Mongardini
2008-Jul-08 21:44 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
Robert,
I banged my head on this as well once, but having changed direction on the network design I am not 100% sure of the solution/workaround.
If I am not wrong you could try and assign an IP address to the xenbr0 interface and handle DNAT from the bridge or use a lower level filtering like ebtables or iptables physdev module.
I'll have a dig on my notes and let you know if I find something more accurate.
cheers
Massimo

Robert M. Münch wrote:
> Hi all, for several days I have been trying to get NAT networking to work, which
> is driving me nuts... I don't know what to do anymore. Maybe some
> expert has a good tip for me. I have read almost everything about this
> topic and tested most stuff, but still no luck.
>
> I want to run a web-server on a DomU. Hence I used the normal NAT
> setup from xen.
> [...]
> What's not working is that I can't reach the web-server running on DomU.
> [...]

-- 
Massimo Mongardini

~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
echo 'Jg!J!hjwf!zpv!bo!bqqmf!boe!zpv!hjwf!nf!bo!bqqmf-!uifo!xf!xjmm!ibwf!bo!bqqmf!fbdi/!Cvu!jg!J!hjwf!zpv!bo!jefb!boe!zpv!hjwf!nf!bo!jefb-!xf!xjmm!ibwf!uxp!jefbt!fbdi!' | perl -pe 's/(.)/chr(ord($1)-1)/ge'
~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
http://massimo.mongardini.it
http://www.getthefacts.it
http://www.mongardini.it/pizza-howto
~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Christopher Isip
2008-Jul-09 02:34 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Tue, Jul 8, 2008 at 5:44 PM, Massimo Mongardini <massimo.mongardini@gmail.com> wrote:
> Robert,
> I banged my head on this as well once, but having changed direction on
> the network design I am not 100% sure of the solution/workaround.
> If I am not wrong you could try and assign an IP address to the xenbr0
> interface and handle DNAT from the bridge or use a lower level filtering
> like ebtables or iptables physdev module.
> I'll have a dig on my notes and let you know if I find something more
> accurate.
> cheers
> Massimo
> [...]

The easiest way to do IP masquerade is with shorewall. Try the two interface configuration with one interface the external and the other the internal/bridged interface.

Chris
Robert M. Münch
2008-Jul-09 18:08 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Tue, 08 Jul 2008 23:44:58 +0200, Massimo Mongardini <massimo.mongardini@gmail.com> wrote:

> I banged my head on this as well once,

Hi Massimo, good to hear that I'm not the only one... it doesn't solve my problem but I now feel better ;-)

> but having changed direction on the network design I am not 100% sure of
> the solution/workaround.

But you got it running, right?

> If I am not wrong you could try and assign an IP address to the xenbr0
> interface and handle DNAT from the bridge or use a lower level filtering
> like ebtables or iptables physdev module.
> I'll have a dig on my notes and let you know if I find something more
> accurate.

Great! I'm looking forward to seeing your solution. I read about ebtables but haven't used it.

Thanks a lot.

-- 
Robert M. Münch
http://www.robertmuench.de
Robert M. Münch
2008-Jul-09 18:08 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Wed, 09 Jul 2008 04:34:01 +0200, Christopher Isip <cmisip@gmail.com> wrote:

> The easiest way to do IP masquerade is with shorewall. Try the two
> interface configuration with one interface the external and the other the
> internal/bridged interface.

Hi Chris, I took a look into shorewall. I followed the information to set up a simple Xen system. But it doesn't work. I can't connect to the web-server. I always get a "connection refused".

Here is some output from the logging and TCPDUMP:

HTTP from DMZ/10.0.0.1 (wget www.robertmuench.de)

Jul  9 16:16:29 FORWARD:REJECT:IN=vif3.0 OUT=eth0 SRC=10.0.0.1 DST=87.118.120.128 LEN=65 TOS=0x00 PREC=0x00 TTL=63 ID=56283 DF PROTO=UDP SPT=32768 DPT=53 LEN=45

Here I tracked a wget 87.118.120.16. So the request comes in but is immediately answered with something that rejects/refuses the connection to be established. Error message on the requester: connection refused.

root@eisxen:~/shorewall-config# tcpdump -i eth0 host 62.141.54.100 and port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
16:42:23.415056 IP ns.km1428.keymachine.de.54159 > eisxen.www: S 2049446876:2049446876(0) win 5840 <mss 1460,sackOK,timestamp 2303776659[|tcp]>
16:42:23.416084 IP eisxen.www > ns.km1428.keymachine.de.54159: R 0:0(0) ack 2049446877 win 0

In which mode do I need to run XEN, bridged, routed, nat? I have tried bridged and nat. Same effect, doesn't work.

Best regards.

-- 
Robert M. Münch
http://www.robertmuench.de
Christopher Isip
2008-Jul-09 19:41 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Wed, Jul 9, 2008 at 2:08 PM, Robert M. Münch <robert.muench@robertmuench.de> wrote:
> Hi Chris, I took a look into shorewall. I followed the information to set up
> a simple Xen system. But it doesn't work. I can't connect to the web-server.
> I always get a "connection refused".
> [...]
> In which mode do I need to run XEN, bridged, routed, nat? I have tried
> bridged and nat. Same effect, doesn't work.

Can you access the webserver from within the xen domU? You can try lynx maybe to see if it would even load.

Also try clearing the firewall between the domU with the web server, dom0 and wherever you are trying to access it from.

What distro is your domU?

Chris
Robert M. Münch
2008-Jul-10 21:00 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Tue, 08 Jul 2008 21:05:05 +0200, Robert M. Münch <robert.muench@robertmuench.de> wrote:

> Hi all, for several days I have been trying to get NAT networking to work, which is
> driving me nuts... I don't know what to do anymore.
> [...]
> I want to run a web-server on a DomU. Hence I used the normal NAT setup
> from xen.
> [...]
> What's not working is that I can't reach the web-server running on DomU.

Hi, answering to my own posting, I have found out something I think is the source of the problem:

> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             eisxen              tcp dpt:www to:10.0.0.1:80

This rule should rewrite the incoming TCP packet with a new internal IP, so that the normal routing then routes it to the VM running the web-server. But TCPDUMP shows that the packet goes into PREROUTING and then into FORWARD:

PREROUTING ENTER: IN=xenbr0 OUT= PHYSIN=peth0 MAC=00:11:6b:94:d8:ea:00:18:74:84:8c:00:08:00 SRC=153.57.18.221 DST=87.118.120.16 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=54899 DF PROTO=TCP SPT=63149 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

FORWARD ENTER: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=153.57.18.221 DST=87.118.120.16 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=54898 DF PROTO=TCP SPT=37545 DPT=80 WINDOW=64240 RES=0x00 RST URGP=0

And DST=87.118.120.16 is my external static IP. I expected here DST=10.0.0.1

Then I have this error message:

Performing cross-bridge DNAT requires IP forwarding to be enabled

I have searched for this but didn't find anything useful. Routing is enabled but I still think there are some problems. I'm not sure if this is the source of the problem that the IP isn't rewritten.

Is this a known problem? Does anyone know a solution to this?

-- 
Robert M. Münch
http://www.robertmuench.de
Robert M. Münch
2008-Jul-10 21:16 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Wed, 09 Jul 2008 21:41:31 +0200, Christopher Isip <cmisip@gmail.com> wrote:

> Can you access the webserver from within the xen domU?

Hi, the web-server is running in the DomU. From Dom0 I can access it.

> Also try clearing the firewall between
> the domU with the web server, dom0 and wherever you are trying to
> access it from.

Well, with Dom0 and DomU I can do all I want. The only thing not working is to access the DomU web-server from the internet.

> What distro is your domU?

Debian 4

Robert
Dustin Henning
2008-Jul-11 19:48 UTC
RE: [Xen-users] NET Network / Server running on internal Network not reachable
I don't know if this will help, as I'm a bit rusty, but try it:

echo 1 > /proc/sys/net/ipv4/ip_forward

I think 1 is enabled and 0 is disabled, but if I was wrong, then it would be echo 0 above. To check before changing it, try this:

cat /proc/sys/net/ipv4/ip_forward

The first provided command should be changing this number (if it's 0, use 1 & if it's 1, use 0). If this is actually enabled already, then changing it might make bridging stop working, so due diligence (research) might be in order before following this wild guess advice. Also, there is a way to change this setting more permanently via a config file, but I don't remember what it is.

-----Original Message-----
From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Robert M. Münch
Sent: Thursday, July 10, 2008 17:01
To: xen-users@lists.xensource.com
Subject: Re: [Xen-users] NET Network / Server running on internal Network not reachable

> Hi, answering to my own posting, I have found out something I think is the
> source of the problem:
> [...]
> And DST=87.118.120.16 is my external static IP. I expected here DST=10.0.0.1
>
> Then I have this error message:
>
> Performing cross-bridge DNAT requires IP forwarding to be enabled
>
> I have searched for this but didn't find anything useful. Routing is enabled
> but I still think there are some problems. I'm not sure if this is the source
> of the problem that the IP isn't rewritten.
>
> Is this a known problem? Does anyone know a solution to this?
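Two checks that follow from Robert's netfilter LOG output and Dustin's ip_forward suggestion, written here as an added example (this is not code posted by anyone in the thread, nor from the Xen project). It assumes LOG rules with the prefixes "PREROUTING ENTER:" and "FORWARD ENTER:" exactly as in Robert's post, and the standard /proc/sys/net/ipv4/ip_forward sysctl; the two 198.51.100.7 lines are constructed (documentation address) to show what a successful DNAT looks like. One caveat worth noticing in the lines Robert quoted: the PREROUTING entry is a SYN with ID=54899 SPT=63149 while the FORWARD entry is a RST with ID=54898 SPT=37545, so they are two different packets. The script therefore pairs lines by SRC, SPT and IP ID before comparing DST, and reports the SYN as never having reached FORWARD rather than as "unchanged".

```shell
#!/bin/sh
# Added example for the xen-users thread (not the project's or the posters' code).
# Assumptions: netfilter LOG prefixes "PREROUTING ENTER:" / "FORWARD ENTER:",
# and the usual /proc/sys/net/ipv4/ip_forward sysctl.

# ip_forward_enabled [FILE]
# Returns 0 when the sysctl file holds "1", 1 when it holds anything else and
# 2 when it cannot be read. FILE defaults to the real sysctl path; passing a
# file lets the check run where /proc is not available.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# analyze_log < LOGLINES
# Pairs each PREROUTING line with the FORWARD line of the same packet
# (SRC, SPT and IP ID) and prints one line per packet: REWRITTEN when DST
# changed between the two hooks (DNAT applied), UNCHANGED when it did not,
# NOT_FORWARDED when the packet never reached FORWARD. FORWARD-only packets
# are listed with their PHYSOUT so the bridge port they went to is visible.
analyze_log() {
    awk '
    {
        split("", kv)                      # clear the KEY=value map per line
        for (i = 1; i <= NF; i++)
            if (split($i, p, "=") == 2) kv[p[1]] = p[2]
        key = kv["SRC"] ":" kv["SPT"] "/" kv["ID"]
        if ($0 ~ /PREROUTING ENTER/) pre[key] = kv["DST"]
        else if ($0 ~ /FORWARD ENTER/) { fwd[key] = kv["DST"]; out[key] = kv["PHYSOUT"] }
    }
    END {
        for (k in pre) {
            if (k in fwd)
                printf "%s prerouting_dst=%s forward_dst=%s %s\n", k, pre[k], fwd[k], (pre[k] == fwd[k]) ? "UNCHANGED" : "REWRITTEN"
            else
                printf "%s prerouting_dst=%s forward_dst=- NOT_FORWARDED\n", k, pre[k]
        }
        for (k in fwd)
            if (!(k in pre))
                printf "%s prerouting_dst=- forward_dst=%s physout=%s FORWARD_ONLY\n", k, fwd[k], out[k]
    }'
}

# Sample input: the two lines quoted in Robert's post, followed by one
# CONSTRUCTED pair (198.51.100.7) in which DST is rewritten to the DomU.
sample_log() {
    cat <<'EOF'
PREROUTING ENTER: IN=xenbr0 OUT= PHYSIN=peth0 MAC=00:11:6b:94:d8:ea:00:18:74:84:8c:00:08:00 SRC=153.57.18.221 DST=87.118.120.16 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=54899 DF PROTO=TCP SPT=63149 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
FORWARD ENTER: IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=153.57.18.221 DST=87.118.120.16 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=54898 DF PROTO=TCP SPT=37545 DPT=80 WINDOW=64240 RES=0x00 RST URGP=0
PREROUTING ENTER: IN=xenbr0 OUT= PHYSIN=peth0 SRC=198.51.100.7 DST=87.118.120.16 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1000 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
FORWARD ENTER: IN=xenbr0 OUT=vif2.0 PHYSIN=peth0 SRC=198.51.100.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1000 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Demo run on the embedded sample; on a live dom0 feed analyze_log from the
# kernel log instead (its path depends on the syslog setup, so none is assumed).
sample_log | analyze_log
```

On the sample above the script prints the SYN from 153.57.18.221 as NOT_FORWARDED, the RST as FORWARD_ONLY headed for vif0.0 (dom0's own port on the bridge, not the DomU's vif2.0), and the constructed flow as REWRITTEN to 10.0.0.1. Calling ip_forward_enabled with no argument reads the real sysctl, which is the check Dustin describes; its exit status can be used directly in an if.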
Christopher Isip
2008-Jul-13 03:42 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
I am going to try to see if I can create a domU webserver. I need it to host anyterm. There might be some xen peculiarities at work here that I am not aware of. If I get a working configuration, I can post it here. First I will post a question to the list regarding security of dmz domUs in bridged interfaces.

Chris
Christopher Isip
2008-Jul-17 21:55 UTC
Re: [Xen-users] NET Network / Server running on internal Network not reachable
On Sat, Jul 12, 2008 at 11:42 PM, Christopher Isip <cmisip@gmail.com> wrote:
> I am going to try to see if I can create a domU webserver. I need it to
> host anyterm. There might be some xen peculiarities at work here that I am
> not aware of. If I get a working configuration, I can post it here. First
> I will post a question to the list regarding security of dmz domUs in
> bridged interfaces.
>
> Chris

I managed to get a couple of dmz webservers running in xen domUs. I got it done without the use of iptables or ebtables. I used shorewall. It's nowhere near as complicated as the shorewall howtos on the net, although I am not sure how secure the setup would be. I have another thread in the list addressing this.

My configuration is dom0 with two physical nics. One is pcibacked to an Asterisk/DNS/IPMasq/Firewall/DHCPServer domU. The other (peth0) is bridged to bridge eth0. My local domUs in this machine are connected to the eth0 bridge. The dmz domUs are connected to a bridge with no physical interface enslaved to it (xenbrD). The Asterisk domU has three interfaces then: eth0 - pcibacked nic (external to the internet), eth1 - the vif interface to the bridged nic (connection to local lan) and eth2 - the vif interface connected to the dmz bridge (connection to the dmz domUs).

If you want to try this configuration, let me know and I can post the details. I used to have dom0 firewall routing but I don't have that setup anymore although I have some ideas on how it might(?) work.

Chris