Thierry B
2011-Aug-03 17:55 UTC
[Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode
Hello,
I've installed Xen 4 on a Debian Squeeze server, with one VM which runs
in route mode configuration with an IP failover.
I wanted to create another VM which runs in NAT mode, so I did this:
- I left my xend-config.sxp with:
(network-script 'network-route netdev=eth0')
(vif-script vif-route)
because my first VM is the most important....
For the second, I put this in the cfg file:
vif = [ 'ip=192.168.1.2,mac=00:16:3E:xxxx:xx, script=vif-nat, vifname=vif-debianTest' ]
I modified vif-nat a little:
routing_ip()
{
    #echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
    echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."254}')
}
so that VM2 always has a static IP as its gateway (to configure it afterwards in
its interfaces file).
I can ping VM2 from dom0, ping dom0 from VM2, and have internet access from VM2,
but it is impossible to set up a port mapping between dom0 and domU....
I'd like, for example, to redirect port 2222 of my dom0 to port 22 of VM2:
I put these iptables rules for VM2:
#!/bin/bash
# Reset the tables
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
# Block all traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Forward everything that arrives from the VM2 vif
iptables -A FORWARD -i vif-debianTest -j ACCEPT
# Redirect dom0:2222 to VM2:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.2:22
#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif-debianTest -j ACCEPT
#iptables -A FORWARD -p udp -m physdev --physdev-in vif-debianTest -m udp --sport 68 --dport 67 -j ACCEPT
#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif-debianTest -j ACCEPT
# Source-NAT VM2 behind the public address
iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source my_public_ip
The rules with # were uncommented for testing, but it changes nothing...
# tcpdump -i eth0 tcp port 2222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:54:02.662761 IP lev92-4-88-164-133-124.fbx.proxad.net.21384 >
sd-xxxx.dedibox.fr.2222: Flags [S], seq 2030026446, win 65535, options
[mss 1460,nop,nop,sackOK], length 0
19:54:05.681658 IP lev92-4-88-164-133-124.fbx.proxad.net.21384 >
sd-xxxx.dedibox.fr.2222: Flags [S], seq 2030026446, win 65535, options
[mss 1460,nop,nop,sackOK], length 0
...
It seems that nothing is forwarded from eth0 to vif-debianTest.
But :
# cat /proc/sys/net/ipv4/ip_forward
1
# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1
# cat /proc/sys/net/ipv4/conf/all/forwarding
1
# ifconfig vif-debianTest
vif-debianTest Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet addr:192.168.1.254 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:196 (196.0 B) TX bytes:160 (160.0 B)
I tested with a laptop at home and it seems to work if I use network-nat
and vif-nat directly in xend-config.sxp, but I don't understand why it
doesn't work with this configuration :-(
Thanks.
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Todd Deshane
2011-Aug-04 04:31 UTC
Re: [Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode
On Wed, Aug 3, 2011 at 1:55 PM, Thierry B <xen-users@tbzone.org> wrote:
> Hello,
>
> I've installed Xen 4 on a Debian Squeeze server, with one VM which runs
> in route mode configuration with an IP failover.
>
> I wanted to create another VM which runs in NAT mode, so I did this:
>
> - I left my xend-config.sxp with:
>
> (network-script 'network-route netdev=eth0')
> (vif-script vif-route)
>
> because my first VM is the most important....
>
> For the second, I put this in the cfg file:
>
> vif = [ 'ip=192.168.1.2,mac=00:16:3E:xxxx:xx, script=vif-nat, vifname=vif-debianTest' ]
>

Are you able to confirm that Xen is making use of these scripts? For
example, adding a set -x to the scripts and booting the guest to make
sure the scripts are being called. And/or manually checking that the
iptables rules are being put into place correctly.

Another approach is described in this thread:
http://xen.markmail.org/search/?q=nat+networking#query:nat%20networking+page:1+mid:fksxauxxxqxotgz4+state:results

Which links to:
http://www.andrewsorensen.net/blog/post/nat-networking-in-debian-squeeze

Thanks,
Todd

--
Todd Deshane
http://www.linkedin.com/in/deshantm
http://www.xen.org/products/cloudxen.html
http://runningxen.com/
Thierry B
2011-Aug-06 09:45 UTC
Re: [Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode
On 04/08/2011 06:31, Todd Deshane wrote:
> Are you able to confirm that Xen is making use of these scripts? For
> example, adding a set -x to the scripts and booting the guest to make
> sure the scripts are being called. And/or manually checking that the
> iptables rules are being put into place correctly. Another approach is
> described in this thread:
> http://xen.markmail.org/search/?q=nat+networking#query:nat%20networking+page:1+mid:fksxauxxxqxotgz4+state:results
> Which links to:
> http://www.andrewsorensen.net/blog/post/nat-networking-in-debian-squeeze
> Thanks, Todd

Yes, I'm able to confirm that, because it's vif-nat which gives the static
IP 192.168.1.254 to vif-debianTest, by modifying this:

routing_ip()
{
    #echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
    echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."254}')
}

I use a dedibox, and bridge mode is not authorized... I can only route
with an IP failover that I have to buy, or NAT, and I'd like to have one
VM which uses an IP failover and another one NAT.

Thanks.
Thierry B
2011-Aug-07 09:12 UTC
Re: [Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode
On 06/08/2011 11:45, Thierry B wrote:
> On 04/08/2011 06:31, Todd Deshane wrote:
>> Are you able to confirm that Xen is making use of these scripts? For
>> example, adding a set -x to the scripts and booting the guest to make
>> sure the scripts are being called. And/or manually checking that the
>> iptables rules are being put into place correctly. Another approach is
>> described in this thread:
>> http://xen.markmail.org/search/?q=nat+networking#query:nat%20networking+page:1+mid:fksxauxxxqxotgz4+state:results
>> Which links to:
>> http://www.andrewsorensen.net/blog/post/nat-networking-in-debian-squeeze
>> Thanks, Todd
> Yes, I'm able to confirm that, because it's vif-nat which gives the static
> IP 192.168.1.254 to vif-debianTest, by modifying this:
>
> routing_ip()
> {
>     #echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
>     echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."254}')
> }
>
> I use a dedibox, and bridge mode is not authorized... I can only route
> with an IP failover that I have to buy, or NAT, and I'd like to have one
> VM which uses an IP failover and another one NAT.
>
> Thanks.

Hello,

These are my complete rules:

# iptables -L -v | more

Chain INPUT (policy DROP 860 packets, 95727 bytes)
 pkts bytes target     prot opt in             out     source                                 destination
   18  2185 ACCEPT     all  --  lo             any     anywhere                               anywhere
    8   792 ACCEPT     icmp --  any            any     anywhere                               anywhere
 1065 83852 ACCEPT     tcp  --  eth0           any     lev92-4-88-164-133-124.fbx.proxad.net  anywhere             tcp dpt:ssh
    5   544 ACCEPT     all  --  eth0           any     anywhere                               anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  vif2.0         any     anywhere                               anywhere
    0     0 ACCEPT     all  --  vif-debianTest any     anywhere                               anywhere

Chain FORWARD (policy DROP 11 packets, 528 bytes)
 pkts bytes target     prot opt in             out     source                                 destination
 1517  322K ACCEPT     all  --  eth0           any     anywhere                               anywhere             state RELATED,ESTABLISHED
   10   496 ACCEPT     all  --  eth0           any     anywhere                               88-190-238-164.rev.dedibox.fr
 1605  143K ACCEPT     all  --  vif2.0         any     anywhere                               anywhere
    0     0 ACCEPT     all  --  vif-xenwinxp   any     anywhere                               anywhere
    0     0 ACCEPT     all  --  vif-debianTest any     anywhere                               anywhere
    0     0 ACCEPT     all  --  any            any     anywhere                               anywhere             state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif-debianTest
    0     0 ACCEPT     udp  --  any            any     anywhere                               anywhere             PHYSDEV match --physdev-in vif-debianTest udp spt:bootpc dpt:bootps
    0     0 ACCEPT     all  --  any            any     anywhere                               anywhere             state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif-debianTest
    0     0 ACCEPT     all  --  any            any     xenDebianTest                          anywhere             PHYSDEV match --physdev-in vif-debianTest

Chain OUTPUT (policy ACCEPT 886 packets, 129K bytes)
 pkts bytes target     prot opt in             out     source                                 destination
   24  2946 ACCEPT     all  --  any            lo      anywhere                               anywhere

# iptables -L -t nat -v | more

Chain PREROUTING (policy ACCEPT 1265 packets, 132K bytes)
 pkts bytes target     prot opt in             out     source                                 destination
   11   528 DNAT       tcp  --  eth0           any     anywhere                               anywhere             tcp dpt:2222 to:192.168.1.2:22

Chain POSTROUTING (policy ACCEPT 27 packets, 1850 bytes)
 pkts bytes target     prot opt in             out     source                                 destination
  110  7826 SNAT       all  --  any            eth0    88-190-238-164.rev.dedibox.fr          anywhere             to:88.190.238.164
    0     0 SNAT       all  --  any            any     192.168.0.2                            anywhere             to:88.190.15.135
    0     0 SNAT       all  --  any            any     xenDebianTest                          anywhere             to:88.190.15.135

Chain OUTPUT (policy ACCEPT 21 packets, 1538 bytes)
 pkts bytes target     prot opt in             out     source                                 destination

Thanks :-)
Thierry B
2011-Aug-11 18:21 UTC
Re: [Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode
On 07/08/2011 11:12, Thierry B wrote:
> On 06/08/2011 11:45, Thierry B wrote:
>> On 04/08/2011 06:31, Todd Deshane wrote:
>>> Are you able to confirm that Xen is making use of these scripts? For
>>> example, adding a set -x to the scripts and booting the guest to make
>>> sure the scripts are being called. And/or manually checking that the
>>> iptables rules are being put into place correctly. [...]
>> Yes, I'm able to confirm that, because it's vif-nat which gives the static
>> IP 192.168.1.254 to vif-debianTest, by modifying this:
>> [...]
>> I use a dedibox, and bridge mode is not authorized... I can only route
>> with an IP failover that I have to buy, or NAT, and I'd like to have one
>> VM which uses an IP failover and another one NAT.
>>
>> Thanks.
> Hello,
>
> These are my complete rules:
>
> # iptables -L -v | more
> [...]
> Chain FORWARD (policy DROP 11 packets, 528 bytes)
> [...]
> # iptables -L -t nat -v | more
> Chain PREROUTING (policy ACCEPT 1265 packets, 132K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    11   528 DNAT       tcp  --  eth0   any     anywhere             anywhere             tcp dpt:2222 to:192.168.1.2:22
> [...]
> Thanks :-)

Hello,

I found it. I applied my FORWARD rule not to the vif interface but to the IP, and it works!

iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.2 --dport 22 -j ACCEPT

Thanks :-)
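The fix the thread ends on follows from where DNAT happens. The nat PREROUTING rule rewrites the destination before the routing decision, so by the time the forwarded SYN reaches the filter FORWARD chain it has in=eth0, out=vif-debianTest and dst=192.168.1.2:22. A FORWARD rule keyed on "-i vif-debianTest" only ever matches the guest's own outbound traffic, and with a DROP policy the inbound SYN is discarded (the listing shows this: FORWARD dropped 11 packets / 528 bytes, exactly what PREROUTING DNATed). The "-m physdev" rules stay at 0 hits because physdev matches packets crossing a bridge, and a routed or NATed vif is not a bridge port. The script below is an added example written for this page, not code posted in the thread or shipped with Xen; it assembles the dom0 ruleset for this setup with the FORWARD rule keyed on the rewritten destination and output interface, which is narrower than the poster's final rule (no "-i eth0 -o vif" pin there). It takes eth0, vif-debianTest, 192.168.1.2 and the 2222 to 22 mapping from the thread; PUBLIC_IP is a placeholder to fill in, and the helper names (ipt, sysctl_on, apply_all and the rule functions) are this example's own. By default it only prints the commands; run with APPLY=1 as root on the dom0 to load them.

```sh
#!/bin/sh
# Added example (not from the thread): dom0 ruleset for one NATed domU with a
# DNAT port-forward, written so the FORWARD chain accepts the forwarded flow.
# Assumed values: public interface eth0, guest vif vif-debianTest, guest IP
# 192.168.1.2, public port 2222 forwarded to guest port 22. PUBLIC_IP is a
# placeholder. Without APPLY=1 the script prints the commands instead of
# running them, so it can be reviewed without root.

PUB_IF="${PUB_IF:-eth0}"
GUEST_VIF="${GUEST_VIF:-vif-debianTest}"
GUEST_IP="${GUEST_IP:-192.168.1.2}"
PUB_PORT="${PUB_PORT:-2222}"
GUEST_PORT="${GUEST_PORT:-22}"
PUBLIC_IP="${PUBLIC_IP:-my_public_ip}"

# Run iptables, or print the exact command when not applying.
ipt() {
  if [ "${APPLY:-0}" = 1 ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# Enable a sysctl, or print the command when not applying.
sysctl_on() {
  if [ "${APPLY:-0}" = 1 ]; then
    sysctl -q -w "$1=1"
  else
    echo "sysctl -w $1=1"
  fi
}

flush_rules() {
  ipt -t filter -F
  ipt -t filter -X
  ipt -t nat -F
  ipt -t nat -X
}

# Default deny on INPUT and FORWARD; dom0 keeps loopback, ICMP and
# replies to connections it opened itself.
base_policy() {
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -p icmp -j ACCEPT
  ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Guest-originated traffic: enters dom0 on the vif, leaves on eth0, and is
# source-NATed to the public address. "-i $GUEST_VIF" covers this direction
# only; it never matches traffic heading into the guest.
guest_outbound_rules() {
  ipt -A FORWARD -i "$GUEST_VIF" -o "$PUB_IF" -s "$GUEST_IP" -j ACCEPT
  ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ipt -t nat -A POSTROUTING -s "$GUEST_IP" -o "$PUB_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Inbound port-forward. DNAT runs in PREROUTING, before routing, so the SYN
# reaches FORWARD with in=$PUB_IF, out=$GUEST_VIF, dst=$GUEST_IP:$GUEST_PORT.
# Match on the rewritten destination and the output vif, and only on NEW so
# everything else rides on the RELATED,ESTABLISHED rule above.
port_forward_rules() {
  ipt -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$PUB_PORT" \
      -j DNAT --to-destination "$GUEST_IP:$GUEST_PORT"
  ipt -A FORWARD -i "$PUB_IF" -o "$GUEST_VIF" -p tcp -d "$GUEST_IP" \
      --dport "$GUEST_PORT" -m state --state NEW -j ACCEPT
}

apply_all() {
  sysctl_on net.ipv4.ip_forward
  flush_rules
  base_policy
  guest_outbound_rules
  port_forward_rules
}

apply_all
```

Running it without APPLY=1 prints fifteen iptables commands plus the sysctl; diffing that output against "iptables-save" on the dom0 is a quick way to see which rule is missing when a forward silently fails, and the FORWARD packet counters in "iptables -L -v" tell you whether the SYN is reaching the chain at all.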