xen-users

Re: [Xen-users] can't get NAT to a VM on domU working

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] can't get NAT to a VM on domU working
From: "Roberto Saccon" <rsaccon@xxxxxxxxx>
Date: Fri, 28 Apr 2006 16:02:09 -0300
Delivery-date: Fri, 28 Apr 2006 12:02:49 -0700
In-reply-to: <001b01c666ca$ca48e680$caa8a8c0@Michael>
References: <eb4177b00604211822ye3d92f2j60ca15f3135bae06@xxxxxxxxxxxxxx> <003b01c66605$289e7220$caa8a8c0@Michael> <eb4177b00604221151k1e69e400v5b59ee7fadf61bb3@xxxxxxxxxxxxxx> <001b01c666ca$ca48e680$caa8a8c0@Michael>
SOLVED

I also had corrupt TCP checksums. "ethtool -K eth0 tx off" did the trick (currently mentioned in various other threads).

On 4/23/06, Hardy Wolf <hardy@xxxxxxxxxxxxxxxx> wrote:
I am using the Xen script, but only to switch to NAT.
I only overwrote the firewall rules. It works without them. But security isn't the important thing in my configuration, because no services will run in my dom0.
 
Greets,
Hardy
----- Original Message -----
Sent: Saturday, April 22, 2006 8:51 PM
Subject: Re: [Xen-users] can't get NAT to a VM on domU working

Thanks Hardy, I will give your script a try. However I have one question: did you not use the Xen network scripts (/etc/xen/xend-config.sxp) at all, or did you just overwrite their firewall rules?

regards
Roberto


On 4/22/06, Hardy Wolf <hardy@xxxxxxxxxxxxxxxx> wrote:
Hi,
 
I am using NAT in Xen 3.0.1 and it works.
I have one dom0 and one domU, but I think it will work for more domUs, too.
 
I have an iptables script that runs on every bootup:
 
 
========== SNIP ==========
#!/bin/bash
ipt=/sbin/iptables

# Public address of dom0 that the DNAT rules below match on.
# The script as posted never set this variable; it is taken from the
# environment here and the script aborts if it is missing.
extip=${EXTIP:?"set EXTIP to dom0's public address"}

# Flush the nat and filter tables, then set permissive default policies
$ipt -F -t nat
$ipt -F
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT

# Let dom0 route packets between its interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH: forward port 22 on the public address to the domU
$ipt -t nat -A PREROUTING -d "$extip" -p tcp --dport 22 -j DNAT --to 10.0.0.3
# FTP control channel
$ipt -t nat -A PREROUTING -d "$extip" -p tcp --dport 21 -j DNAT --to 10.0.0.3
# FTP passive data ports (the range the domU's ftpd is configured for)
$ipt -t nat -A PREROUTING -d "$extip" -p tcp --dport 10001:10020 -j DNAT --to 10.0.0.3

# Source NAT for everything the domU subnet sends out
$ipt -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
========== SNAP ==========
 
That's it.
 
If you want to change the destination port (e.g. --to 10.0.0.3:22), I think it will work, too.
 
The important lines are
 -> echo "1" ...
and
 -> ... MASQUERADE
 
So all outbound network traffic is possible, and inbound traffic for the specified ports.
 
This script has a further function: the lines beginning with "$ipt -F" first delete all existing rules and then the new ones are written. So you can update your script with a further rule (or delete a rule) and run it without any connection loss.



--
Roberto Saccon

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

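The following is an added example and not part of the thread: a tightened version of Hardy's dom0 NAT setup written as an iptables-restore ruleset rather than a flush-and-readd script. It keeps the same DNAT ports (22, 21, 10001:10020) and domU address (10.0.0.3) but defines the external address the posted script left unset, sets FORWARD to DROP so only the DNATed ports and domU-initiated traffic are forwarded, and applies the whole ruleset atomically. The external address 203.0.113.10 and interface name eth0 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).  Builds a dom0 NAT
# ruleset for iptables-restore from four parameters and applies it
# atomically.  Values used below are hypothetical: 203.0.113.10 as dom0's
# public address and eth0 as its external interface; 10.0.0.0/24 and the
# domU 10.0.0.3 are the addresses used in the thread.
set -eu

# Emit an iptables-restore ruleset on stdout.
#   $1 external IP, $2 external interface, $3 domU subnet, $4 domU IP
build_nat_rules() {
    extip=$1; extif=$2; lan=$3; domu=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SSH and FTP control channel, rewritten to the domU
-A PREROUTING -i $extif -d $extip -p tcp --dport 22 -j DNAT --to-destination $domu
-A PREROUTING -i $extif -d $extip -p tcp --dport 21 -j DNAT --to-destination $domu
# FTP passive data ports (the range the domU's ftpd is configured for)
-A PREROUTING -i $extif -d $extip -p tcp --dport 10001:10020 -j DNAT --to-destination $domu
# Source NAT for everything the domU subnet sends out
-A POSTROUTING -s $lan -o $extif -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets belonging to connections already in the conntrack table
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections the domUs open towards the outside
-A FORWARD -s $lan -o $extif -m conntrack --ctstate NEW -j ACCEPT
# New inbound connections only on the DNATed ports; everything else hits DROP
-A FORWARD -i $extif -d $domu -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $extif -d $domu -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $extif -d $domu -p tcp --dport 10001:10020 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set; lets the shape be checked without root.
count_rules() {
    build_nat_rules "$@" | grep -c '^-A '
}

# Enable forwarding and load the ruleset.  iptables-restore replaces each
# table in one step, so re-running after an edit never leaves a moment in
# which FORWARD is at its DROP policy with no ACCEPT rules loaded, which a
# flush-then-add script would.
apply_nat_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_nat_rules "$@" | iptables-restore
}

# The TX checksum offload workaround from the thread is separate from the
# ruleset; inside the affected domU it is:  ethtool -K eth0 tx off

if [ "${1:-}" = "apply" ]; then
    apply_nat_rules 203.0.113.10 eth0 10.0.0.0/24 10.0.0.3
else
    # Default: print the ruleset for inspection or for `iptables-restore --test`
    build_nat_rules 203.0.113.10 eth0 10.0.0.0/24 10.0.0.3
fi
```

Run without arguments it only prints the ruleset; `sh nat.sh apply` loads it as root. INPUT is left at ACCEPT to match Hardy's stated assumption that dom0 runs no services; on a dom0 that does, INPUT deserves the same treatment as FORWARD.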