
Re: [Xen-users] can't get NAT to a VM on domU working



The XEN script I am using, but only to switch to NAT.
I only overwrote the firewall rules. It works without them. But security isn't the important thing in my configuration, because no services will run in my dom0.
 
Greets,
Hardy
----- Original Message -----
Sent: Saturday, April 22, 2006 8:51 PM
Subject: Re: [Xen-users] can't get NAT to a VM on domU working

Thanks Hardy, I will give your script a try. However, I have one question: did you not use the Xen network scripts (/etc/xen/xend-config.sxp) at all, or did you just overwrite their firewall rules?

regards
Roberto


On 4/22/06, Hardy Wolf <hardy@xxxxxxxxxxxxxxxx> wrote:
Hi,
 
I am using NAT in XEN 3.0.1 and it works.
I have one dom0 and one domU, but I think it will work for more domUs, too.
 
I have an iptables script that runs on every bootup:
 
 
========== SNIP ==========
#!/bin/bash
ipt=/sbin/iptables
# the dom0 external address the forwarded ports are published on
# (not set in the original script; it must be supplied by the caller)
extip=${extip:?set extip to the dom0 external address}

# flush the nat and filter tables, then reset the default policies to ACCEPT
$ipt -F -t nat
$ipt -F
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT

# let dom0 route packets between the domU and the outside
echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 22 -j DNAT --to 10.0.0.3
# FTP
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 21 -j DNAT --to 10.0.0.3
# FTP-Passive Ports
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 10001:10020 -j DNAT --to 10.0.0.3

# rewrite the domU source address to dom0's address on the way out
$ipt -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
========== SNAP ==========
 
That's it.
 
If you want to change the destination port (i.e. --to 10.0.0.3:22), I think it will work, too.
 
Important are the lines
 -> echo "1" ...
and
 -> ... MASQUERADE
 
So any outbound network traffic is possible, and inbound traffic for the specified ports.
 
This script has a further function: the lines beginning with "$ipt -F" first delete all existing rules and then replace them with the new ones. So you can extend your script with a further rule (or delete a rule) and run it without any connection loss.



--
Roberto Saccon
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
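As an added example, not Hardy's script or anything from the Xen project: the same DNAT plus MASQUERADE setup, but with the FORWARD chain defaulting to DROP so that only the published ports reach the domU, and with a dry-run mode that prints the rules for review before they are applied. eth0 and 192.0.2.10 are assumed placeholders; 10.0.0.3 and 10.0.0.0/24 are the addresses from the original script.

```shell
#!/bin/bash
# Added example (not Hardy's script): DNAT + MASQUERADE for a Xen domU with
# FORWARD defaulting to DROP, so only the forwarded ports reach the guest.
# Assumed values: eth0, 192.0.2.10 (constructed dom0 public address);
# 10.0.0.3 and 10.0.0.0/24 come from the original script.
EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-192.0.2.10}
DOMU_IP=${DOMU_IP:-10.0.0.3}
DOMU_NET=${DOMU_NET:-10.0.0.0/24}

# With DRY_RUN set, print the rules instead of applying them, so the
# ruleset can be reviewed on a workstation before it touches dom0.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}
enable_forwarding() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_rules() {
    enable_forwarding
    # Flush, then default-deny forwarding; every allowed flow is explicit.
    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # Replies to existing flows, and anything the domU sends outbound.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s "$DOMU_NET" -o "$EXT_IF" -j ACCEPT
    # Inbound: one DNAT plus one matching FORWARD accept per published port.
    for ports in 22 21 10001:10020; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp \
            --dport "$ports" -j DNAT --to-destination "$DOMU_IP"
        ipt -A FORWARD -i "$EXT_IF" -d "$DOMU_IP" -p tcp --dport "$ports" \
            -m state --state NEW -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -s "$DOMU_NET" -o "$EXT_IF" -j MASQUERADE
}

# Only apply the rules when called with "apply"; otherwise print them.
if [ "${1:-}" = apply ]; then nat_rules; else DRY_RUN=1 nat_rules; fi
```

Run it without arguments to see the generated rules, and as root with `apply` to install them.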