
Re: [Xen-users] can't get NAT to a VM on domU working


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: "Roberto Saccon" <rsaccon@xxxxxxxxx>
  • Date: Fri, 28 Apr 2006 16:02:09 -0300
  • Delivery-date: Fri, 28 Apr 2006 12:02:49 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

SOLVED

I also had corrupt TCP checksums. "ethtool -K eth0 tx off" did the trick (currently mentioned in various other threads).

On 4/23/06, Hardy Wolf <hardy@xxxxxxxxxxxxxxxx> wrote:
I am using the XEN script, but only to switch to NAT.
I only overwrote the firewall rules. It works without them. But security isn't the important thing in my configuration, because no services will run in my dom0.
 
Greets,
Hardy
----- Original Message -----
Sent: Saturday, April 22, 2006 8:51 PM
Subject: Re: [Xen-users] can't get NAT to a VM on domU working

Thanks Hardy, I will give your script a try. However I have one question: did you not use the xen network scripts (/etc/xen/xend-config.sxp) at all, or did you just overwrite their firewall rules?

regards
Roberto


On 4/22/06, Hardy Wolf <hardy@xxxxxxxxxxxxxxxx> wrote:
Hi,
 
I am using NAT in XEN 3.0.1 and it works.
I have one dom0 and one domU, but I think it will work for more domUs, too.

I have an iptables script that runs on every bootup:
 
 
========== SNIP ==========
#!/bin/bash
ipt=/sbin/iptables
# external address of dom0 (placeholder; the script as posted left $extip unset)
extip=203.0.113.10

# flush existing rules so the script can be re-run without duplicating them
$ipt -F -t nat
$ipt -F
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT

# let dom0 route packets between the external interface and the domU network
echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 22 -j DNAT --to 10.0.0.3
# FTP
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 21 -j DNAT --to 10.0.0.3
# FTP-Passive Ports
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 10001:10020 -j DNAT --to 10.0.0.3

# outbound traffic from the domU network leaves with dom0's address
$ipt -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
========== SNAP ==========
 
That's it.
 
If you want to change the destination port (i.e. --to 10.0.0.3:22), I think it will work, too.
 
The important lines are
 -> echo "1" ...
and
 -> ... MASQUERADE

So any outbound network traffic is possible, as well as inbound traffic on the specified ports.

This script has a further function: the lines beginning with "$ipt -F" first delete all existing rules and then replace them with the new ones. So you can extend your script with a further rule (or delete a rule) and run it without any connection loss.



--
Roberto Saccon

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

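As an added example (not Hardy's script and not part of the Xen project), the same NAT setup with the FORWARD chain defaulting to DROP, so only the forwarded ports and return traffic are routed to the domU instead of everything; the dom0 address 203.0.113.10 and the APPLY/IPT variables are assumptions, and without APPLY=1 the script only prints the rules it would install.

```shell
#!/bin/bash
# Added example, not Hardy's script: same NAT setup, but the FORWARD chain
# defaults to DROP so only the forwarded ports and return traffic reach the domU.
# Without APPLY=1 the rules are only printed (IPT=echo); run as root with
# APPLY=1 to install them. 203.0.113.10 is a placeholder for dom0's address.
IPT=echo
extip="${extip:-203.0.113.10}"   # external address of dom0 (placeholder)
domu="10.0.0.3"                  # domU behind the NAT, as in the thread
lan="10.0.0.0/24"                # NAT'd network, as in the thread

nat_rules() {
    # flush first so re-running the script does not duplicate rules
    $IPT -F -t nat
    $IPT -F
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP         # default deny for routed traffic

    # return traffic for connections already accepted below
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything the domU itself opens towards the outside
    $IPT -A FORWARD -s "$lan" -j ACCEPT

    # SSH, FTP control and the FTP passive range: DNAT to the domU and
    # explicitly allow the rewritten packets through FORWARD
    for spec in 22 21 10001:10020; do
        $IPT -t nat -A PREROUTING -d "$extip" -p tcp --dport "$spec" -j DNAT --to "$domu"
        $IPT -A FORWARD -d "$domu" -p tcp --dport "$spec" -m state --state NEW -j ACCEPT
    done

    # outbound domU traffic leaves with dom0's address
    $IPT -t nat -A POSTROUTING -s "$lan" -j MASQUERADE
}

if [ "${APPLY:-0}" = 1 ]; then
    IPT=/sbin/iptables
    echo 1 > /proc/sys/net/ipv4/ip_forward   # dom0 must route for NAT to work
fi
nat_rules
```

The dry run is useful for diffing against `iptables-save` on the running dom0 before applying.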