
[Xen-users] Strange XEN NAT problem


  • To: xen-users@xxxxxxxxxxxxxxxxxxx
  • From: Philipp Periventas <coin3d@xxxxxxxxx>
  • Date: Wed, 30 Jul 2008 00:19:55 +0200
  • Delivery-date: Wed, 30 Jul 2008 02:12:29 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hello there,

I've got a problem regarding my XEN network setup. First of all, I'll just tell you what doesn't work: access to a forwarded (NATted) port (e.g. port 80, http) of a dom (no matter if dom0 or domU) via the server's external IP address (from "inside") does not work (connection refused). Here's the layout of my xen virtual network:

                     one machine with an external ip
                     |                           |
                     |                           |
           eth0 (85.214.xxx.xxx)        xenbr0 (bridge 10.0.0.1)
                                         |                 |
                                         |                 |
                              webserver (10.0.0.2)   mailserver (10.0.0.3)

So the server has one external IP and I want to use two domUs for web and mail behind it, therefore I have to use masquerading. While building up this configuration, I was inspired by this tutorial: http://en.opensuse.org/Xen3_and_a_Virtual_Network

To come back to the problem: NAT (masquerading) and port forwarding just work fine. I can connect to the webserver by using http://85.214.113.119 without any problems from HOME. But when I try to connect to http://85.214.113.119 from INSIDE (e.g. from dom0 or the webserver, it doesn't matter), I cannot make a connection (lynx says connection refused). Also a port scan with nmap does not show me the open port 80 from inside (while from outside it does). I messed with iptables all the time, since I could not figure out why this happens, so I decided just to create a very plain iptables configuration. Here is my iptables output:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.0.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Has anyone had a similar problem and maybe solved it?

Thanks in advance


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
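An added example, not from the post above or from the Xen project, that parses an `iptables -t nat -L` listing of the form shown in the post and audits it for one thing the listing makes visible: the DNAT rule lives only in PREROUTING, while packets dom0 generates itself traverse the nat OUTPUT chain instead, which here is empty. The sample listing embedded in the script is constructed from the post's output.

```python
import re

# Constructed sample: the nat table listing from the post above,
# re-typed here so the script runs offline without a Xen host.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.0.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

def parse_nat_listing(text):
    """Parse `iptables -t nat -L` output into {chain: [rule dicts]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() and not line.startswith("target") and current:
            parts = line.split()  # target prot opt source destination [match...]
            chains[current].append({"target": parts[0], "prot": parts[1],
                                    "extra": " ".join(parts[5:])})
    return chains

def dnat_rules(chains, chain):
    """Return (dport, to) tuples for the DNAT rules in the named chain."""
    found = []
    for rule in chains.get(chain, []):
        m = re.search(r"dpt:(\S+) to:(\S+)", rule["extra"])
        if rule["target"] == "DNAT" and m:
            found.append(m.groups())
    return found

def audit_hairpin(chains):
    """Map each PREROUTING forward to whether nat OUTPUT carries the same
    DNAT. Packets dom0 itself generates never traverse PREROUTING, so
    without that OUTPUT rule dom0's own connections to the external IP
    are not redirected to the domU."""
    local = dnat_rules(chains, "OUTPUT")
    return {f"{port}->{dest}": (port, dest) in local
            for port, dest in dnat_rules(chains, "PREROUTING")}
```

Run it against the real listing by replacing the sample string with the captured output; a `False` entry means dom0's own connections to that port are not covered by the forward.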