Never mind ... I think the problem is with the nat chain. I did not realize that iptables -vnL doesn't show everything. I had to do iptables -t nat -vnL and sure enough there's the chain.

root@Dom0:/etc/xen# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 6 packets, 639 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.200:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.200:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.200:80
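An added example, not code from the thread: a small Python parser for `iptables -t nat -vnL` output that pulls out every DNAT rule across all chains and flags rules that occur more than once, as the three identical PREROUTING entries above do. The sample listing is constructed from the reply; the POSTROUTING/OUTPUT chains are assumed empty.

```python
import re
from collections import Counter

# Constructed sample reproducing the nat table shown in the reply above.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 6 packets, 639 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.200:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.200:80
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.1.200:80

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_dnat_rules(listing):
    """Return one dict per DNAT rule found in any chain of an `iptables -t nat -vnL` listing."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)  # remember which chain the following rules belong to
            continue
        fields = line.split()
        if len(fields) < 9 or fields[0] == "pkts":  # blank line or column header
            continue
        pkts, _bytes, target, proto, _opt, iface_in, _iface_out, src, dst = fields[:9]
        if target != "DNAT":
            continue
        extras = fields[9:]  # match/target details, e.g. "tcp dpt:80 to:192.168.1.200:80"
        dport = next((e.split(":", 1)[1] for e in extras if e.startswith("dpt:")), None)
        to = next((e[len("to:"):] for e in extras if e.startswith("to:")), None)
        rules.append({"chain": chain, "pkts": int(pkts), "proto": proto, "in": iface_in,
                      "src": src, "dst": dst, "dport": dport, "to": to})
    return rules


def duplicate_rules(rules):
    """Map each rule signature (ignoring counters) to its count, for rules listed more than once."""
    key = lambda r: (r["chain"], r["proto"], r["in"], r["src"], r["dst"], r["dport"], r["to"])
    return {k: n for k, n in Counter(key(r) for r in rules).items() if n > 1}


if __name__ == "__main__":
    found = parse_dnat_rules(SAMPLE)
    for r in found:
        print(f"{r['chain']}: {r['proto']} dpt {r['dport']} in {r['in']} -> {r['to']} ({r['pkts']} pkts)")
    for sig, n in duplicate_rules(found).items():
        print(f"duplicate rule listed {n} times: {sig}")
```

Only the first copy of a duplicated rule ever matches, so the zero counters on the other two copies are expected; the extra copies usually mean the same rule was added on every boot or script run.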
From: parampat@xxxxxxxxxxx
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Xen network problem *ONLY* on port 80
Date: Sat, 7 Mar 2009 20:08:24 +0000
Hello,
I have a weird problem. Not sure if it's Xen related or something else. There's only 1 network card on the physical host and on the VMs. At this point, I only have 1 Domu. Here's basically what I have:
Dom0 IP: 10.1.1.2
DomU IP: 10.1.1.110
Gateway: 10.1.1.1 (Netscreen NS 5GT)
From Dom0 and DomU, I can ping all 3 IP addresses above.
On Dom0, I issue the command:
Dom0: tcpdump -i eth0 portrange 80-81
While tcpdump is running, I issue the following commands:
DomU: nc -l -p 80
Dom0: nc 10.1.1.110 80
Result: Successfully connected.
TCPDUMP result:
11:59:01.206489 IP 10.1.1.2.57487 > 10.1.1.110.www: S 2261694820:2261694820(0) win 5840 <mss 1460,sackOK,timestamp 297804 0,nop,wscale 7>
11:59:01.206553 IP 10.1.1.110.www > 10.1.1.2.57487: S 2229686772:2229686772(0) ack 2261694821 win 5792 <mss 1460,sackOK,timestamp 110547 297804,nop,wscale 7>
11:59:01.206578 IP 10.1.1.2.57487 > 10.1.1.110.www: . ack 1 win 46 <nop,nop,timestamp 297804 110547>
Now I tried to do the reverse.
Dom0: nc -l -p 80
DomU: nc 10.1.1.2 80
Result: (UNKNOWN) [10.1.1.2] 80 (www) : No route to host
TCPDUMP result:
11:59:58.202900 IP 10.1.1.110.51707 > 192.168.1.200.www: S 3119767855:3119767855(0) win 5840 <mss 1460,sackOK,timestamp 124795 0,nop,wscale 7>
Just to make sure, I tried on a different port (81):
DomU: nc -l -p 81
Dom0: nc 10.1.1.110 81
Result: Successfully connected.
TCPDUMP result:
12:00:48.270605 IP 10.1.1.2.40178 > 10.1.1.110.81: S 3957625437:3957625437(0) win 5840 <mss 1460,sackOK,timestamp 324569 0,nop,wscale 7>
12:00:48.270692 IP 10.1.1.110.81 > 10.1.1.2.40178: S 3911571959:3911571959(0) ack 3957625438 win 5792 <mss 1460,sackOK,timestamp 137311 324569,nop,wscale 7>
12:00:48.270721 IP 10.1.1.2.40178 > 10.1.1.110.81: . ack 1 win 46 <nop,nop,timestamp 324569 137311>
And the reverse:
Dom0: nc -l -p 81
DomU: nc 10.1.1.2 81
Result: Successfully connected.
TCPDUMP result:
12:02:24.527044 IP 10.1.1.110.53560 > 10.1.1.2.81: S 1133939315:1133939315(0) win 5840 <mss 1460,sackOK,timestamp 161374 0,nop,wscale 7>
12:02:24.527078 IP 10.1.1.2.81 > 10.1.1.110.53560: S 1165284839:1165284839(0) ack 1133939316 win 5792 <mss 1460,sackOK,timestamp 348631 161374,nop,wscale 7>
12:02:24.527117 IP 10.1.1.110.53560 > 10.1.1.2.81: . ack 1 win 46 <nop,nop,timestamp 161374 348631>
The question is .... why is the connection to port 80 being forwarded to IP 192.168.2.200? How can I change this so that it goes to 10.1.1.2? I tried many other ports (79, 8080, 22, etc.) and they are all working as expected. Only port 80 is having this issue.
Help pleaseeeeeeeeee ... or any hints would be highly appreciated.
Thank you very much.