Re: [Xen-users] 3.0.2 NAT headaches
John Wells said:
> So, hoping someone might tell me what iptables rules I need to enter to
> allow traffic from my domUs (10.0.0.1, 10.0.0.2, etc) to access the public
> internet. I've done it before for home routing, but Xen has me a little
> turned around.

I ran a tcpdump on eth0 on dom0 while pinging an external host from a domU.
I noticed:

14:54:18.376525 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 1
14:54:19.375706 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 2
14:54:20.375782 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 3
14:54:21.375805 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 4
14:54:22.375799 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 5

Which looked like the internal IP wasn't being MASQ'd appropriately. I then
set up the following rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The dump changed to:

14:55:02.481531 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1
14:55:03.486494 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 2
14:55:04.486541 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 3
14:55:05.496515 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 4
14:55:06.496574 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 5

But the domU is still not receiving any traffic back.

If I dump on the vif, I get:

port:/etc/xen# tcpdump -i vif8.0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vif8.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:33.519040 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 152
14:57:34.518987 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 153
14:57:35.519023 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 154
14:57:36.519027 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 155
14:57:37.519054 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 156

I keep seeing this in the syslog:

--
Aug 8 14:55:38 port kernel: Performing cross-bridge DNAT requires IP forwarding to be enabled
--

Am I still missing something? Does NAT'ing this way only work for
communication between domUs?

Thanks guys.

John

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
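The troubleshooting sequence in the post (unmasqueraded source on eth0, then a MASQUERADE rule, then the kernel complaining that forwarding is off) boils down to three checks. This is an added example, not from the post or from Xen; the interface name eth0 and the domU subnet 10.0.0.0/24 are assumptions taken from the thread's addresses, and the sample tcpdump lines are the post's own, embedded here so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: dom0 NAT checklist for domUs that
# sit on 10.0.0.0/24 behind eth0. Interface and subnet are assumptions; override
# them with EXT_IF / DOMU_NET.
EXT_IF="${EXT_IF:-eth0}"
DOMU_NET="${DOMU_NET:-10.0.0.0/24}"

# Succeeds only if the kernel forwards IPv4. Takes the sysctl file as an
# optional argument so the check can be run against a saved copy.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the rules that let the domU subnet reach the Internet: masquerade on
# the way out, and let replies back in through FORWARD. A MASQUERADE rule on
# its own does nothing if forwarding is off or the FORWARD chain drops.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $DOMU_NET -o $EXT_IF -j MASQUERADE
iptables -A FORWARD -s $DOMU_NET -o $EXT_IF -j ACCEPT
iptables -A FORWARD -d $DOMU_NET -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read tcpdump output captured on the external interface from stdin and print
# the lines whose source is still an RFC 1918 address: those packets left the
# host without being masqueraded, as in the first capture in the post.
unmasqueraded() {
    grep -E ' IP (10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)[0-9.]+ > '
}

# Constructed sample: one line from before the MASQUERADE rule, one from after.
SAMPLE='14:54:18.376525 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 1
14:55:02.481531 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1'

# Stand-alone run: report, and apply the fix only when asked (needs root).
if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
printf '%s\n' "$SAMPLE" | unmasqueraded | sed 's/^/unmasqueraded: /'
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules | sh
fi
```

Run it without arguments to get the diagnosis; `sh script.sh apply` as root enables forwarding and loads the three rules.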