Re: [Xen-users] xen breaks iptables

[Markus Schiltknecht <markus@xxxxxxxxxx>]

Hi,

in the Shorewall Xen FAQ at [1] I'm reading the following:

"I know of no case where a user has successfully used NAT (including 
Masquerade) in a bridged Xen Dom0. So if you want to create a 
masquerading firewall/gateway using Xen, you need to do so in a DomU 
(see how I did it) or you must configure Xen to use routing  or NAT 
rather than the default bridging."
Why shuffling around the Dom0 interfaces (eth0 -> peth0) at all? Can I 
configure Xen to not do that and just provide me a tap device I can 
route / bridge however I want, like qemu does?
Regards

Markus

[1]: http://www.shorewall.net/Xen.html

Markus Schiltknecht wrote:
> Hi,
>
> I'm struggling with my iptables configuration since I've installed Xen. 
> Before, I had the host/dom0 doing port forwarding with:
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d $PUBLIC_IP \
>     --dport 80 -j DNAT --to 192.168.0.190
>
> That worked like a charm. After installing and starting Xen, I found out 
> eth0 became peth0 and being bridged in xenbr0. That's all fine and 
> documented. So I thought I could just alter the incomming interface from 
> eth0 to xenbr0 in the above port forwarding rule:
> iptables -t nat -A PREROUTING -p tcp -i xenbr0 -d $PUBLIC_IP \
>     --dport 80 -j DNAT --to 192.168.0.190
>
> But that doesn't work anymore. The rule's packet counter counts up when 
> sending a packet to port 80, but it does not make it into the FORWARD 
> table of iptables.
> Does xenbr0 block this packet somehow? I've been reading about ebtables, 
> but only got some C source examples.
> Help greatly appreciated.
>
> Regards
>
> Markus
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users