[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Xen-users] NET Network / Server running on internal Network not reachable
- To: "Massimo Mongardini" <massimo.mongardini@xxxxxxxxx>
- From: "Christopher Isip" <cmisip@xxxxxxxxx>
- Date: Tue, 8 Jul 2008 22:34:01 -0400
- Cc: "\"Robert M. Münch\"" <robert.muench@xxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
- Delivery-date: Tue, 08 Jul 2008 19:34:45 -0700
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=vTWZB9oN+FaM5nZ6Vdo7NYD3zdUj/B6md/yaw5mXXjfICLr2MZNwagwFXWOjrb5+BM MXILrQxhnlDqnhgSuNVPlEY1oH20d+mGtl3egMoxCapFF8uWVdpGkwwxvMaExn8KGn8+ vZyuzFb57iccUBxep4AXyVEM5lVXnRVoerbrQ=
- List-id: Xen user discussion <xen-users.lists.xensource.com>
On Tue, Jul 8, 2008 at 5:44 PM, Massimo Mongardini < massimo.mongardini@xxxxxxxxx> wrote:
Robert,
I banged my head on this as well once, but having changed direction on the network design I am not 100% sure of the solution/workaround.
If I am not wrong you could try and assign an IP address to the xenbr0 interface and handle DNAT from the bridge or use a lower level filtering like ebtables or iptables physdev module.
I'll have a dig on my notes and let you know if I find something more accurate.
cheers
Massimo
Robert M. Münch wrote:
Hi all, since several days I try to get NAT networking to work, which is driving my nuts... I don't know what to do anymore. Maybe some expert have a good tip for me. I have ready almost anything about this topic and tested most stuff, but still no luck.
I want to run a web-server on a DomU. Hence I used the normal NAT setup from xen.
Current setup & situation
1. DomO can access the internet
2. Dom0 can access the DomU
3. DomU (10.0.0.1) can access the internet
4. DomU can access Dom0
What's not working is that I can't reach the web-server running on DomU.
IFCONFIG Output
eth0 Link encap:Ethernet HWaddr 00:11:6b:94:d8:ea
inet addr:87.118.120.16 Bcast:87.118.120.255 Mask:255.255.255.0
inet6 addr: fe80::211:6bff:fe94:d8ea/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:60115200 errors:0 dropped:0 overruns:0 frame:0
TX packets:188967 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1572915748 (1.4 GB) TX bytes:21158242 (20.1 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:14 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:700 (700.0 B) TX bytes:700 (700.0 B)
peth0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:69824162 errors:7 dropped:41 overruns:2 frame:0
TX packets:190910 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:611060332 (582.7 MB) TX bytes:21628510 (20.6 MB)
Interrupt:21 Base address:0xc00
vif0.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:188967 errors:0 dropped:0 overruns:0 frame:0
TX packets:60115201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:21158242 (20.1 MB) TX bytes:1572915818 (1.4 GB)
vif2.0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:684 errors:0 dropped:0 overruns:0 frame:0
TX packets:694 errors:0 dropped:3 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:43145 (42.1 KB) TX bytes:131433 (128.3 KB)
xenbr0 Link encap:Ethernet HWaddr fe:ff:ff:ff:ff:ff
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:7385822 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:460560761 (439.2 MB) TX bytes:0 (0.0 B)
BRCTL Output
bridge name bridge id STP enabled interfaces
xenbr0 8000.feffffffffff no vif0.0
peth0
IPTABLES -L -t nat Output
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere eisxen tcp dpt:www to:10.0.0.1:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Here I want to forward all traffic coming in for the external IP address (eisxen) to 10.0.0.1:10
IPTABLES -L Output
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.1 tcp dpt:www
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif2.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Here the idea is that everything going to 10.0.0.1:80 is accepted.
ROUTE -n Output
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 vif2.0
87.118.120.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 87.118.120.1 0.0.0.0 UG 100 0 0 eth0
I can see HTTP request packets coming to my server.
tcpdump -i peth0 host 87.118.120.16 and port 80
tcpdump: WARNING: peth0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on peth0, link-type EN10MB (Ethernet), capture size 68 bytes
21:02:08.669661 IP i59F4B4BF.versanet.de.37269 > eisxen.www: S 3736050736:3736050736(0) win 64000 <mss 1402,nop,wscale 0,nop,nop,timestamp[|tcp]>
But than nothing happens. Everything hangs. Nothing is forwarded/routed to 10.0.0.1:80
I hope anyone can tell me what the problem is or what I should try to get it to work.
Thanks a lot.
--
Massimo Mongardini
~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
echo 'Jg!J!hjwf!zpv!bo!bqqmf!boe!zpv!hjwf!nf!bo!bqqmf-!uifo!xf!xjmm!ibwf!bo!bqqmf!fbdi/!Cvu!jg!J!hjwf!zpv!bo!jefb!boe!zpv!hjwf!nf!bo!jefb-!xf!xjmm!ibwf!uxp!jefbt!fbdi!' | perl -pe 's/(.)/chr(ord($1)-1)/ge'
~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
http://massimo.mongardini.it
http://www.getthefacts.it
http://www.mongardini.it/pizza-howto
~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html The easiest way to do IP masquerade is with shorewall. Try the two interface configuration with one interface the external and the other the internal/bridged interface.
Chris
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
|