[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Issues with Xen and iptables



On Fri, Jan 29, 2010 at 10:05 PM, Rainer Sokoll <r.sokoll@xxxxxxxxxxxx> wrote:
> Rainer Sokoll schrieb:
>> On Fri, Jan 29, 2010 at 09:09:23PM +0700, Fajar A. Nugraha wrote:
>>
>>> You might want to try changing the NAT conditions from using "-o eth2"
>>> to simply using --source and --destination first, with MASQUARADE for
>>> simplicity and easy-debugging. A colleague had some problems a while
>>> back, turned out he uses the wrong interface for "-o".
>>
>> If I follow your instructions, I see the natted (yeah!) packets on
>> vif0.1 - but nothing on eth2 (where the default route sits) - for both
>> SNAT and MASQUERADE.
>
> It is getting more strange:
>
> brctl show
> bridge name     bridge id               STP enabled     interfaces
> xenbr0          8000.000000000000       no
> xenbr1          8000.00ff746a4f25       no              vif0.1
>                                                        peth1
>                                                        vif1.0
>                                                        tap0

That is weird. Usually xenbr0 is connected to vif0.0 and peth0. Did
you change the default network-bridge script?

>
> As said, if I tcpdump on vif0.1, I see natted packets. But if I tcpdump
> on xenbr0, I see the same packets, but not natted.

That usually means packets come in (or originating from) xenbr0, and
routed to eth1 (thus mirrored to vif0.0, and go out the wire from
peth1)

> I worry that I am missing something fundamental :-(

What packets are you using to test, ping from the dom0? from domU?
from other hosts on the network? To where?

At this point I'd have to say a complete description of your network
might be necessary. netstat -nr, iptables -nL, iptables -nL -t nat,
and so on. Without that it's hard to diagnose further.

In any case, this is not really xen-specific issue (although the
bridge setup might make it a little bit more confusing). You might
find it easier to use domU as router/firewall.

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.