This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-devel] NAT through Dom0 on unstable branch

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] NAT through Dom0 on unstable branch
From: Toens Bueker <toens.bueker@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Jun 2005 21:15:13 +0200
Eitan Isaacson <ee.jay.eye@xxxxxxxxx> wrote:

> These are the steps that I take (note, these steps worked fine in
> "testing" and "stable" branches):
> I first set up a bridge with a private IP:
> brctl addbr mybr0
> ip addr add dev mybr0
> ip link set mybr0 up
> These are my network scripts in the xend config file:
> (network-script     network-route)
> (vif-script         vif-bridge)
> (vif-bridge         mybr0)
> I start a DomU with an IP of, and I am able to ping Dom0
> (
> I enable IP forwarding, and I set up NAT:
> sysctl -w net.ipv4.ip_forward=1  # (if not already done by xend)
> iptables -t nat -A POSTROUTING -j MASQUERADE \
>   -o eth0 -s

An alternative solution would be:

iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT \
         --to-source <your.public.ip.address>

For incoming connections you could do some port forwarding:

iptables -t nat -A PREROUTING -i eth0 -d <your.public.ip.address> \
         -p tcp --dport 80 -j DNAT --to-destination <ip.address.of.domU>

There is no safe distance.
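
An added example, not part of either poster's message: a dry-run generator for the SNAT and port-forward rules discussed in this thread. It validates its inputs and, instead of the flush-then-append sequence in the reply, guards each rule with iptables -C so existing NAT rules stay in place. The function names and the interface, addresses and port in the sample call are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses in the sample call are
# constructed placeholders (RFC 5737 / RFC 1918 ranges).

bad() { echo "nat_rules: invalid $1" >&2; return 2; }

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    rest=$1.; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# is_cidr NET: succeed for ADDR/PREFIX with a valid address and prefix 0..32.
is_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    is_ipv4 "${1%%/*}" && [ "$prefix" -le 32 ]
}

# nat_rules EXT_IF PUBLIC_IP DOMU_NET DOMU_IP PORT
# Prints the commands only; review them, then pipe to sh as root to apply.
nat_rules() {
    ext_if=$1; pub=$2; net=$3; domu=$4; port=$5
    case $ext_if in ''|*[!A-Za-z0-9_.-]*) bad "interface" || return 2 ;; esac
    is_ipv4 "$pub" || bad "public IP" || return 2
    is_cidr "$net" || bad "DomU network" || return 2
    is_ipv4 "$domu" || bad "DomU IP" || return 2
    case $port in ''|*[!0-9]*|??????*) bad "port" || return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || bad "port" || return 2
    snat="POSTROUTING -o $ext_if -s $net -j SNAT --to-source $pub"
    dnat="PREROUTING -i $ext_if -d $pub -p tcp --dport $port"
    dnat="$dnat -j DNAT --to-destination $domu"
    for rule in "$snat" "$dnat"; do
        # -C checks for an identical rule, so a re-run adds no duplicate and
        # the chains are never flushed (other NAT rules stay in place).
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule"
    done
}

# Dry run with constructed values: prints two guarded iptables commands.
nat_rules eth0 192.0.2.10 10.0.0.0/24 10.0.0.2 80
```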