xen-users
Re: [Xen-users] xen breaks iptables
Hi,
in the Shorewall Xen FAQ at [1] I'm reading the following:
"I know of no case where a user has successfully used NAT (including
Masquerade) in a bridged Xen Dom0. So if you want to create a
masquerading firewall/gateway using Xen, you need to do so in a DomU
(see how I did it) or you must configure Xen to use routing or NAT
rather than the default bridging."
Why shuffle around the Dom0 interfaces (eth0 -> peth0) at all? Can I
configure Xen to not do that and just provide me a tap device I can
route / bridge however I want, like qemu does?
Regards
Markus
[1]: http://www.shorewall.net/Xen.html
Markus Schiltknecht wrote:
 
Hi,
I'm struggling with my iptables configuration since I've installed Xen. 
Before, I had the host/dom0 doing port forwarding with: 
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $PUBLIC_IP \
    --dport 80 -j DNAT --to 192.168.0.190
That worked like a charm. After installing and starting Xen, I found out
eth0 became peth0 and was bridged into xenbr0. That's all fine and
documented. So I thought I could just alter the incoming interface from
eth0 to xenbr0 in the above port forwarding rule:
iptables -t nat -A PREROUTING -p tcp -i xenbr0 -d $PUBLIC_IP \
    --dport 80 -j DNAT --to 192.168.0.190
But that doesn't work anymore. The rule's packet counter counts up when 
sending a packet to port 80, but it does not make it into the FORWARD 
table of iptables.
Does xenbr0 block this packet somehow? I've been reading about ebtables, 
but only got some C source examples. 
Help greatly appreciated.
Regards
Markus
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
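The diagnostic Markus describes in the quoted message (the DNAT rule's packet counter rising while nothing reaches FORWARD) can be checked systematically by diffing two counter snapshots. The following is an added example and not part of the thread: it parses the output of `iptables -t nat -vnxL PREROUTING; iptables -vnxL FORWARD` taken before and after a test request and reports which rules saw new packets. Both snapshots are constructed for the example (203.0.113.10 stands in for $PUBLIC_IP).

```python
"""Diff two snapshots of `iptables -vnxL` output and report which rule counters grew."""
import re

# Matches "Chain PREROUTING (policy ACCEPT 100 packets, 6000 bytes)"
CHAIN_HEADER = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")

def parse_counters(text):
    """Map (chain, rule_number) -> (packets, rule_text); the chain policy is keyed (chain, 'policy')."""
    counters, chain, rule = {}, None, 0
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            chain, rule = m.group(1), 0
            counters[(chain, "policy")] = (int(m.group(3)), "policy " + m.group(2))
            continue
        fields = line.split()
        # Rule lines start with the packet counter; the column header and blank lines do not.
        if chain is None or not fields or not fields[0].isdigit():
            continue
        rule += 1
        counters[(chain, rule)] = (int(fields[0]), " ".join(fields[2:]))
    return counters

def counter_deltas(before, after):
    """Return [(chain, rule_number, new_packets, rule_text)] for every counter that grew."""
    old = parse_counters(before)
    deltas = []
    for key, (pkts, rule_text) in parse_counters(after).items():
        grew = pkts - old.get(key, (0, rule_text))[0]
        if grew > 0:
            deltas.append((key[0], key[1], grew, rule_text))
    return deltas

# Constructed snapshots: nat PREROUTING then filter FORWARD, before and after one HTTP request.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 100 packets, 6000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  xenbr0 *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.0.190
Chain FORWARD (policy ACCEPT 40 packets, 2400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.190        tcp dpt:80
"""
AFTER = BEFORE.replace("       0        0 DNAT", "       3      180 DNAT")

if __name__ == "__main__":
    for chain, rule, grew, text in counter_deltas(BEFORE, AFTER):
        print(f"{chain} rule {rule}: +{grew} packets  [{text}]")
    # No FORWARD line in the output means the DNATed packets never reached the filter table.
```

Run it on the real Dom0 by capturing the two listings into files and passing their contents to `counter_deltas`; a delta on the DNAT rule with no delta anywhere in FORWARD (rules or policy) reproduces the symptom in the thread.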