WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

[Xen-users] network-nat problem

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] network-nat problem
From: "Robin Ericsson" <lobbin@xxxxxxxxx>
Date: Tue, 5 Jun 2007 12:34:46 +0200
Delivery-date: Tue, 05 Jun 2007 03:33:02 -0700
Hi,

I'm trying to get a few domUs using network-nat, but something in my
configuration is blocking internet access from the domUs.

xend-config.sxp:
(network-script network-nat)
(vif-script vif-nat)

xm profile:
kernel = "/boot/vmlinuz-xen"
ramdisk = "/boot/initrd-xen"
extra = "text"
name = "web"
memory = "128"
disk = [ 'tap:aio:/var/lib/xen/web.img,xvda,w', ]
vif = [ 'ip=10.0.0.3, vifname=vif_web' ]

My interface comes up ok and I can ping this ip from dom0.
vif_web   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
         inet addr:10.0.0.130  Bcast:0.0.0.0  Mask:255.255.255.255
         inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:259 errors:0 dropped:0 overruns:0 frame:0
         TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:32
         RX bytes:17088 (16.6 KiB)  TX bytes:23370 (22.8 KiB)

However, when I try to install CentOS on the domU I can't get out on
the internet. tcpdumping on vif_web tells me this:
12:17:15.759461 IP 10.0.0.3.1024 > dns1-fast.swip.net.domain:  4382+ A? mirror.nsc.liu.se. (35)
12:17:15.759516 IP 10.0.0.130 > 10.0.0.3: ICMP host dns1-fast.swip.net unreachable - admin prohibited, length 71
12:17:15.759977 IP 10.0.0.3.1024 > dns1-fast.swip.net.domain:  4382+ A? mirror.nsc.liu.se. (35)
12:17:15.760026 IP 10.0.0.130 > 10.0.0.3: ICMP host dns1-fast.swip.net unreachable - admin prohibited, length 71

Which means this is somehow blocked by my iptables. This is the rule:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

I've tried to add a MASQ rule
"-t nat -A POSTROUTING -o eth0 -j MASQUERADE"
but it doesn't seem to help either. Any hints where I can
test this further?

--
       regards,
       Robin
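
Added example (not part of the original post): a small Python check that parses `iptables-save` output and lists every path from a built-in filter chain to a `REJECT --reject-with icmp-host-prohibited` rule, the rule type behind the "admin prohibited" ICMP seen in the tcpdump. The ruleset is constructed for illustration and assumes a stock Red Hat style layout in which FORWARD also jumps to RH-Firewall-1-INPUT; the function names are hypothetical.

```python
import re

# Constructed iptables-save dump (an assumption, not taken from the post).
SAMPLE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse(dump):
    """Return {table: {chain: [rule_text, ...]}} from iptables-save output."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):            # "*filter" opens a table
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):          # ":FORWARD ACCEPT [0:0]" declares a chain
            table[line[1:].split()[0]] = []
        elif line.startswith("-A "):        # "-A CHAIN <match> -j TARGET"
            chain, _, rest = line[3:].partition(" ")
            table.setdefault(chain, []).append(rest)
    return tables

def reject_paths(tables, builtin, reject_with="icmp-host-prohibited"):
    """List chain paths from a built-in filter chain to a matching REJECT rule."""
    filt, found = tables.get("filter", {}), []
    def walk(chain, path):
        for rule in filt.get(chain, []):
            m = re.search(r"-j (\S+)", rule)
            target = m.group(1) if m else None
            if target == "REJECT" and reject_with in rule:
                found.append(path + [rule])
            elif target in filt and target not in path:   # follow user chains once
                walk(target, path + [target])
    walk(builtin, [builtin])
    return found

if __name__ == "__main__":
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        print(chain, reject_paths(parse(SAMPLE), chain))
```

Forwarded domU packets traverse the filter FORWARD chain before nat POSTROUTING, so on a real host pass the output of `iptables-save` to `parse()` and look at the FORWARD result first.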
