WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Networking Help - Routed Configuration with NAT - How to

To: Jason <jason@xxxxxxxxx>
Subject: Re: [Xen-users] Networking Help - Routed Configuration with NAT - How to get Dom0 to NAT its own connections
From: Pierre-Alain RIVIERE <pariviere@xxxxxxxx>
Date: Mon, 22 Oct 2007 15:17:41 +0200
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 22 Oct 2007 06:18:25 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <23438842.331192799141595.JavaMail.root@xxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Organization: Ippon Technologies
References: <23438842.331192799141595.JavaMail.root@xxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (X11/20071008)
Hi,

Sending mail from dom0 to domU involves source IP is dom0 one. Your configuration seems to use source IP and the NAT rules only specifies 10.0.66.66, which is your domU IP. This rules can't be succeed when sending mail from domU to dom0. If your redirect rules is built the same way, it also does not work.

By the way, why use dom0 as router and make it available via public IP? I think it should be preferable to make directly your domU available via its public IP. In this cas no need to NAT or whatever and your domU do not handle incoming IP connections.

Jason wrote:
Hi,

After loads of trial and error, I have managed to get a pretty workable network 
configuration set up:

The server is allocated public ips in xxx.xxx.xxx.192/29. Dom0 is bound to 
xxx.xxx.xxx.194-198

Xend is configured to use the default network-route and vif-route scripts.

DomU is to be mail server responding on IP xxx.xxx.xxx.198

DomU network configuration is vif = [ 'ip=10.0.66.66' ]

Set up NAT:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT -s 10.0.66.66 --to 
xxx.xxx.xxx.198
iptables -t nat -A PREROUTING -i eth0 --dport 25 -j DNAT -d xxx.xxx.xxx.198 
--to 10.0.66.66

At this stage everything works great, Except for one thing:

When Dom0 tries to send mail to the DomU - i.e. connecting to 
xxx.xxx.xxx.198:25 from Dom0, it tries to connect to itself - not DomU!

So in essence it is not NATing its own connections. I figured it is because it 
is configured to listen to xxx.xxx.xxx.198 (thus skipping iptables?) - so I 
unbound it from xxx.xxx.xxx.198 and then it seemed to work fine - for a while - 
until I think the router flushes its ARP cache. So then I started to read up on 
ARP and proxy arp etc... but still am not making much headway.

I would be grateful to anybody able to shed any light / hints on this!


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

<Prev in Thread] Current Thread [Next in Thread>