 Re: [Xen-users] NET Network / Server running on internal Network not reachable
 
To: "Massimo Mongardini" <massimo.mongardini@xxxxxxxxx>
From: "Christopher Isip" <cmisip@xxxxxxxxx>
Date: Tue, 8 Jul 2008 22:34:01 -0400
Cc: "Robert M. Münch" <robert.muench@xxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 08 Jul 2008 19:34:45 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>
 
 
 On Tue, Jul 8, 2008 at 5:44 PM, Massimo Mongardini <massimo.mongardini@xxxxxxxxx > wrote: 
 Robert,
 I banged my head on this as well once, but having changed direction on the network design I am not 100% sure of the solution/workaround.
 If I am not wrong you could try and assign an IP address to the xenbr0 interface and handle DNAT from the bridge or use a lower level filtering like ebtables or iptables physdev module.
 I'll have a dig on my notes and let you know if I find something more accurate.
 cheers
 Massimo
 Massimo Mongardini
Robert M. Münch wrote:
 
 Hi all, for several days I have been trying to get NAT networking to work, which is driving me nuts... I don't know what to do anymore. Maybe some expert has a good tip for me. I have read almost everything about this topic and tested most stuff, but still no luck.
 I want to run a web-server on a DomU. Hence I used the normal NAT setup from xen.
 
 Current setup & situation
 
 1. Dom0 can access the internet
 2. Dom0 can access the DomU
 3. DomU (10.0.0.1) can access the internet
 4. DomU can access Dom0
 
 What's not working is that I can't reach the web-server running on DomU.
 
 IFCONFIG Output
 
 eth0      Link encap:Ethernet  HWaddr 00:11:6b:94:d8:ea
 inet addr:87.118.120.16  Bcast:87.118.120.255  Mask:255.255.255.0
 inet6 addr: fe80::211:6bff:fe94:d8ea/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:60115200 errors:0 dropped:0 overruns:0 frame:0
 TX packets:188967 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:1572915748 (1.4 GB)  TX bytes:21158242 (20.1 MB)
 
 lo        Link encap:Local Loopback
 inet addr:127.0.0.1  Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING  MTU:16436  Metric:1
 RX packets:14 errors:0 dropped:0 overruns:0 frame:0
 TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:700 (700.0 B)  TX bytes:700 (700.0 B)
 
 peth0     Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
 inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
 UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
 RX packets:69824162 errors:7 dropped:41 overruns:2 frame:0
 TX packets:190910 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:611060332 (582.7 MB)  TX bytes:21628510 (20.6 MB)
 Interrupt:21 Base address:0xc00
 
 vif0.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
 inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
 UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
 RX packets:188967 errors:0 dropped:0 overruns:0 frame:0
 TX packets:60115201 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:21158242 (20.1 MB)  TX bytes:1572915818 (1.4 GB)
 
 vif2.0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
 inet addr:10.0.0.128  Bcast:0.0.0.0  Mask:255.255.255.255
 inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:684 errors:0 dropped:0 overruns:0 frame:0
 TX packets:694 errors:0 dropped:3 overruns:0 carrier:0
 collisions:0 txqueuelen:32
 RX bytes:43145 (42.1 KB)  TX bytes:131433 (128.3 KB)
 
 xenbr0    Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
 UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
 RX packets:7385822 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:460560761 (439.2 MB)  TX bytes:0 (0.0 B)
 
 
 BRCTL Output
 
 bridge name     bridge id               STP enabled     interfaces
 xenbr0          8000.feffffffffff       no              vif0.0
                                                         peth0
 
 
 IPTABLES -L -t nat Output
 
 Chain PREROUTING (policy ACCEPT)
 target     prot opt source               destination
 DNAT       tcp  --  anywhere             eisxen              tcp dpt:www to:10.0.0.1:80
 
 Chain POSTROUTING (policy ACCEPT)
 target     prot opt source               destination
 MASQUERADE  all  --  anywhere             anywhere
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 
 Here I want to forward all traffic coming in for the external IP address (eisxen) to 10.0.0.1:10
 
 
 IPTABLES -L Output
 
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 
 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination
 ACCEPT     tcp  --  anywhere             10.0.0.1            tcp dpt:www
 ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif2.0
 ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0 udp spt:bootpc dpt:bootps
 
 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 
 Here the idea is that everything going to 10.0.0.1:80 is accepted.
 
 
 ROUTE -n Output
 
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 vif2.0
 87.118.120.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
 0.0.0.0         87.118.120.1    0.0.0.0         UG    100    0        0 eth0
 
 
 I can see HTTP request packets coming to my server.
 
 tcpdump -i peth0 host 87.118.120.16 and port 80
 
 tcpdump: WARNING: peth0: no IPv4 address assigned
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on peth0, link-type EN10MB (Ethernet), capture size 68 bytes
 21:02:08.669661 IP i59F4B4BF.versanet.de.37269 > eisxen.www: S 3736050736:3736050736(0) win 64000 <mss 1402,nop,wscale 0,nop,nop,timestamp[|tcp]>
 
 
 But then nothing happens. Everything hangs. Nothing is forwarded/routed to 10.0.0.1:80
 
 I hope anyone can tell me what the problem is or what I should try to get it to work.
 
 Thanks a lot.
 
 
 
-- ~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
 echo 'Jg!J!hjwf!zpv!bo!bqqmf!boe!zpv!hjwf!nf!bo!bqqmf-!uifo!xf!xjmm!ibwf!bo!bqqmf!fbdi/!Cvu!jg!J!hjwf!zpv!bo!jefb!boe!zpv!hjwf!nf!bo!jefb-!xf!xjmm!ibwf!uxp!jefbt!fbdi!' | perl -pe 's/(.)/chr(ord($1)-1)/ge'
 ~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
 http://massimo.mongardini.it
 http://www.getthefacts.it
 http://www.mongardini.it/pizza-howto
 ~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~-.-~
 Please avoid sending me Word or PowerPoint attachments.
 See http://www.gnu.org/philosophy/no-word-attachments.html

 The easiest way to do IP masquerade is with shorewall. Try the two interface configuration with one interface the external and the other the internal/bridged interface.
 
 Chris
 
 
 _______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users 
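
Added example, not part of any message in this thread: a paper trace in Python of the tables Robert posted (nat PREROUTING, `route -n`, filter FORWARD and the brctl port list), showing what they say should happen to a port-80 request and to the DomU's reply. It assumes eisxen is 87.118.120.16, uses a constructed client address, and does not model conntrack or the MASQUERADE rule.

```python
import ipaddress

# Tables transcribed from the post; eisxen is assumed to be 87.118.120.16,
# and the genmasks from `route -n` are written as prefix lengths.
ROUTES = [("10.0.0.1/32", "0.0.0.0", "vif2.0"),
          ("87.118.120.0/24", "0.0.0.0", "eth0"),
          ("0.0.0.0/0", "87.118.120.1", "eth0")]
DNAT = [({"proto": "tcp", "dst": "87.118.120.16", "dport": 80}, ("10.0.0.1", 80))]
FORWARD = [{"proto": "tcp", "dst": "10.0.0.1", "dport": 80},
           {"src": "10.0.0.1", "physdev_in": "vif2.0"},
           {"proto": "udp", "physdev_in": "vif2.0", "sport": 68, "dport": 67}]
BRIDGE_PORTS = {"vif0.0", "peth0"}  # brctl output: vif2.0 is not enslaved

def matches(rule, pkt):
    """True if every field the rule names equals the packet's field."""
    for key, want in rule.items():
        if key == "physdev_in":
            # physdev only matches packets that arrived through a bridge port
            if pkt["in"] not in BRIDGE_PORTS or pkt["in"] != want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns (gateway, interface)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw, dev) for net, gw, dev in ROUTES
            if addr in ipaddress.ip_network(net)]
    _, gateway, dev = max(hits, key=lambda h: h[0].prefixlen)
    return gateway, dev

def trace(pkt):
    """Walk nat PREROUTING -> routing decision -> filter FORWARD."""
    pkt = dict(pkt)
    for rule, target in DNAT:
        if matches(rule, pkt):
            pkt["dst"], pkt["dport"] = target  # destination rewritten before routing
            break
    gateway, out_dev = route_lookup(pkt["dst"])
    hit = next((i for i, r in enumerate(FORWARD) if matches(r, pkt)), None)
    return {"dst": pkt["dst"], "dport": pkt["dport"], "out": out_dev,
            "gateway": gateway, "forward_rule": hit}  # None = chain policy (ACCEPT)

# Constructed packets: 198.51.100.7 is a documentation address, not from the post.
INBOUND = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000,
           "dst": "87.118.120.16", "dport": 80, "in": "eth0"}
REPLY = {"proto": "tcp", "src": "10.0.0.1", "sport": 80,
         "dst": "198.51.100.7", "dport": 40000, "in": "vif2.0"}
```

On these tables `trace(INBOUND)` is rewritten to 10.0.0.1:80, routed out vif2.0 and accepted by the first FORWARD rule. `trace(REPLY)` matches no FORWARD rule, because vif2.0 is not a bridge port and the physdev match cannot apply, so it passes only because the chain policy is ACCEPT.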