Re: [Xen-users] Xen 3.4.2 networking help

To:	lists@xxxxxxxxx, xen-users@xxxxxxxxxxxxxxxxxxx
Subject:	Re: [Xen-users] Xen 3.4.2 networking help
From:	Alexander Zherdev <azherdev@xxxxxxxxx>
Date:	Wed, 27 Oct 2010 23:22:54 -0700 (PDT)
Cc:
Delivery-date:	Wed, 27 Oct 2010 23:24:20 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1288246975; bh=2hWsvV/xpY8xWY6gT7zMUGtVnbzoKHsO2LCXjlkT6KA=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=nVa44bEUSnHM6RXEJsoe2u13NXyNa6EkU/j0GU613mOPV47fK0eGxd5k3KuqAOCpVv6CAeBTOoAT3czfjzqDGZY77WACUNVk217sHjZ5Q1hgYt1n1cJF0wi205wDKCScZhSbYyaeaTnXFbxhJi24CJ27hV6zLf3/CanTbhwghwg=
Domainkey-signature:	a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=DeDOXR2llQ9Cx9OL4X/6+lD2aE6KcJlHVyZ4M1eZooqLHFJ45eYvJqPsH3oox3sAUF+fLE1KIbGhxHP+DXFTxCIcV4f2ksQRx8JGLd3RhiHzQWbwmxJu8FI/pHRDx7CvVU4rphjqHl34TJXlocBnwbkoSgGYx95LquBqjGTWhFw=;
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<1288172445.4298.133.camel@E4310>
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References:	<865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1288112346.2867.147.camel@E4310> <748447.30378.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1288172445.4298.133.camel@E4310>
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Thomas,

Thank you for your explanation. Here is where I am right now.

I have the standard network bridge scripts fired off with xen:
    network-bridge
    vif-bridge

The DomU is DHCP and gets an ip of 192.168.122.150/24 with 192.168.122.1 as GW+DNS from the dnsmasq service running on Dom0.

Dom0 has the following network (CentOS xen):
    - 1.2.3.64/27 network
    - 1.2.3.65 gateway
    - 1.2.3.67 on eth0 which is what I use for Dom0 communication (ssh)
    - 1.2.3.70 is the 2nd IP tied to eth0:1 of Dom0 that I want to use as direct mapping to one of my DomU

DomU has the following network (Windows 2003 HVM):
    - 192.168.122.0/24
    - 192.168.122.1 gateway
    - 192.168.122.150 IP

When I boot DomU I can:
    - Ping from Dom0 to DomU 192.168.122.150
    - Ping from DomU to Dom0 192.168.122.1 as well as www.google.com, 1.2.3.67, etc.
    - Surf the web on DomU

So the setup that you have suggested appears to work using the default xen scripts.

I then ran the iptables commands that you suggested for the 1:1 NAT as follows:

iptables -t nat -A PREROUTING -d 1.2.3.70 -j DNAT --to-destination 192.168.122.150
iptables -t nat -A POSTROUTING -s 192.168.122.150 -j SNAT --to-source 1.2.3.70

But I can not access the system from outside. I did a tcpdump and I see the 1.2.3.70 being requested for the RDP port and it replies back as no port found. No forwarding of any sort.

Could this be because my Dom0 and DomU have different subnets? My Dom0 is on /27 and my DomU reside on /24. I feel like I'm a command line away from accomplishing this.

At the risk of being redundant, here is what I see with iptables and ip r s with the above setup:

ifconfig:

eth0 - 1.2.3.67/27
eth0:1 - 1.2.3.70/27
peth0 - noip
tap1.0 - noip
vif1.0 - noip
virbr0 - 192.168.122.1/24

iptables:
------------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp -- anywhere             anywhere            udp dpt:domain
ACCEPT     tcp -- anywhere             anywhere            tcp dpt:domain
ACCEPT     udp -- anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp -- anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all -- anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all -- 192.168.122.0/24     anywhere
ACCEPT     all -- anywhere             anywhere
REJECT     all -- anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all -- anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip r s
----------------------

96.44.171.64/27 dev eth0 proto kernel scope link src 96.44.171.67
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via 96.44.171.65 dev eth0

Alexander Zherdev
azherdev@xxxxxxxxx

From: Thomas Halinka <lists@xxxxxxxxx>
To: Alexander Zherdev <azherdev@xxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Wed, October 27, 2010 2:40:45 AM
Subject: Re: [Xen-users] Xen 3.4.2 networking help

Hi Again,

just a short step-by-step guide.

Am Dienstag, den 26.10.2010, 23:54 -0700 schrieb Alexander Zherdev:
> Pardon my long email below, I hope it will shed some light.
>
> I've googled and tried various things but nothing seem to work. I have
> upgraded to 3.4.3 of Xen and the kernel had an update too.

so u had a lot of fun ;-)

> My brain is fried right now. The only thing that seems to work is
> bridged mode. In bridged mode, my DomU gets the DHCP from dnsmasq and
> it can then surf the web. But I can't get to it from outside. In route
> or nat mode, the DomU can't even get out. Below is a test in NAT mode
> of xend.

Dont use NAT - its just MASQUERADING! Communication from internet would
be only possible through portforwarding....

> Below I have a pretty verbose output of iptables, ip r, and ifconfig
> right after I boot the physical server, then after I start the DomU,
> and then after I apply the SNAT and DNAT settings (only ip r changes
> then).
>
> I appreciate any help that you have.
>
> -----------------------------
>
> Kernel: 2.6.18-194.17.4.el5xen
> Xen: 3.4.3
> Source: www.gitco.de
>
> /etc/xen/xend-config.sxp
> (network-nat)
> (vif-nat)

Please do the following.

- Disable default Firewall (only to get ur setup running)
# service iptables off

- Write down a ugly script, something like:

#!/bin/bash
# i used /27 since your public-net was /27 too
# 192.168.128.65 is dom0-IP
brctl addbr xen-privatelan
ip a a 192.168.128.65/27 dev xen-privatelan
ifconfig xen-privatelan up
echo 1 > /proc/sys/net/ipv4/ip_forward

- and save it e.g. to
/etc/xen/scripts/network-mynet

- make it executable
chmod +x /etc/xen/scripts/network-mynet

- change any kind of xen-networking-script to e.g.
...
(network-script network-mynet)
(vif-script vif-bridge)
.....

######## reboot ur dom0 #####################

After reboot setup your windows-box to use the bridge "xen-privatelan"

- change domU.cfg

...
vif = [ 'type=ioemu, bridge=xen-privatelan, mac=00:16:3e:00:01:02' ]
.....

- start ur domU
- setup nw-settings in domU (192.168.128.70/27 gw: 192.168.128.65)
^^^^ dom0-IP

- at this point u should be able to ping dom0 from ur domU!
access to internet and from internet to domU should NOT work
Otherwise triplecheck "brctl show", ip r s, and friends...

- Setup "1:1-NAT"

iptables -t nat -A PREROUTING -d XXX.XXX.XXX.70 -j DNAT
--to-destination 192.168.128.70

iptables -t nat -A POSTROUTING -s 192.168.128.70 -j SNAT --to-source
XXX.XXX.XXX.70

--> domU has internal IP 192.168.128.70 and is reachable via externalIP
XXX.XXX.XXX.70

--> domU should be able to ping the "internet"
--> domU should be available from "internet" trough XXX.XXX.XXX.70

Am i right? :-)

cu,

thomas

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

WARNING - OLD ARCHIVES

xen-users

Re: [Xen-users] Xen 3.4.2 networking help