WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

xen-users

[Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Xen 4 + Debian Squeeze + one VM in route mode and another in nat mode
From: Thierry B <xen-users@xxxxxxxxxx>
Date: Wed, 03 Aug 2011 19:55:58 +0200
Delivery-date: Wed, 03 Aug 2011 10:57:11 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Reply-to: thierry@xxxxxxxxxx
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20110624 Thunderbird/5.0

Hello,

I've installed Xen 4 on a Debian Squeeze server, with one VM which runs
in a route mode configuration with a failover IP.

I wanted to create another VM which runs in NAT mode, so I did this:

- I left my xend-config.sxp with:

(network-script 'network-route netdev=eth0')
(vif-script     vif-route)

because my first VM is the most important....

For the second one, I put this in its cfg file:

vif = [ 'ip=192.168.1.2,mac=00:16:3E:xxxx:xx, script=vif-nat, vifname=vif-debianTest' ]

I modified vif-nat a little:

routing_ip()
{
  # Original: the gateway is the VM address with 127 added to the last octet
  #echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
  # Modified: always use .254 of the VM's /24 as the gateway
  echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."254}')
}

to always have a static IP as the gateway for VM2 (to be configured afterwards in
its interfaces file).

I can ping VM2 from dom0, ping dom0 from VM2, and have Internet access from VM2,
but it is impossible to set up a port mapping between dom0 and domU....

I'd like, for example, to redirect port 2222 of my dom0 to port 22 of
VM2:

I put these iptables rules in place for VM2:

#!/bin/bash

# Reset the tables
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X

# Block all traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Loopback and ICMP towards dom0
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -p icmp -j ACCEPT

# Forward traffic that arrives from the VM's vif
iptables -A FORWARD -i vif-debianTest -j ACCEPT

# Redirect eth0:2222 to VM2:22
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to 192.168.1.2:22

#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif-debianTest -j ACCEPT
#iptables -A FORWARD -p udp -m physdev --physdev-in vif-debianTest -m udp --sport 68 --dport 67 -j ACCEPT
#iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m physdev --physdev-out vif-debianTest -j ACCEPT

# Source-NAT VM2's outbound traffic to dom0's public address
iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source my_public_ip

The rules with # were uncommented for testing, but it changes nothing...

# tcpdump -i eth0 tcp port 2222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:54:02.662761 IP lev92-4-88-164-133-124.fbx.proxad.net.21384 >
sd-xxxx.dedibox.fr.2222: Flags [S], seq 2030026446, win 65535, options
[mss 1460,nop,nop,sackOK], length 0
19:54:05.681658 IP lev92-4-88-164-133-124.fbx.proxad.net.21384 >
sd-xxxx.dedibox.fr.2222: Flags [S], seq 2030026446, win 65535, options
[mss 1460,nop,nop,sackOK], length 0
...

It seems that nothing is forwarded from eth0 to vif-debianTest.

But :

# cat /proc/sys/net/ipv4/ip_forward
1

# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1

# cat /proc/sys/net/ipv4/conf/all/forwarding
1

# ifconfig vif-debianTest

vif-debianTest Link encap:Ethernet  HWaddr fe:ff:ff:ff:ff:ff
          inet addr:192.168.1.254  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:196 (196.0 B)  TX bytes:160 (160.0 B)

I tested with a laptop at home and it seems to work if I use network-nat
and vif-nat directly in xend-config.sxp, but I don't understand why it
doesn't work with this configuration :-(

Thanks.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
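Reading the ruleset posted above, the likely reason the SYNs seen on eth0 are never answered is the FORWARD chain, not the sysctls: DNAT happens in nat/PREROUTING, the rewritten packet is routed to 192.168.1.2 via vif-debianTest, and it is then evaluated in filter/FORWARD as "-i eth0 -o vif-debianTest". The only FORWARD accept in the script matches "-i vif-debianTest" (the opposite direction), so policy DROP discards the inbound SYN, which is exactly the picture of repeated SYNs with no SYN/ACK in the tcpdump. The commented physdev rules could not help either, because the physdev match applies only to bridged traffic and there is no bridge in route/NAT mode. The following is an added example, not code from the post or from Xen's own vif-nat/network-nat scripts: a dom0 ruleset for the same setup that accepts the DNATed flow. Interface and address names (eth0, vif-debianTest, 192.168.1.2, port 2222) are taken from the post; PUBLIC_IP and the dom0 SSH accept on port 22 are assumptions.

```shell
#!/bin/bash
# Added example, not code from the post or from Xen's scripts.
# Builds a dom0 ruleset that forwards eth0:2222 to VM2 (192.168.1.2):22 and,
# unlike the post's script, accepts the DNATed packet in FORWARD.
#
# Path of the inbound SYN:
#   nat/PREROUTING   : dst PUBLIC_IP:2222 -> 192.168.1.2:22 (DNAT)
#   routing decision : 192.168.1.2 is reached via vif-debianTest
#   filter/FORWARD   : seen as "-i eth0 -o vif-debianTest"; without an ACCEPT
#                      here, policy DROP discards it.
#
# Names from the post: eth0, vif-debianTest, 192.168.1.2, port 2222.
# PUBLIC_IP is an assumed placeholder (documentation address); replace it.
set -u

IPT="${IPT:-iptables}"                  # set IPT="echo iptables" for a dry run
WAN_IF="${WAN_IF:-eth0}"
VIF="${VIF:-vif-debianTest}"
VM_IP="${VM_IP:-192.168.1.2}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # assumption: dom0's real public address
EXT_PORT="${EXT_PORT:-2222}"
VM_PORT="${VM_PORT:-22}"

apply_rules() {
    # Reset filter and nat tables, as in the post's script.
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t nat -F
    $IPT -t nat -X

    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # dom0 itself: loopback, ICMP, and replies to dom0's own connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Assumption: dom0 is managed over SSH on port 22. Without an INPUT
    # accept for the management port, INPUT DROP locks you out of the host.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 1. Port mapping: rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$VM_IP:$VM_PORT"

    # 2. The DNATed SYN now traverses FORWARD as eth0 -> vif. FORWARD sees the
    #    post-DNAT header, so match on the VM's address and port, not on 2222.
    $IPT -A FORWARD -i "$WAN_IF" -o "$VIF" -p tcp -d "$VM_IP" --dport "$VM_PORT" \
        -m state --state NEW -j ACCEPT

    # 3. Replies and every already-tracked flow, in both directions.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 4. VM-originated traffic (VM2's Internet access), as in the post, but
    #    restricted to the VM's own source address.
    $IPT -A FORWARD -i "$VIF" -o "$WAN_IF" -s "$VM_IP" -j ACCEPT

    # 5. Source-NAT VM2 behind the public address for outbound flows only.
    $IPT -t nat -A POSTROUTING -s "$VM_IP" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) IPT="echo iptables"; apply_rules ;;
esac
```

Run it with `--dry-run` to print the commands and with `--apply` (as root) to install them. To confirm the diagnosis on a live host, connect from an outside client and watch the counters with `iptables -L FORWARD -n -v` and `iptables -t nat -L PREROUTING -n -v`, or run `tcpdump -ni vif-debianTest port 22`: with the post's rules the PREROUTING counter increments while nothing appears on the vif; with the eth0-to-vif accept in place the SYN shows up on the vif. Do not test from dom0 itself against its own public address: locally generated packets never traverse PREROUTING (they are NATed in nat/OUTPUT), so that test is misleading.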