Hi,

I am using NAT in XEN 3.0.1 and it works. I have one dom0 and one domU, but I think it will work for more domUs, too.

I have an iptables script that runs on every bootup:
========== SNIP ==========
#!/bin/bash
ipt=/sbin/iptables
extip=72.232.68.66

# Flush the nat table and the filter table, then set the default policies
$ipt -F -t nat
$ipt -F
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT

# Enable IP forwarding in dom0
echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 22 -j DNAT --to 10.0.0.3
# FTP
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 21 -j DNAT --to 10.0.0.3
# FTP-Passive Ports
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 10001:10020 -j DNAT --to 10.0.0.3

# Masquerade outbound traffic from the domU network
$ipt -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
========== SNAP ==========
That's it.

If you want to change the destination port (i.e. --to 10.0.0.3:22), I think it will work, too.

Important are the lines
-> echo "1" ...
and
-> ... MASQUERADE

So any network traffic to outside is possible and inbound traffic for the specified ports.

This script has a further function: the lines beginning with "$ipt -F" will first delete all existing rules and then overwrite with the new ones. So you can upgrade your script with a further rule (or delete a rule) and run it without any connection loss.
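As an added diagnostic that is not part of the original thread, the script below checks the three things the reply says inbound DNAT to a domU depends on: IP forwarding enabled in dom0, a MASQUERADE rule in POSTROUTING, and a DNAT rule for the forwarded port. It reads `iptables-save -t nat` output (not `iptables -L`) so it can be run against constructed text; the `--live` invocation and the sample rules are assumptions of this example.

```bash
#!/bin/bash
# Added diagnostic, not from the original thread. Checks the prerequisites named in
# the reply: ip_forward=1, a MASQUERADE rule in POSTROUTING, and a DNAT rule for the
# port you forward. Rule text is in iptables-save format (constructed sample below).

check_ip_forward() {           # $1 = contents of /proc/sys/net/ipv4/ip_forward
    [ "$1" = "1" ]
}

has_masquerade() {             # $1 = output of `iptables-save -t nat`
    printf '%s\n' "$1" | grep -q -- '^-A POSTROUTING .*-j MASQUERADE'
}

has_dnat_for_port() {          # $1 = nat rules, $2 = external port (single port only)
    printf '%s\n' "$1" | grep -q -- "^-A PREROUTING .*--dport $2 .*-j DNAT"
}

# Prints the number of missing prerequisites on stdout, explanations on stderr.
nat_missing_count() {          # $1 = ip_forward value, $2 = nat rules, $3 = external port
    local missing=0
    if ! check_ip_forward "$1"; then
        echo "ip_forward is off: run  echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
        missing=$((missing + 1))
    fi
    if ! has_masquerade "$2"; then
        echo "no MASQUERADE in POSTROUTING: outbound traffic from the domUs is not translated" >&2
        missing=$((missing + 1))
    fi
    if ! has_dnat_for_port "$2" "$3"; then
        echo "no DNAT rule for external port $3 in PREROUTING" >&2
        missing=$((missing + 1))
    fi
    echo "$missing"
}

# Constructed sample mirroring the original poster's state: DNAT present, no MASQUERADE.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 72.232.68.66/32 -p tcp -m tcp --dport 9641 -j DNAT --to-destination 10.0.0.1:22
COMMIT'

if [ "${1:-}" = "--live" ]; then   # assumed invocation: ./natcheck.sh --live 9641 (as root)
    nat_missing_count "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)" "${2:-22}"
else
    echo "sample: $(nat_missing_count 0 "$SAMPLE_RULES" 9641) prerequisite(s) missing"
fi
```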
----- Original Message -----
Sent: Saturday, April 22, 2006 3:22 AM
Subject: [Xen-users] can't get NAT to a VM on domU working
Hi all

I set up a Debian sarge box with XEN 3.0 and LVM at my ISP. dom0 has a range of public IPs. As long as I used bridged networking to the VMs, everything worked fine, I could access all VMs by their IP. Then I switched in /etc/xen/xend-config.sxp to a private virtual domU network with NAT:

(network-script network-nat)
(vif-script vif-nat)

and gave the VMs IPs in the 10.0.0.x range, and I set on dom0 the following NAT rule for SSH access to a VM in domU

Now I can't access the VM from outside anymore, an SSH client to 72.232.68.66:9641 keeps hanging. However I can ping the VMs in domU from dom0 and vice versa and also ping a VM from another VM. I have not set up any additional iptables rules.

The filter rules generated by the XEN scripts produced the following (iptables -L):
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.1             anywhere             PHYSDEV match --physdev-in vif5.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif6.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.2             anywhere             PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere             PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And the NAT rules I get:
target     prot opt source               destination
DNAT       tcp  --  anywhere             66.68.232.72.reverse.layeredtech.com  tcp dpt:9641 to:10.0.0.1:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Has anybody a clue what is missing to get the NAT working? I had the impression that a private NATted network with XEN 3.0 is supposed to work out of the box when using the XEN-provided scripts, so there must be something I am doing stupidly wrong!

regards -- Roberto Saccon
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users