WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] can't get NAT to a VM on domU working

The XEN-Script I am using. But only to switch to nat.
I only overwrote the firewall rules. It works without them. But security isn't the important thing in my configuration, because no services will run in my dom0.
 
Greets,
Hardy
----- Original Message -----
Sent: Saturday, April 22, 2006 8:51 PM
Subject: Re: [Xen-users] can't get NAT to a VM on domU working

Thanks Hardy, I will give your script a try. However I have one question: Did you not use the xen network scripts (/etc/xen/xend-config.sxp) at all or did you just overwrite their firewall rules?

regards
Roberto


On 4/22/06, Hardy Wolf < hardy@xxxxxxxxxxxxxxxx> wrote:
Hi,
 
I am using nat in XEN 3.0.1 and it works.
I have one dom0 and one domU, but I think it will work for more domUs, too.
 
I have an iptables script that runs on every bootup:
 
 
========== SNIP ==========
#!/bin/bash
ipt=/sbin/iptables
# external IP address of dom0; the DNAT rules below match on it, so the
# script refuses to run if it has not been set
extip=${extip:?set extip to the external IP address of dom0}

# flush the existing rules (nat and filter tables) and open all default policies
$ipt -F -t nat
$ipt -F
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT

# let dom0 route packets between its interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# SSH
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 22 -j DNAT --to 10.0.0.3
# FTP
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 21 -j DNAT --to 10.0.0.3
# FTP-Passive Ports
$ipt -t nat -A PREROUTING -d $extip -p tcp --dport 10001:10020 -j DNAT --to 10.0.0.3

# masquerade everything leaving the domU network
$ipt -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
========== SNAP ==========
 
That's it.
 
If you want to change the destination port (i.e. --to 10.0.0.3:22), I think it will work, too.
 
Important are the lines
 -> echo "1" ...
and
 -> ... MASQUERADE
 
So any network traffic to outside is possible and inbound traffic for the specified ports.
 
This script has a further function: The lines beginning with "$ipt -F" will first delete all existing rules and then overwrite with the new ones. So you can upgrade your script with a further rule (or delete a rule) and run it without any connection loss.



--
Roberto Saccon
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
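The script in the thread sets every default policy to ACCEPT, so dom0 forwards anything between its interfaces once ip_forward is on. The following is an added example, not Hardy's script and not part of the thread: the same NAT setup (DNAT of ports 22, 21 and 10001:10020 to the domU, MASQUERADE for the internal network) with the FORWARD and INPUT policies set to DROP and only the forwarded ports plus established return traffic allowed. The interface names eth0 and xenbr0, the external address 203.0.113.10 and the domU address 10.0.0.3 are assumed values chosen for the example. The script prints the rules as iptables command lines by default so they can be reviewed, and only applies them when run with the argument "apply".

```shell
#!/bin/sh
# Hardened NAT rule set for a Xen dom0 forwarding ports to one domU.
# Added example; interface names and addresses are constructed assumptions.
EXT_IF="${EXT_IF:-eth0}"            # assumed external (upstream) interface of dom0
INT_IF="${INT_IF:-xenbr0}"          # assumed interface facing the domU network
EXT_IP="${EXT_IP:-203.0.113.10}"    # assumed external address of dom0 (documentation range)
DOMU_IP="${DOMU_IP:-10.0.0.3}"      # domU that receives the forwarded ports
INT_NET="${INT_NET:-10.0.0.0/24}"   # internal network the domUs live on
IPT="${IPT:-/sbin/iptables}"        # iptables binary used when applying

# Print the complete rule set, one command per line, for the given parameters.
# Arguments: external-ip domu-ip internal-net external-if internal-if
emit_rules() {
  ext_ip="$1"; domu_ip="$2"; int_net="$3"; ext_if="$4"; int_if="$5"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F -t nat
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int_if -s $int_net -j ACCEPT
iptables -A INPUT -i $ext_if -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
EOF
  # Each forwarded port needs a DNAT rule (nat/PREROUTING) and a matching
  # FORWARD accept for the new connection; the FORWARD rule sees the already
  # translated destination address.
  for port in 22 21 10001:10020; do
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p tcp --dport $port -j DNAT --to-destination $domu_ip"
    echo "iptables -A FORWARD -i $ext_if -o $int_if -d $domu_ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Masquerade only traffic that actually leaves through the external interface.
  echo "iptables -t nat -A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE"
}

# Execute the emitted rules with the configured iptables binary (requires root).
apply_rules() {
  emit_rules "$EXT_IP" "$DOMU_IP" "$INT_NET" "$EXT_IF" "$INT_IF" \
    | sed "s#^iptables#$IPT#" | sh -e
}

case "${1:-print}" in
  apply) apply_rules ;;
  *) emit_rules "$EXT_IP" "$DOMU_IP" "$INT_NET" "$EXT_IF" "$INT_IF" ;;
esac
```

Two things to keep in mind when adapting this: DNAT in PREROUTING happens before the local-delivery decision, so forwarding port 22 to the domU means dom0's own sshd is no longer reachable on port 22 from outside (reach dom0 from the internal network, or forward a different external port with the --to-destination host:port form the thread mentions). And because the script flushes and rebuilds the tables in one pass, the established-connection rules keep existing sessions alive across a re-run, which is the property Hardy describes for his version as well.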