WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Re: [Xen-users] 3.0.2 NAT headaches

To: "John Wells" <groups@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] 3.0.2 NAT headaches
From: "John Wells" <groups@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 8 Aug 2006 16:16:18 -0400 (EDT)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 08 Aug 2006 12:58:56 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
Importance: Normal
In-reply-to: <64093.66.192.236.118.1155063292.squirrel@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <55395.66.192.236.118.1155055656.squirrel@xxxxxxxxxx><64093.66.192.236.118.1155063292.squirrel@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.3a-11.EL3.TL1
John Wells said:
> So, hoping someone might tell me what iptables rules I need to enter to
> allow traffic from my domUs (10.0.0.1, 10.0.0.2, etc) to access the
> public internet. I've done it before for home routing, but Xen has me a
> little turned around.

I ran a tcpdump on eth0 on dom0 while pinging an external host from a
domU. I noticed:

14:54:18.376525 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 1
14:54:19.375706 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 2
14:54:20.375782 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 3
14:54:21.375805 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 4
14:54:22.375799 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 5

This looked like the internal IP wasn't being MASQ'd appropriately. I
then set up the following rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The dump changed to:

14:55:02.481531 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 1
14:55:03.486494 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 2
14:55:04.486541 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 3
14:55:05.496515 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 4
14:55:06.496574 IP 72.232.35.26 > 72.36.190.2: icmp 64: echo request seq 5

But the domU is still not receiving any traffic back.

If I dump on the vif, I get:

port:/etc/xen# tcpdump -i vif8.0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vif8.0, link-type EN10MB (Ethernet), capture size 96 bytes
14:57:33.519040 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 152
14:57:34.518987 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 153
14:57:35.519023 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 154
14:57:36.519027 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 155
14:57:37.519054 IP 10.0.0.2 > 72.36.190.2: icmp 64: echo request seq 156

I keep seeing this in the syslog:
--
Aug  8 14:55:38 port kernel: Performing cross-bridge DNAT requires IP
forwarding to be enabled
--

Am I still missing something? Does NAT'ing this way only work for
communication between domUs?

Thanks guys.

John


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
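The step the syslog line in the mail above is pointing at, as an added example that is not part of the original thread or of Xen's own network scripts: a small dom0 shell script that renders a NAT rule set for the domU subnet, checks whether net.ipv4.ip_forward is on, and applies both only when asked. The public interface eth0 and the subnet 10.0.0.0/24 are assumed from the addresses in the dumps; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original mail or from Xen: what a dom0 needs so
# that domUs on a private subnet can reach the Internet and get replies back.
# Assumptions (constructed for this example): the public interface is eth0 and
# the domUs live in 10.0.0.0/24. With no argument the script only renders the
# rules and reports the forwarding state; "apply" executes them (root on dom0).

EXT_IF="${EXT_IF:-eth0}"
DOMU_NET="${DOMU_NET:-10.0.0.0/24}"

# True when the kernel will route between interfaces. The "cross-bridge DNAT
# requires IP forwarding to be enabled" syslog line is the kernel pointing at
# exactly this knob: MASQUERADE rewrites the source address on the way out,
# but with forwarding off the replies arriving on eth0 are never routed back
# to the vif, which matches the one-way dumps in the mail.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Render one iptables command per line. This is deliberately narrower than a
# bare "-o eth0 -j MASQUERADE": only the domU subnet is NAT'd, and the FORWARD
# chain lets new connections out but only conntrack-tracked replies back in,
# so nothing arriving on eth0 reaches a domU unless the domU spoke first.
render_rules() {
    ext_if="$1"
    net="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $ext_if -j MASQUERADE
iptables -A FORWARD -s $net -o $ext_if -j ACCEPT
iptables -A FORWARD -d $net -i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d $net -i $ext_if -j DROP
EOF
}

# Number of rules render_rules emits; handy as a sanity check against
# "iptables-save" after applying.
rule_count() {
    render_rules "$1" "$2" | wc -l | tr -d ' '
}

# Execute the rendered rules and turn on forwarding.
apply_rules() {
    render_rules "$1" "$2" | while IFS= read -r cmd; do
        # The rendered lines contain no quoting, so word splitting is intended.
        # shellcheck disable=SC2086
        $cmd
    done
    sysctl -w net.ipv4.ip_forward=1
}

main() {
    if [ "${1:-}" = "apply" ]; then
        apply_rules "$EXT_IF" "$DOMU_NET"
    else
        render_rules "$EXT_IF" "$DOMU_NET"
        if ip_forward_enabled; then
            echo "# net.ipv4.ip_forward is 1: replies can be routed to the domUs"
        else
            echo "# net.ipv4.ip_forward is 0: domUs will not see replies until it is enabled"
        fi
    fi
}

main "$@"
```

Run it without arguments first and compare the printed rules with what `iptables-save` already shows on the dom0; if the rule from the mail (`-o eth0 -j MASQUERADE` with no `-s`) is still present, remove it before applying, otherwise every address leaving eth0 keeps getting rewritten, not just the domU subnet.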