This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] Issues with Xen and iptables

On Fri, Jan 29, 2010 at 8:55 PM, Rainer Sokoll <rainer@xxxxxxxxxx> wrote:
> On Fri, Jan 29, 2010 at 08:34:39PM +0700, Fajar A. Nugraha wrote:
>
>> I don't quite understand what you're trying to achieve (why are you
>> using NAT over  vpn?),
>
> There is no NAT over vpn. Routing looks like:
> If the target is the company's network, route the packets into the
> tunnel, no NAT.
> If the target is the internet, route the packets to the ISP's gateway
> and do NAT.

so eth2 is the interface to your ISP? Have you set up routing correctly?

>> - openvpn works just fine on dom0 or domU. Same setup (choice of
>> tun/tap, bridge setup, etc.) that you'd do on a normal box.
>
> OpenVPN is not my problem, it works fine. My problem is that I cannot
> get SNAT working. And I am wondering whether Xen could be the root of my
> problem.

It shouldn't be. RHEL/CentOS 5 comes with Xen 3.1+ and libvirt, which
creates the virbr0 bridge, which does MASQUERADE for domUs on that bridge.
It works as expected. I haven't tried SNAT on it, but if MASQUERADE
works then SNAT should work as well.

You might want to try changing the NAT conditions from using "-o eth2"
to simply using --source and --destination first, with MASQUERADE for
simplicity and easy debugging. A colleague had some problems a while
back; it turned out he was using the wrong interface for "-o".

-- 
Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
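The debugging approach Fajar suggests above, written out as an added example (this is not code from the original thread or from Xen/libvirt). It emits a dom0 POSTROUTING policy for the setup Rainer describes: traffic from the domU network to the company network goes into the tunnel untouched, traffic to the Internet is NATed. The networks, the public address and the interface name eth2 are assumptions taken from the thread or made up for the example; the first rule matches on source/destination only with MASQUERADE, the second pins the rule to the confirmed ISP interface with SNAT. The `ip route get` check is the test for the mistake the colleague made: if the kernel routes Internet traffic out of a different device, a rule with `-o eth2` never matches and its packet counter stays at zero.

```shell
#!/bin/sh
# Added example: dom0 POSTROUTING NAT policy for "domU LAN -> VPN untouched,
# domU LAN -> Internet NATed". Values below are assumptions, not from the post.
LAN_NET="${LAN_NET:-192.168.100.0/24}"   # domU network behind the Xen bridge
CORP_NET="${CORP_NET:-10.20.0.0/16}"     # company network reached via OpenVPN
WAN_IF="${WAN_IF:-eth2}"                 # ISP-facing interface (verify below)
WAN_IP="${WAN_IP:-203.0.113.10}"         # public address for SNAT (TEST-NET-3)

# Step 1 (debugging): match on source and destination only, no "-o".
# "! -d CORP_NET" keeps tunnel-bound traffic out of NAT.
nat_rule_debug() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' "$1" "$2"
}

# Step 2 (final): once the outgoing interface is confirmed, pin the rule to it
# and use SNAT with a fixed address instead of per-packet MASQUERADE lookup.
nat_rule_snat() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -o %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3" "$4"
}

# Which interface does the kernel actually use for an Internet destination?
# If this is not $WAN_IF, a rule with "-o $WAN_IF" never matches.
wan_iface_for() {
    ip -o route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Packet counters per rule: a rule still at 0 pkts after test traffic did not match.
show_nat_counters() {
    iptables -t nat -L POSTROUTING -v -n --line-numbers
}

main() {
    echo "# Debug rule (MASQUERADE, interface-independent):"
    nat_rule_debug "$LAN_NET" "$CORP_NET"
    echo "# Final rule (SNAT pinned to the confirmed ISP interface):"
    nat_rule_snat "$LAN_NET" "$CORP_NET" "$WAN_IF" "$WAN_IP"

    # Only consult the routing table when the ip tool is available.
    if command -v ip >/dev/null 2>&1; then
        actual="$(wan_iface_for 8.8.8.8)"
        if [ -n "$actual" ] && [ "$actual" != "$WAN_IF" ]; then
            echo "# WARNING: Internet traffic leaves via $actual, not $WAN_IF" >&2
        fi
    fi

    # Rules are only applied when explicitly requested and running as root.
    # Forwarding must also be on: sysctl -w net.ipv4.ip_forward=1
    if [ "${APPLY:-0}" = "1" ]; then
        [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; exit 1; }
        eval "$(nat_rule_debug "$LAN_NET" "$CORP_NET")"
        show_nat_counters
    fi
}

main
```

Run without arguments to print the two candidate rules and the interface warning; run with `APPLY=1` as root to load the debug rule and dump the POSTROUTING counters, then generate some traffic from a domU and look at which rule's counter moves.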
