xen-devel
Re: [Xen-devel] NAT through Dom0 on unstable branch
On Monday, 20.06.2005, 11:40 -0700, Eitan Isaacson wrote:
> Hello,
> I might be the first to encounter this issue, so I think it is worth
> posting...
>
> I am trying to set up a configuration in which a DomU and Dom0 are on
> their own subnet, and DomU accesses the real network through Dom0's
> NAT.
>
> These are the steps that I take (note, these steps worked fine in
> "testing" and "stable" branches):
>
> I first set up a bridge with a private IP:
>
> brctl addbr mybr0
> ip addr add 192.168.0.1/24 dev mybr0
> ip link set mybr0 up
>
> These are my network scripts in the xend config file:
>
> (network-script network-route)
> (vif-script vif-bridge)
> (vif-bridge mybr0)
>
> I start a DomU with an IP of 192.168.0.101, and I am able to ping Dom0
> (192.186.0.1).
>
> I enable IP forwarding, and I set up NAT:
>
> sysctl -w net.ipv4.ip_forward=1 # (if not already done by xend)
> iptables -t nat -A POSTROUTING -j MASQUERADE \
> -o eth0 -s 192.168.0.1/24
>
> I am able to ping the outside world by IP, but name resolution, or any
> other TCP/IP traffic does not work.
> The very strange part is that tcpdump seems to show packets arriving
> at their destination on the outside world hosts, but besides the ACKs,
> the outside hosts do not respond.
> I am not a networking expert, so I am sorry if my diagnosis is not full.
I cannot see any error (which does not mean that there is none). Make
sure ("iptables -nL") that the filter chains have all "ACCEPT".
So TCP-SYN hits the target, it answers with TCP-SYN/ACK and the last
step in the TCP handshake (TCP-ACK domU-->target) is missing, right?
Sniff on vif1.0 (or better on domU's eth0) to see if the target's answer
(TCP-SYN/ACK) arrives at the domU and if the third packet (TCP-ACK)
leaves it. Check ("tcpdump -e") if the frames have the correct
destination MACs.
/nils.
> Here is a bit more info (on Dom0):
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.0.0/24 anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> # ifconfig
> eth0 Link encap:Ethernet HWaddr 00:0F:1F:8C:17:D6
> inet addr: 10.0.20.10 Bcast:10.0.255.255 Mask:255.255.0.0
> UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:30868 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1121 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:8172500 (7.7 Mb) TX bytes:158965 (155.2 Kb)
> Base address:0xdf40 Memory:fcfe0000-fd000000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:5 errors:0 dropped:0 overruns:0 frame:0
> TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:288 (288.0 b) TX bytes:288 (288.0 b)
>
> mybr0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> inet addr:192.168.0.1 Bcast:0.0.0.0 Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:12 errors:0 dropped:0 overruns:0 frame:0
> TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:834 (834.0 b) TX bytes:938 (938.0 b)
>
> vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:13 errors:0 dropped:0 overruns:0 frame:0
> TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1044 (1.0 Kb) TX bytes:812 (812.0 b)
>
> # brctl show
> bridge name bridge id STP enabled interfaces
> mybr0 8000.feffffffffff no vif1.0
--
there is no sig
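A small checker for the capture Nils suggests, added here as an example and not part of the thread: it reads "tcpdump -e -n" style lines taken on the DomU side and reports which flows stalled after the SYN, which stalled after the SYN/ACK (the missing third packet of the handshake), and whether the DomU's frames carry the bridge's MAC as destination. The sample capture, the DomU MAC aa:00:00:00:00:11 and the outside host 10.0.20.1 are constructed; the bridge MAC fe:ff:ff:ff:ff:ff and eth0's MAC are taken from the ifconfig output quoted above.

```python
import re

# One frame as printed by "tcpdump -e -n" (Ethernet header, no name lookups).
FRAME = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): Flags \[(?P<flags>[^\]]*)\]"
)

SYN, SYNACK, ESTABLISHED = 1, 2, 3

# Constructed sample capture (not from the original poster's setup):
# port 80 gets a SYN/ACK but no final ACK, port 22 completes, and the
# port 443 SYN is sent to eth0's MAC instead of the bridge's and gets no reply.
SAMPLE = """\
12:00:01.000001 aa:00:00:00:00:11 > fe:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 192.168.0.101.40000 > 10.0.20.1.80: Flags [S], seq 1, win 5840, length 0
12:00:01.000900 fe:ff:ff:ff:ff:ff > aa:00:00:00:00:11, ethertype IPv4 (0x0800), length 74: 10.0.20.1.80 > 192.168.0.101.40000: Flags [S.], seq 7, ack 2, win 5792, length 0
12:00:02.000001 aa:00:00:00:00:11 > fe:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 192.168.0.101.40001 > 10.0.20.1.22: Flags [S], seq 1, win 5840, length 0
12:00:02.000900 fe:ff:ff:ff:ff:ff > aa:00:00:00:00:11, ethertype IPv4 (0x0800), length 74: 10.0.20.1.22 > 192.168.0.101.40001: Flags [S.], seq 9, ack 2, win 5792, length 0
12:00:02.001000 aa:00:00:00:00:11 > fe:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 66: 192.168.0.101.40001 > 10.0.20.1.22: Flags [.], ack 10, win 5840, length 0
12:00:03.000001 aa:00:00:00:00:11 > 00:0f:1f:8c:17:d6, ethertype IPv4 (0x0800), length 74: 192.168.0.101.40002 > 10.0.20.1.443: Flags [S], seq 1, win 5840, length 0
"""


def check_handshakes(capture, domu_ip, gateway_mac):
    """Classify each TCP flow the DomU opens by how far its handshake got,
    and flag DomU frames whose destination MAC is not the gateway's."""
    stage = {}        # (client ip.port, server ip.port) -> SYN/SYNACK/ESTABLISHED
    wrong_mac = []
    for line in capture.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if src.startswith(domu_ip + "."):          # DomU -> outside
            key = (src, dst)
            if m["dmac"].lower() != gateway_mac.lower():
                wrong_mac.append(key)
            if flags == "S":
                stage[key] = SYN
            elif stage.get(key) == SYNACK:         # third packet of the handshake
                stage[key] = ESTABLISHED
        elif dst.startswith(domu_ip + "."):        # outside -> DomU
            key = (dst, src)
            if flags == "S." and stage.get(key) == SYN:
                stage[key] = SYNACK
    names = {SYN: "no_synack", SYNACK: "no_final_ack", ESTABLISHED: "complete"}
    report = {"no_synack": [], "no_final_ack": [], "complete": [], "wrong_dst_mac": wrong_mac}
    for key, s in stage.items():
        report[names[s]].append(key)
    return report
```

Feed it the output of "tcpdump -e -n -i eth0 tcp" from inside the DomU (or "-i vif1.0" in Dom0) and compare the three buckets against what Nils describes.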
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel