WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Port forwarding from non-xenbridged external interface to xen-interface
From: Marcel Kossin <mkossin@xxxxxxxxxxxxxx>
Date: Fri, 6 Oct 2006 18:41:07 +0200
Delivery-date: Fri, 06 Oct 2006 09:42:17 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.9.1

Hello everybody,


I have an odd problem with iptables using a Xen bridge setup. I don't know if 
it would be better to post to the netfilter mailing list. But I hope someone here 
knows how to solve it. If it's OT here, please let me know. I'll try to do a 
little bit of ASCII graphics to explain the topo better:

                    _________                      ________
192.168.200.100 -> |         |<- 192.168.100.1    |        |
-------------------| Xen Box |--------------------| Server |
                   |      ___| 192.168.100.100 -> |________|
                   |_____|   |
                         | D |
                         | o |
                         | m |<- 192.168.100.x
                         | U |
                         |___|

I want to do port forwarding on IP address 192.168.200.100 to 192.168.100.x 
(from Xen Box external to Server or DomU). But for some odd reason it's not 
working. I'm doing DNAT in the PREROUTING chain of wlan0. The routing is OK here. 
The Server at 192.168.100.100 responds and the packet hits peth0. 
Unfortunately the packet never passes the bridge to wlan0:

Oct  6 17:05:46 cassini kernel: [ 2696.527510] IN=wlan0 OUT=eth0 
SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=63 
ID=27165 DF PROTO=TCP SPT=59444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Oct  6 17:05:46 cassini kernel: [ 2696.527588] IN=xenbr0 OUT=xenbr0 
PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 
TOS=0x10 PREC=0x00 TTL=63 ID=27165 DF PROTO=TCP SPT=59444 DPT=80 WINDOW=5840 
RES=0x00 SYN URGP=0

Oct  6 17:05:46 cassini kernel: [ 2696.527829] IN=xenbr0 OUT=xenbr0 
PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200.10 LEN=60 
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=59444 WINDOW=5792 
RES=0x00 ACK SYN URGP=0


If I try the same without port forwarding, but with simple routing (ip_forward 
= 1), it works:

Oct  6 17:07:34 cassini kernel: [ 2804.711278] IN=wlan0 OUT=eth0 
SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=62 
ID=25088 DF PROTO=TCP SPT=54572 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Oct  6 17:07:34 cassini kernel: [ 2804.711355] IN=xenbr0 OUT=xenbr0 
PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 
TOS=0x10 PREC=0x00 TTL=62 ID=25088 DF PROTO=TCP SPT=54572 DPT=80 WINDOW=5840 
RES=0x00 SYN URGP=0

Oct  6 17:07:34 cassini kernel: [ 2804.711566] IN=xenbr0 OUT=xenbr0 
PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200.10 LEN=60 
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=54572 WINDOW=5792 
RES=0x00 ACK SYN URGP=0

Oct  6 17:07:34 cassini kernel: [ 2804.711606] IN=eth0 OUT=wlan0 PHYSIN=peth0 
PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200.10 LEN=60 TOS=0x00 
PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=54572 WINDOW=5792 RES=0x00 ACK 
SYN URGP=0

Tcpdump on the external network showed that even masquerading on the external 
interface (192.168.200.100) of the Xen Box isn't working. It seems to me as 
if packets won't hit the POSTROUTING chain on this interface. I added the 
box called "Server" to check if it works for physical machines, since I 
encountered the problem while trying to do port forwarding with DomUs. 
Simple routing on the other hand is working without problems.

This is what my interfaces look like (I hope it is OK to cut some of the more 
generic information):

eth0      Link encap:Ethernet  HWaddr 00:02:B3:8F:DF:F5
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1592 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:324148 (316.5 KiB)  TX bytes:154395 (150.7 KiB)

lo        Link encap:Local Loopback

peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

vif3.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

vif4.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

wlan0     Link encap:Ethernet  HWaddr 00:09:5B:BF:44:D2
          inet addr:192.168.200.100  Bcast:192.168.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11714 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3096 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:730920 (713.7 KiB)  TX bytes:659817 (644.3 KiB)
          Interrupt:12

xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:497 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9862 (9.6 KiB)  TX bytes:2752 (2.6 KiB)

The bridge is configured without any changes to the default layout:

bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.feffffffffff       no              vif0.0
                                                        peth0
                                                        vif1.0
                                                        vif2.0
                                                        vif3.0
                                                        vif4.0

I already read the Netfilter HOWTO and Netfilter NAT HOWTO. Also I read the 
XenNetworking FAQ found in the XenWiki. I don't understand why this setup is not 
working. Is there anybody who has a hint, link or iptables snippet for me, 
helping me to understand why this is not working out?

Thank you
Marcel

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
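The post's two kernel traces can be read mechanically rather than by eye. What follows is an added example, not code from Marcel's message or from the Xen project: a small Python script that parses netfilter LOG lines of the format quoted above, groups them into TCP flows, and reports for each flow whether the server's reply was ever forwarded back out of the interface the request arrived on. The sample input is the post's own log text re-joined onto one line per packet; the function names, field names and verdict strings are my own.

```python
"""Group netfilter LOG lines into TCP flows and check whether each reply was
forwarded back out of the interface the request arrived on."""
import re
from collections import defaultdict

# Constructed sample input: the two kernel traces quoted in the post, each
# packet re-joined onto a single line. The post itself contains no code.
FAILING_TRACE = [  # DNAT case: reply crosses the bridge but never leaves via wlan0
    "Oct  6 17:05:46 cassini kernel: [ 2696.527510] IN=wlan0 OUT=eth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=27165 DF PROTO=TCP SPT=59444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct  6 17:05:46 cassini kernel: [ 2696.527588] IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=27165 DF PROTO=TCP SPT=59444 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct  6 17:05:46 cassini kernel: [ 2696.527829] IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=59444 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
]
WORKING_TRACE = [  # plain routing case: the reply is logged leaving on wlan0
    "Oct  6 17:07:34 cassini kernel: [ 2804.711278] IN=wlan0 OUT=eth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=25088 DF PROTO=TCP SPT=54572 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct  6 17:07:34 cassini kernel: [ 2804.711355] IN=xenbr0 OUT=xenbr0 PHYSIN=vif0.0 PHYSOUT=peth0 SRC=192.168.200.10 DST=192.168.100.100 LEN=60 TOS=0x10 PREC=0x00 TTL=62 ID=25088 DF PROTO=TCP SPT=54572 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct  6 17:07:34 cassini kernel: [ 2804.711566] IN=xenbr0 OUT=xenbr0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=54572 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
    "Oct  6 17:07:34 cassini kernel: [ 2804.711606] IN=eth0 OUT=wlan0 PHYSIN=peth0 PHYSOUT=vif0.0 SRC=192.168.100.100 DST=192.168.200.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=54572 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
]

LOG_RE = re.compile(r"kernel: \[\s*([\d.]+)\]\s+(.*)$")


def parse_log_line(line):
    """Parse one LOG line into a dict of KEY=VALUE fields plus a 'flags' set
    holding the bare tokens (DF, SYN, ACK, ...)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = {"ts": float(m.group(1)), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        else:
            pkt["flags"].add(tok)
    return pkt


def flow_key(pkt):
    """Direction-independent key so request and reply land in the same flow."""
    return tuple(sorted(((pkt["SRC"], pkt["SPT"]), (pkt["DST"], pkt["DPT"]))))


def analyse(lines):
    """Return {"client:port -> server:port": verdict dict} for every TCP flow
    in which a bare SYN (connection attempt) was logged."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and pkt.get("PROTO") == "TCP":
            flows[flow_key(pkt)].append(pkt)

    report = {}
    for key, pkts in flows.items():
        syns = [p for p in pkts if "SYN" in p["flags"] and "ACK" not in p["flags"]]
        if not syns:
            continue  # no connection attempt seen; nothing to judge
        client = (syns[0]["SRC"], syns[0]["SPT"])
        server = key[1] if key[0] == client else key[0]
        # A bridged dom0 logs the same packet twice: once on the routed
        # interfaces and once while crossing the bridge (with PHYSIN/PHYSOUT).
        # The routed copy of the SYN tells us the real ingress interface.
        routed = [p for p in syns if "PHYSIN" not in p]
        ingress = routed[0]["IN"] if routed else None
        replies = [p for p in pkts if (p["DST"], p["DPT"]) == client]
        on_bridge = any("PHYSIN" in p for p in replies)
        returned = any(p.get("OUT") == ingress for p in replies)
        if returned:
            verdict = "ok"
        elif on_bridge:
            verdict = f"reply seen on bridge but never forwarded out {ingress}"
        else:
            verdict = "no reply seen"
        report[f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}"] = {
            "ingress_if": ingress,
            "reply_on_bridge": on_bridge,
            "reply_returned": returned,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        for flow, info in analyse(trace).items():
            print(f"{name}: {flow}: {info['verdict']}")
```

The one design point worth noting is the de-duplication: on a bridged dom0 the same packet shows up twice in the log, once with plain IN/OUT interfaces and once with PHYSIN/PHYSOUT set while it crosses xenbr0 (which is why pairs of lines in each trace share the same IP ID). Keying the ingress interface on the routed copy of the SYN, and counting a reply as returned only when its OUT matches that interface, keeps the bridge pass from being mistaken for a delivered reply; on the failing trace the script reports the reply as seen on the bridge but never forwarded out wlan0, and on the working trace it reports ok.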
