This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-devel] iptables nat redirect

To: xen-devel@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] iptables nat redirect
From: Jeff Clark <jeff@xxxxxxxxxxxxx>
Date: Mon, 13 Oct 2003 12:43:32 -0700
Delivery-date: Mon, 13 Oct 2003 20:44:16 +0100
Envelope-to: steven.hand@xxxxxxxxxxxx
In-reply-to: <E1A98LM-0002Wy-00@xxxxxxxxxxxxxxxxxxxx>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum=xen-devel>
List-help: <mailto:xen-devel-request@lists.sourceforge.net?subject=help>
List-id: List for Xen developers <xen-devel.lists.sourceforge.net>
List-post: <mailto:xen-devel@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/xen-devel>, <mailto:xen-devel-request@lists.sourceforge.net?subject=unsubscribe>
References: <E1A98LM-0002Wy-00@xxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-admin@xxxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20030924 Thunderbird/0.3
Keir Fraser wrote:

>> I'm trying to do a nat redirect (traffic redirected from a router, not originally for the machine). I can see the network traffic, but the iptable rules do not appear to do anything. Is this possible on a virtual domain, and if not what needs to be done?
>
> This should work okay from domain 0. Domain 0 is allowed to send any
> packet to the physical network. Also, packets that match no other rule
> are forwarded to domain 0.
>
> iptables -L -v and
> iptables -tnat -L -v
>
> may help --- they tell you how many packets have matched each iptables
> rule. You might therefore be able to work out whether packets are
> reaching domain 0 and, if so, where they are getting misdirected.
>
> -- Keir
I have verified that it does work on domain 0, but I'm actually trying to do the redirect on a different domain (non 0).

The router is using GRE to encapsulate traffic to the virtual machine. (verified working)
The GRE interface on the virtual machine decapsulates the packet. (verified working)
The iptable rule on the virtual machine matches the packet. (verified working)
The iptable rule on the virtual machine redirects the packet to a local port. (not working)

Any suggestions?
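The counter check Keir suggests, worked through as an added example that is not part of the thread: it parses the output of `iptables -t nat -L PREROUTING -v -n` (a constructed sample below, assumed to come from the domU's GRE setup) and reports which rule in the chain stops seeing packets.

```shell
#!/bin/sh
# Added example, not from the thread. Reads captured `iptables -t nat -L PREROUTING -v -n`
# output and reports per-rule packet counters so you can see where the decapsulated
# packets stop matching. Use `-x` on a real box to get exact counts instead of 12K/3M.

# Constructed sample: rule 1 and the dpt:80 REDIRECT were hit, the dpt:443 REDIRECT never was.
SAMPLE_NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 1024 packets, 81920 bytes)
 pkts bytes target     prot opt in     out     source               destination
  512 40960 ACCEPT     gre  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  512 40960 REDIRECT   tcp  --  gre1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
    0     0 REDIRECT   tcp  --  gre1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443'

# Print one line per rule: chain, rule number, packet count, target and whether it was ever hit.
# $1: captured iptables listing (one chain).
nat_counter_report() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { chain = $2; next }          # chain header: remember the name
        /^ *pkts / { next }                      # column header line
        NF >= 3    { n++
                     status = ($1 > 0) ? "matched" : "NEVER matched"
                     printf "%s rule %d: %s pkts -> %s (%s)\n", chain, n, $1, $3, status }'
}

# Print the number of the first rule whose packet counter is zero, or 0 if every rule was hit.
# A REDIRECT rule that shows matches while the local port still sees nothing means the nat
# decision happened; the next place to read counters the same way is the filter INPUT chain.
first_unmatched_rule() {
    printf '%s\n' "$1" | awk '
        /^Chain /  { next }
        /^ *pkts / { next }
        NF >= 3    { n++; if ($1 == 0 && !found) found = n }
        END        { print found + 0 }'
}

# Stand-alone run over the constructed sample.
nat_counter_report "$SAMPLE_NAT_PREROUTING"
echo "first rule never matched: $(first_unmatched_rule "$SAMPLE_NAT_PREROUTING")"
```

Capture the real listing with `iptables -t nat -L PREROUTING -v -n -x > nat.txt` and pass `"$(cat nat.txt)"` to the two functions.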
