WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] xen breaks iptables

To: Markus Schiltknecht <markus@xxxxxxxxxx>
Subject: Re: [Xen-users] xen breaks iptables
From: Markus Schiltknecht <markus@xxxxxxxxxx>
Date: Thu, 16 Nov 2006 14:22:48 +0100
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 16 Nov 2006 05:23:06 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <455C3E03.6070703@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <455C3E03.6070703@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Icedove 1.5.0.7 (X11/20061013)

Hi,

in the Shorewall Xen FAQ at [1] I'm reading the following:

"I know of no case where a user has successfully used NAT (including Masquerade) in a bridged Xen Dom0. So if you want to create a masquerading firewall/gateway using Xen, you need to do so in a DomU (see how I did it) or you must configure Xen to use routing or NAT rather than the default bridging."

Why shuffle around the Dom0 interfaces (eth0 -> peth0) at all? Can I configure Xen not to do that and just give me a tap device I can route / bridge however I want, like qemu does?

Regards

Markus

[1]: http://www.shorewall.net/Xen.html

Markus Schiltknecht wrote:
Hi,

I'm struggling with my iptables configuration since I've installed Xen. Before, I had the host/dom0 doing port forwarding with:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d $PUBLIC_IP \
    --dport 80 -j DNAT --to 192.168.0.190

That worked like a charm. After installing and starting Xen, I found out that eth0 became peth0 and was bridged into xenbr0. That's all fine and documented. So I thought I could just alter the incoming interface from eth0 to xenbr0 in the above port forwarding rule:

iptables -t nat -A PREROUTING -p tcp -i xenbr0 -d $PUBLIC_IP \
    --dport 80 -j DNAT --to 192.168.0.190

But that doesn't work anymore. The rule's packet counter counts up when sending a packet to port 80, but it does not make it into the FORWARD table of iptables.

Does xenbr0 block this packet somehow? I've been reading about ebtables, but only got some C source examples.

Help greatly appreciated.

Regards

Markus

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
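The symptom described in the thread (the nat/PREROUTING DNAT rule counts packets, but nothing for the DNAT target ever shows up in filter/FORWARD) is something you can check mechanically from the rule counters before guessing at the cause. The script below is an added example, not code from the thread or from Xen; it parses the counter listings in the layout produced by `iptables -t nat -nvxL PREROUTING` and `iptables -nvxL FORWARD`, and reports whether DNAT hits are being accounted for downstream. The sample listings are constructed (203.0.113.10 stands in for $PUBLIC_IP), and the sysctl paths for bridge-nf and ip_forward are the standard procfs locations, assumed present on the dom0 kernel.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare DNAT hits in nat/PREROUTING
# with what filter/FORWARD sees for the DNAT target.
# Assumptions: listings in the layout of "iptables -t nat -nvxL PREROUTING" and
# "iptables -nvxL FORWARD" (columns: pkts bytes target prot opt in out source
# destination ...). FORWARD must contain at least one rule naming the target
# (a plain "-d <target> -j ACCEPT" counter rule is enough); policy fall-through
# is not attributed to any address.

# Sum pkts of DNAT rules whose target is "to:<addr>" or "to:<addr>:<port>".
# $1 = PREROUTING listing, $2 = DNAT target address
dnat_packets_to() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $3 == "DNAT" && ($NF == ("to:" dst) || index($NF, ("to:" dst ":")) == 1) { n += $1 }
        END { printf "%d\n", n + 0 }'
}

# Sum pkts of FORWARD rules whose destination column equals <addr>.
# $1 = FORWARD listing, $2 = address
forward_packets_to() {
    printf '%s\n' "$1" | awk -v dst="$2" '
        $9 == dst { n += $1 }
        END { printf "%d\n", n + 0 }'
}

# Verdict for one DNAT target:
#   no-dnat-match       the DNAT rule never matched, so the problem is upstream
#   ok                  DNAT matched and FORWARD rules for the target fired
#   lost-before-forward DNAT matched but FORWARD never saw the rewritten packet
diagnose() {
    pre="$1"; fwd="$2"; dst="$3"
    d=$(dnat_packets_to "$pre" "$dst")
    f=$(forward_packets_to "$fwd" "$dst")
    if [ "$d" -eq 0 ]; then
        echo no-dnat-match
    elif [ "$f" -gt 0 ]; then
        echo ok
    else
        echo lost-before-forward
    fi
}

# Sysctls worth reading when the verdict is lost-before-forward: whether bridged
# frames are handed to iptables at all, and whether dom0 forwards IP.
host_checks() {
    for f in /proc/sys/net/bridge/bridge-nf-call-iptables /proc/sys/net/ipv4/ip_forward; do
        if [ -r "$f" ]; then
            printf '%s = %s\n' "$f" "$(cat "$f")"
        else
            printf '%s: not present\n' "$f"
        fi
    done
}

# Constructed sample listings reproducing the reported symptom.
SAMPLE_PREROUTING='Chain PREROUTING (policy ACCEPT 42 packets, 3360 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      420 DNAT       tcp  --  xenbr0 *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.0.190'

SAMPLE_FORWARD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  xenbr0 *       0.0.0.0/0            192.168.0.190        tcp dpt:80'

# Live use as root: sh diag.sh --live 192.168.0.190
# Without --live, runs against the constructed samples.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ] && command -v iptables >/dev/null 2>&1; then
    diagnose "$(iptables -t nat -nvxL PREROUTING)" "$(iptables -nvxL FORWARD)" "$2"
    host_checks
else
    diagnose "$SAMPLE_PREROUTING" "$SAMPLE_FORWARD" 192.168.0.190
fi
```

Two things to keep in mind when reading the counters on a bridged dom0: with bridge-nf-call-iptables set to 1, frames crossing xenbr0 traverse iptables with the bridge itself as `-i`/`-o`, so a rule that needs the physical port has to use `-m physdev --physdev-in peth0` rather than `-i peth0`; with it set to 0, purely bridged frames never reach iptables at all, and only traffic addressed to or routed by dom0 shows up in the counters.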