WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] bridge and masquerade

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] bridge and masquerade
From: Michele Petrazzo - Unipex srl <michele.petrazzo@xxxxxxxxx>
Date: Sun, 03 Jun 2007 13:09:27 +0200
Delivery-date: Sun, 03 Jun 2007 04:07:57 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b1) Gecko/20060724 Thunderbird/2.0a1 Mnenhy/0.7.4.0

Hi all,
I'm going crazy with NAT! My environment:

Xen on Debian etch amd64 (default Debian kernel, so Xen 3.0.3).

eth0 192.168.1.240/24 gw 192.168.1.254
eth1 10.0.0.1/8

The network is bridged and only eth0/1 have a valid address (so none except eth0/1 has an "inet addr"):

srv-xen:~# ifconfig | grep HWadd
eth0      Link encap:Ethernet  HWaddr 00:15:17:18:5D:AC
eth1      Link encap:Ethernet  HWaddr 00:15:17:18:5D:AD
peth0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
peth1     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif0.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif0.1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
vif2.1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
xenbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
xenbr1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF

On eth1 I have a PC with 10.0.19.254 (which has gw 10.0.0.1) that tries to
connect to 66.249.93.104 (google.it), but in the Xen machine's logs I see
"martian source" :(. I have tried all the configurations found on the net, but
none work!
My iptables:
# $IP is the iptables binary (path assumed) and $PREFIX the log prefix
# ("Firewall", as it appears in the log below)
IP=/sbin/iptables
PREFIX=Firewall

# log everything that enters the nat PREROUTING and POSTROUTING hooks
$IP -t nat -A PREROUTING -j LOG --log-prefix "$PREFIX MASQ-PRE- "
$IP -t nat -A POSTROUTING -j LOG --log-prefix "$PREFIX MASQ-POST- "

# masquerade 10/8 sources whose frame came in through bridge port peth1
$IP -t nat -A POSTROUTING -s 10.0.0.0/8 -m physdev --physdev-in peth1 -j MASQUERADE

Log:

Jun 3 12:48:12 srv-xen kernel: Firewall MASQ-PRE- IN=xenbr1 OUT= PHYSIN=peth1 MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=10.0.19.254 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall DROPPRE- IN=xenbr1 OUT= PHYSIN=peth1 MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=10.0.19.254 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall MASQ-POST- IN= OUT=xenbr1 PHYSIN=peth1 PHYSOUT=vif0.1 SRC=10.0.19.254 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall MASQ-PRE- IN=eth1 OUT= MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=192.168.1.240 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall DROPPRE- IN=eth1 OUT= MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=192.168.1.240 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: martian source 66.249.93.104 from 192.168.1.240, on dev eth1
Jun 3 12:48:12 srv-xen kernel: ll header: 00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00


If I try to DNAT everything that comes from peth1 (and wants to go outside) to
10.0.0.0 or 192.168.1.240 (my Xen address), the "out" interface is, of
course, "lo", so the Xen machine replies!

If I try to DNAT everything that comes from peth1 to the "external" gw
(192.168.1.254) I receive: "Performing cross-bridge DNAT requires IP
forwarding to be enabled" (but, of course, I have forwarding enabled!)

I don't know how to solve this... :(
Someone?

Thanks,
Michele

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
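One way to read the log in the post is to walk the packet hook by hook and watch where its source address changes. The script below is an added example (my own code, not from the post, Xen or netfilter): it parses the kernel LOG records, groups them into one flow by the fields NAT does not rewrite (L4 ports, DST, IP ID) and flags a nat POSTROUTING hit where the frame enters and leaves through the same bridge, which means it is being bridged, not routed. The bridge naming (IN/OUT is xenbrN, PHYSIN/PHYSOUT are its ports) is assumed from the post; the log lines are a constructed copy of the ones above.

```python
"""Walk a NATed packet through iptables LOG output (added example, not from the post).

Parsing of the kernel LOG format (key=value pairs after 'kernel: <prefix> <chain>')
is standard; the flow grouping and the 'bridged_not_routed' heuristic are my own and
assume Xen's bridge naming (IN/OUT = xenbrN bridge, PHYSIN/PHYSOUT = bridge ports).
"""
import re
from collections import OrderedDict

# Constructed copy of the log lines from the post, one record per line.
SAMPLE_LOG = """\
Jun 3 12:48:12 srv-xen kernel: Firewall MASQ-PRE- IN=xenbr1 OUT= PHYSIN=peth1 MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=10.0.19.254 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall DROPPRE- IN=xenbr1 OUT= PHYSIN=peth1 MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=10.0.19.254 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall MASQ-POST- IN= OUT=xenbr1 PHYSIN=peth1 PHYSOUT=vif0.1 SRC=10.0.19.254 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall MASQ-PRE- IN=eth1 OUT= MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=192.168.1.240 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: Firewall DROPPRE- IN=eth1 OUT= MAC=00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00 SRC=192.168.1.240 DST=66.249.93.104 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=52054 DF PROTO=TCP SPT=58536 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 3 12:48:12 srv-xen kernel: martian source 66.249.93.104 from 192.168.1.240, on dev eth1
Jun 3 12:48:12 srv-xen kernel: ll header: 00:15:17:18:5d:ad:00:0f:b0:df:f9:82:08:00
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<chain>\S+) (?P<kv>IN=.*)$")
MARTIAN_RE = re.compile(r"martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")


def parse_log_line(line):
    """Parse one iptables LOG record into a dict; return None for other kernel lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "flags": []}
    for tok in m.group("kv").split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val              # IN=, OUT=, PHYSIN=, SRC=, ... (value may be empty)
        else:
            rec["flags"].append(tok)    # DF, SYN, ...
    # IN set / OUT empty: PREROUTING or INPUT.  IN empty / OUT set: OUTPUT or POSTROUTING.
    rec["hook"] = "post" if rec.get("OUT") and not rec.get("IN") else "pre"
    return rec


def flow_key(rec):
    """Identify a packet across hooks by fields that MASQUERADE does not rewrite."""
    return (rec.get("PROTO"), rec.get("SPT"), rec.get("DPT"), rec.get("DST"), rec.get("ID"))


def trace(log_text):
    """Group LOG records into flows; return {key: {"hits": [...], "findings": [...]}}."""
    flows, martians = OrderedDict(), []
    for line in log_text.splitlines():
        mm = MARTIAN_RE.search(line)
        if mm:
            martians.append(mm.groupdict())
            continue
        rec = parse_log_line(line)
        if rec:
            flows.setdefault(flow_key(rec), {"hits": [], "findings": []})["hits"].append(rec)

    for flow in flows.values():
        hits = flow["hits"]
        bridge_in = None    # bridge the packet entered through (IN=xenbrN with PHYSIN=<port>)
        prev_src = None
        for h in hits:
            if h["hook"] == "pre" and h.get("PHYSIN"):
                bridge_in = h["IN"]
            if prev_src is not None and h["SRC"] != prev_src:
                flow["findings"].append(("src_rewritten",
                    f"{prev_src} -> {h['SRC']} before {h['chain']} IN={h.get('IN')}"))
            if h["hook"] == "post" and h.get("PHYSOUT") and h["OUT"] == bridge_in:
                # Same bridge on the way in and out: the frame is being bridged, not routed,
                # so a nat POSTROUTING rule firing here rewrites it before it reaches the
                # IP layer of the bridge's own interface.
                flow["findings"].append(("bridged_not_routed",
                    f"nat POSTROUTING hit while bridging {h['PHYSIN']} -> {h['PHYSOUT']} on {h['OUT']}"))
            prev_src = h["SRC"]
        last = hits[-1]
        for mt in martians:
            if mt["src"] == last["SRC"] and mt["dst"] == last["DST"]:
                flow["findings"].append(("martian",
                    f"kernel rejected packet from {mt['src']} arriving on {mt['dev']} (martian source)"))
    return flows


def finding_kinds(log_text):
    """Ordered finding kinds per flow, for quick checks."""
    return {k: [f[0] for f in v["findings"]] for k, v in trace(log_text).items()}


if __name__ == "__main__":
    for key, flow in trace(SAMPLE_LOG).items():
        print("flow", key)
        for h in flow["hits"]:
            print(f"  {h['hook']:4} {h['chain']:<11} IN={h.get('IN', '')} OUT={h.get('OUT', '')} "
                  f"PHYSIN={h.get('PHYSIN', '')} PHYSOUT={h.get('PHYSOUT', '')} SRC={h['SRC']}")
        for kind, detail in flow["findings"]:
            print(f"  ! {kind}: {detail}")
```

On the posted log the trace reports, in order, bridged_not_routed (the POSTROUTING hit with OUT=xenbr1 PHYSOUT=vif0.1, i.e. the frame being bridged from peth1 into dom0's side of xenbr1), src_rewritten (10.0.19.254 has become 192.168.1.240 by the time the same packet, same ID 52054 and SPT 58536, shows up in PREROUTING on eth1), and then the martian. That is the whole story: because bridged frames traverse iptables (controlled by /proc/sys/net/bridge/bridge-nf-call-iptables), the nat POSTROUTING rule keyed on --physdev-in peth1 matches the bridge pass, and MASQUERADE rewrites the source before routing has happened; eth1 then receives a packet whose source is the box's own eth0 address and the kernel discards it as a martian. The usual shape for this is to masquerade on the routed egress device instead, -s 10.0.0.0/8 -o eth0 -j MASQUERADE, so the rule only fires on packets that dom0 is actually forwarding out.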
