WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] combination of bridged and routed networking problem

To: "DBadmin Rottmann" <dba_db2@xxxxxxx>
Subject: Re: [Xen-users] combination of bridged and routed networking problem
From: b52@xxxxxxxxx
Date: Tue, 4 Mar 2008 11:37:28 +0100 (CET)
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Tue, 04 Mar 2008 02:37:59 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
Importance: Normal
In-reply-to: <20080303133727.69070@xxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <20080303133727.69070@xxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: SquirrelMail/1.4.9a
> Hi,
>
> I have a strange challenge regarding routing/networking on a xen host
> (called tachyon).
> We have set up the host using ubuntu 7.10 (gutsy), because this
> is Debian-based and has xen3.1 included.
>
> The vms should use either bridged network or routed network.
> Therefore, we used
> (network-script network-bridge)
> (vif-script vif-bridge)
> in xend-config.sxp.
>
> Two vms (called etch32 and etch64) are connected with vif2.0 and vif3.0
> to xenbr0. They have got IP addresses via DHCP and IP works
> well to and from these vms.
>
> The third vm (called lenny32) should be connected using a routed config.
> Therefore, we have deleted vif4.0 from the bridge and activated
> ARP, NAT, ... using the following commands on Dom0 (tachyon):
>
> ip link set vif4.0 arp on
> ip link set vif4.0 multicast on
> ip addr flush vif4.0
> ip link set vif4.0 addr 00:1E:0B:70:F6:9a
> ifconfig vif4.0 192.168.0.1
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t nat -A PREROUTING -i xenbr0 -p tcp -m tcp --dport 222 -j DNAT
> --to-destination 192.168.0.2:22
> iptables -t nat -A PREROUTING -i xenbr0 -p tcp -m tcp --dport 443 -j DNAT
> --to-destination 192.168.0.2:443
>
> echo 1 >  /proc/sys/net/ipv4/ip_forward
>
> On lenny32, we have set the IP of eth0 to 192.168.0.2 statically.
>
> IP connections initiated from lenny32 work well, but inbound connections
> from other hosts trying to connect to either port 222 or 443 on tachyon do
> not. These connections should be directed via DNAT to lenny32. The TCP/IP
> handshake works, but the connection could not be established.
> A TCP reset was sent by the client.
>
> Output of "tcpdump -i eth0 -s 0" at lenny32:
> 13:19:14.196801 arp who-has lenny32 tell 192.168.0.1
> 13:19:14.196827 arp reply lenny32 is-at 00:16:3e:54:f1:11 (oui Unknown)
> 13:19:14.196859 IP pc63002738.1054 > lenny32.ssh: S
> 1817694704:1817694704(0) win 65535 <mss 1460,nop,nop,sackOK>
> 13:19:14.196890 IP lenny32.ssh > pc63002738.wl.1054: S
> 1304397835:1304397835(0) ack 1817694705 win 5840 <mss 1460,nop,nop,sackOK>
> 13:19:14.197074 IP pc63002738.1054 > lenny32.ssh: . ack 1 win 65535
> 13:19:14.203841 IP lenny32.ssh > pc63002738.wl.1054: P 1:32(31) ack 1 win
> 5840 (SSH: Server Protocol: SSH-2.0-OpenSSH_4.7p1 Debian-2)
> 13:19:14.204048 IP pc63002738.1054 > lenny32.ssh: R
> 1817694705:1817694705(0) win 0 (Client sends RESET !!???)
>
> A direct ssh connection from tachyon to lenny32 works!
> At lenny32 neither /etc/hosts.allow nor /etc/hosts.deny contains any
> entries.
>
> A similar behaviour could be observed when connecting to 443 on tachyon.
> The command "iptables -Lvn" in the nat table shows that the DNAT rules
> match; the policy of all chains in the filter table is ACCEPT.
>
> Any help is appreciated !!
>
> Thanks in advance,
>
>  Valentin Rottmann
>
> ------------------------------------------------
> # etch64: fake eth0 -> vif2.0 -+
> #                              |
> # etch32: fake eth0 -> vif3.0 -+
> #                              |
> #                           xenbr0 -> peth0 -> the network
> #                              |
> #tachyon: fake eth0 -> vif0.0 -+
> #               |
> #  (routing, MASQUERADING, DNAT)
> #               |
> #           vif4.0  <-> fake eth0 (lenny32)
>
>
> root@tachyon:~# uname -a
> Linux tachyon 2.6.22-14-xen #1 SMP Tue Feb 12 04:26:15 UTC 2008 x86_64
> GNU/Linux
>
> root@tachyon:~# dpkg -l | grep xen
> ii  libxen3.1                                  3.1.0-0ubuntu18
> library interface for Xen, a Virtual Machine
> ii  linux-headers-2.6.22-14-xen                2.6.22-14.52
> Linux kernel headers for version 2.6.22 on T
> ii  linux-image-2.6.22-14-xen                  2.6.22-14.52
> Linux kernel image for version 2.6.22 on Thi
> ii  linux-image-xen                            2.6.22.14.21
> Linux kernel image on Xen
> ii  linux-restricted-modules-2.6.22-14-xen     2.6.22.4-14.10
> Non-free Linux 2.6.22 modules on Xen
> ii  linux-restricted-modules-xen               2.6.22.14.21
> Restricted Linux modules on Xen
> ii  linux-ubuntu-modules-2.6.22-14-xen         2.6.22-14.37
> Ubuntu supplied Linux modules for version 2.
> ii  linux-xen                                  2.6.22.14.21
> Complete Linux kernel on Xen
> ii  python-xen-3.1                             3.1.0-0ubuntu18
> python bindings for Xen, a Virtual Machine M
> ii  xen-hypervisor-3.1                         3.1.0-0ubuntu18         The
> Xen Hypervisor for i386, amd64 amd lpia
> ii  xen-ioemu-3.1                              3.1.0-0ubuntu18         XEN
> administrative tools
> ii  xen-utils-3.1                              3.1.0-0ubuntu18         XEN
> administrative tools
>
> root@tachyon:~# ip route show
> 192.168.0.0/24 dev vif4.0  proto kernel  scope link  src 192.168.0.1
> 10.35.18.0/24 dev eth0  proto kernel  scope link  src 10.35.18.38
> default via 10.32.18.1 dev eth0  metric 100
>
> root@tachyon:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> xenbr0          8000.feffffffffff       no              vif0.0
>                                                         peth0
>                                                         vif2.0
>                                                         vif3.0
> root@tachyon:~# iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 1595 packets, 112K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  1112 75928 LOG        0    --  *      *       0.0.0.0/0
> 0.0.0.0/0           LOG flags 0 level 4
>    15   860 DNAT       tcp  --  xenbr0 *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:222 to:192.168.0.2:22
>    32  1536 DNAT       tcp  --  xenbr0 *       0.0.0.0/0
> 0.0.0.0/0           tcp dpt:443 to:192.168.0.2:443
>
> Chain POSTROUTING (policy ACCEPT 6785 packets, 418K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  1058 75471 MASQUERADE  0    --  *      eth0    0.0.0.0/0
> 0.0.0.0/0

Well, actually I don't see the reason, but your NAT is quite strange!?
Shouldn't you only DNAT for eth0 port 222?
Like: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 222 -j DNAT
--to-destination 192.168.0.2:22
Don't do this at the bridge, and I think you don't need masquerade either.

Regards,
Holger

> Chain OUTPUT (policy ACCEPT 5342 packets, 313K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> root@tachyon:~# iptables  -L -v -n
> Chain INPUT (policy ACCEPT 97072 packets, 7289K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain FORWARD (policy ACCEPT 1649K packets, 100M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     0    --  *      *       0.0.0.0/0
> 0.0.0.0/0           PHYSDEV match --physdev-in vif2.0
>     7  1489 ACCEPT     0    --  *      *       0.0.0.0/0
> 0.0.0.0/0           PHYSDEV match --physdev-in vif3.0
>    90  6972 ACCEPT     0    --  *      *       192.168.0.2
> 0.0.0.0/0           PHYSDEV match --physdev-in vif4.0
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           PHYSDEV match --physdev-in vif4.0 udp spt:68
> dpt:67
>
> Chain OUTPUT (policy ACCEPT 81259 packets, 21M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
>
>



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
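As an added example (not code from the thread or from Xen), a small Python checker that parses the `iptables -t nat -L -v -n` listing format quoted above and flags PREROUTING DNAT rules keyed on the bridge rather than the external interface, emitting the `-i eth0` form Holger suggests. The listing is the thread's own output re-joined onto one line per rule; treating eth0 as the external interface is an assumption.

```python
import re

# Constructed sample: the thread's Dom0 nat listing, re-joined to one line per rule.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 1595 packets, 112K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1112 75928 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
   15   860 DNAT       tcp  --  xenbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:222 to:192.168.0.2:22
   32  1536 DNAT       tcp  --  xenbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.0.2:443

Chain POSTROUTING (policy ACCEPT 6785 packets, 418K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1058 75471 MASQUERADE  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

# One rule line of `iptables -t nat -L -v -n`: counters, target, prot, opt, in, out, src, dst, extras.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<extra>.*))?$")

def parse_nat_listing(text):
    """Yield (chain, rule) for every rule line; 'Chain' lines set context, header/blank lines are skipped."""
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m and chain:
            rule = m.groupdict()
            rule["extra"] = rule["extra"] or ""
            yield chain, rule

def audit_dnat(text, external_if="eth0"):
    """Flag PREROUTING DNAT rules not keyed on the external interface (assumed: eth0, as Holger
    names it). With bridge-nf-call-iptables on, bridged frames also traverse PREROUTING with
    in=xenbr0, so a '-i xenbr0' rule with destination 0.0.0.0/0 can catch traffic to the other
    bridged guests as well, not only connections aimed at Dom0 itself."""
    findings = []
    for chain, r in parse_nat_listing(text):
        if chain != "PREROUTING" or r["target"] != "DNAT" or r["in"] == external_if:
            continue
        dport = re.search(r"dpt:(\d+)", r["extra"])
        to = re.search(r"to:(\S+)", r["extra"])
        if not (dport and to):
            continue  # no port/destination to rewrite; leave for manual review
        findings.append({"in": r["in"], "dport": dport.group(1), "to": to.group(1),
                         "suggest": "iptables -t nat -A PREROUTING -i %s -p %s --dport %s "
                                    "-j DNAT --to-destination %s"
                                    % (external_if, r["prot"], dport.group(1), to.group(1))})
    return findings
```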
