Hi Falko, First, I wanna thank you for the great tutorial. The only problem I have is that port forwarding from dom0 to vm01 is not working. I installed apache on vm01 and I did port forwarding on dom0, but I still cannot access vm01 from the outside. I found also that there is a problem with iptables on vm01. Could this be the reason NAT is not working? If yes, I've already read your answer on http://www.howtoforge.com/forums/showthread.php?t=4085, and I would like to know how I can make sure that iptables is correctly enabled for the domU kernel?
Thanks
Akil Mussá
What's the output of ifconfig on vm01?

This means that the domU kernel doesn't support iptables. Did you compile the domU kernel yourself, or did you install the pre-compiled Xen kernel? The latter one doesn't support iptables.
Hi,
Code:
vm01:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3E:38:F6:5F
          inet addr:10.0.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:906 (906.0 b)  TX bytes:549 (549.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:280 (280.0 b)  TX bytes:280 (280.0 b)

vm01:~#
Did you change /etc/xen/xend-config.sxp as described on http://www.howtoforge.com/perfect_setup_xen3_debian_p6? What's the output of cat /proc/sys/net/ipv4/ip_forward on dom0?
Hi Falko,
Code:
root@cust131-43:amussa# cat /proc/sys/net/ipv4/ip_forward
1
root@cust131-43:amussa#

Yes, /etc/xen/xend-config.sxp is as you say in the tutorial:
Code:
#(network-script network-bridge)
#(vif-script vif-bridge)
(network-script network-nat)
(vif-script vif-nat)
Hi, Thanks for your patience. Here are my firewall rules:
Code:
root@cust131-43:amussa# iptables -L -nv
Chain INPUT (policy ACCEPT 4589K packets, 1067M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 325 packets, 148K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       10.0.0.1             0.0.0.0/0           PHYSDEV match --physdev-in vif5.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67
    0     0 ACCEPT     all  --  *      *       10.0.0.2             0.0.0.0/0           PHYSDEV match --physdev-in vif6.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif6.0 udp spt:68 dpt:67

Chain OUTPUT (policy ACCEPT 4404K packets, 932M bytes)
 pkts bytes target     prot opt in     out     source               destination
root@cust131-43:amussa#
root@cust131-43:amussa# iptables -L -t nat -nv
Chain PREROUTING (policy ACCEPT 531 packets, 64813 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:10.0.0.1:8080

Chain POSTROUTING (policy ACCEPT 47026 packets, 2822K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4460  281K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 51475 packets, 3102K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@cust131-43:amussa#
I solved part of the problem. Now I can access the vm01 http page from the outside if I use the same port (80).
Code:
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80

When I try to redirect from the outside port 8080 to the vm01 port 80 I don't get a connection.
Code:
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8080 -j DNAT --to 10.0.0.1:80

Is there any problem with DNAT? I read the netfilter tutorial and they say it is possible. Thanks for any help.
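To make the chain traversal concrete, here is an added example (mine, not Falko's or the thread's) that simulates nat/PREROUTING DNAT for the three rules in this thread. The guest service table and the public address 203.0.113.10 are constructed, and the first rule is reconstructed as a command from the nat listing above. It shows that the FORWARD chain and vm01 only ever see the rewritten destination, so translating outside port 8080 to guest port 80 is ordinary DNAT, while the earlier 8080-to-8080 rule fails in the model because nothing listens on 8080 in the guest.

```python
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class DnatRule:
    in_if: "str | None"  # None: rule has no -i, matches any input interface
    proto: str
    dport: int
    to_addr: str
    to_port: int

def parse_dnat_rule(cmd: str) -> DnatRule:
    """Parse 'iptables -A PREROUTING -t nat ... -j DNAT --to addr:port' as typed in the thread."""
    toks = shlex.split(cmd)
    def opt(flag):
        return toks[toks.index(flag) + 1] if flag in toks else None
    addr, port = (opt("--to") or opt("--to-destination")).split(":")
    return DnatRule(opt("-i"), opt("-p"), int(opt("--dport")), addr, int(port))

def apply_prerouting(pkt: dict, rules: list) -> dict:
    """nat/PREROUTING: the first matching DNAT rule rewrites dst before the routing decision."""
    for r in rules:
        if r.in_if in (None, pkt["in_if"]) and r.proto == pkt["proto"] and r.dport == pkt["dport"]:
            return {**pkt, "dst": r.to_addr, "dport": r.to_port}
    return pkt

def trace(pkt: dict, rules: list, listening: dict) -> str:
    """Where the connection ends up; FORWARD and the guest only ever see the rewritten dst."""
    after = apply_prerouting(pkt, rules)
    if after == pkt:
        return "no DNAT match: delivered to dom0 itself"
    key = f"{after['dst']}:{after['dport']}"
    if key in listening:
        return f"forwarded to {key} ({listening[key]})"
    return f"forwarded to {key}, but nothing listens there"

VM01_SERVICES = {"10.0.0.1:80": "apache"}  # constructed: apache on vm01 listens on 80 only
RULES = {  # the three DNAT rules that appear in the thread, in the order they were tried
    "first": "iptables -A PREROUTING -t nat -p tcp --dport 8080 -j DNAT --to 10.0.0.1:8080",
    "works": "iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80",
    "failing": "iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8080 -j DNAT --to 10.0.0.1:80",
}
def outcome(rule_name: str, dport: int, in_if: str = "eth0") -> str:
    """Trace one TCP connection to dom0's public address (203.0.113.10, constructed)."""
    pkt = {"in_if": in_if, "proto": "tcp", "dst": "203.0.113.10", "dport": dport}
    return trace(pkt, [parse_dnat_rule(RULES[rule_name])], VM01_SERVICES)

if __name__ == "__main__":
    for name, port in (("first", 8080), ("works", 80), ("failing", 8080)):
        print(f"{name:8} dport {port}: {outcome(name, port)}")
```

If the 8080-to-80 rule still fails on the real host, compare the pkts/bytes counters of that DNAT rule and of the FORWARD chain in the two iptables listings above before and after a connection attempt, to see at which stage the packets stop.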