The Perfect Xen 3.0 Setup For Debian - virtual network problem

Discussion in 'HOWTO-Related Questions' started by rsacon, Apr 14, 2006.

  1. rsacon

    rsacon New Member

    I followed the tutorial step by step on a box I just rented at an ISP. Everything went fine (including network connectivity) until I reached the last part with the virtual local network.

    The VMs can reach each other and reach the Internet from their 10.0.0.x network, but after putting in the NAT rules I still can't access any running service such as SSH from the Internet. Is there any step missing in the tutorial or am I doing something wrong? And there is a difference when I add the NAT rules. Without them I immediately get a connection refused error, with the NAT rules it just keeps hanging.

    For now, I went back to the bridged connection, but I really hope to get the private local network running.

    thanks in advance for any advice
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Can you post the NAT rules you're using?
     
  3. rsacon

    rsacon New Member

    These were my NAT settings:


    more /etc/network/if-up.d/iptables:

    #!/bin/sh

    ### Port Forwarding ###
    iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.2:80
    iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6678 -j DNAT --to 10.0.0.1:22
    iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6679 -j DNAT --to 10.0.0.2:22
     
  4. falko

    falko Super Moderator Howtoforge Staff

    Did you
    Code:
    chmod 755 /etc/network/if-up.d/iptables
    (so that the file is executed at system startup)? Is eth0 your network device on dom0?
     
  5. rsacon

    rsacon New Member

    Yes to both of your questions, see below. I still couldn't figure out why it doesn't work. Any ideas how to troubleshoot this problem?

    debian:/home/saccon# ls -la /etc/network/if-up.d/iptables
    -rwxr-xr-x 1 root root 282 2006-04-13 17:28 /etc/network/if-up.d/iptables

    debian:/home/saccon# ifconfig
    eth0 Link encap:Ethernet HWaddr 00:16:35:78:EF:C0
    inet addr:72.232.68.66 Bcast:72.255.255.255 Mask:255.255.255.248
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:915 errors:0 dropped:0 overruns:0 frame:0
    TX packets:758 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:87754 (85.6 KiB) TX bytes:165024 (161.1 KiB)
    Interrupt:17

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    vif5.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
    inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:35 errors:0 dropped:0 overruns:0 frame:0
    TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2406 (2.3 KiB) TX bytes:1394 (1.3 KiB)

    vif6.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
    inet addr:10.0.0.129 Bcast:0.0.0.0 Mask:255.255.255.255
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:22 errors:0 dropped:0 overruns:0 frame:0
    TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1570 (1.5 KiB) TX bytes:248 (248.0 b)


    regards
    Roberto
     
  6. falko

    falko Super Moderator Howtoforge Staff

    What happens if you execute /etc/network/if-up.d/iptables? Run
    Code:
    /etc/network/if-up.d/iptables
    on the shell as root.

    Please make sure that file has Unix linebreaks, not Windows linebreaks.
     
  7. rsacon

    rsacon New Member

    Unfortunately nothing happens. And if I list all rules with iptables -L, I can't see them anywhere there.
     
  8. rsacon

    rsacon New Member

    I need to correct myself: I didn't specify the NAT table. With "iptables -L -t nat" I see:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT tcp -- anywhere anywhere tcp dpt:www to:10.0.0.2:80
    DNAT tcp -- anywhere anywhere tcp dpt:9641 to:10.0.0.1:22
    DNAT tcp -- anywhere anywhere tcp dpt:9642 to:10.0.0.2:22


    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    MASQUERADE all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    The filter table looks like:
    ---------------------

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif5.0
    ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
    ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif6.0
    ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
    ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif7.0
    ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
    ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif8.0
    ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    If I try to log in via SSH and sniff on the interface, I get the following tcpdump:
    ----------------------------------------------------------------------------
    debian:/etc/xen# tcpdump port 9641
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    22:19:33.294688 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: S 2159620162:2159620162(0) win 65535 <mss 1440 ,nop,nop,sackOK>
    22:19:33.295608 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
    22:19:33.504404 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
    22:19:33.505583 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
    22:19:37.530007 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
    22:19:41.779922 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 1607211346:1607211387(41) ack 1780605239 win 5840
    22:19:43.529954 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
    22:19:55.530022 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
    22:20:19.530018 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
    22:20:43.530011 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.nessus: P 1322618440:1322618481(41) ack 1471941687 win 5840
    22:21:07.529963 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
    22:21:17.779923 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 0:41(41) ack 1 win 5840
    .......

    Now I have all the data, but I still can't see what exactly is wrong ...
     
    Last edited: Apr 21, 2006
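
Added example (not from rsacon, falko or the HowtoForge tutorial): a small parser for the classic tcpdump line format shown in the capture above that groups packets into TCP flows and, for each flow to the forwarded service port, reports whether the three-way handshake completed, how many data segments the service side sent, how many of those repeat the same byte range (retransmissions), and whether the client ever acknowledged any of that data. The sample lines are copied from the posted capture; the "service port" argument (9641 here) is the port the DNAT rule listens on, so the side owning it is treated as the server. The regular expression and the verdict strings are this example's own choices, not tcpdump or iptables output formats beyond what the capture itself shows.

```python
"""Flow-level sanity check over a tcpdump trace (added example, not from the thread)."""
import re
from collections import Counter, defaultdict

# Classic tcpdump TCP line:  TIME IP SRC.SPORT > DST.DPORT: FLAGS [SEQ:END(LEN)] [ack N] win W [<opts>]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<flags>[SPFR.]+)"
    r"(?: (?P<seq>\d+)(?::(?P<end>\d+))?\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
)

# Sample input: lines copied from the capture posted above (port 9641 is the forwarded SSH port).
SAMPLE_TRACE = """
22:19:33.294688 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: S 2159620162:2159620162(0) win 65535 <mss 1440 ,nop,nop,sackOK>
22:19:33.295608 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
22:19:33.505583 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:41.779922 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 1607211346:1607211387(41) ack 1780605239 win 5840
22:19:43.529954 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:21:17.779923 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 0:41(41) ack 1 win 5840
.......
""".strip().splitlines()


def parse_line(line):
    """Return a packet dict for a TCP line, or None for headers and noise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    seq = int(d["seq"]) if d["seq"] else None
    length = int(d["len"]) if d["len"] else 0
    end = int(d["end"]) if d["end"] else (seq + length if seq is not None else None)
    return {
        "src": (d["src"], d["sport"]), "dst": (d["dst"], d["dport"]),
        "flags": d["flags"], "seq": seq, "end": end, "len": length,
        "ack": int(d["ack"]) if d["ack"] else None,
    }


def analyze(lines, service_port):
    """Group packets into flows and judge each one from the service side's point of view."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            flows[tuple(sorted([pkt["src"], pkt["dst"]]))].append(pkt)

    reports = {}
    for key, pkts in flows.items():
        server = next((ep for ep in key if ep[1] == service_port), None)
        if server is None:
            continue  # not a flow to the forwarded service
        client = key[1] if key[0] == server else key[0]
        from_client = [p for p in pkts if p["src"] == client]
        from_server = [p for p in pkts if p["src"] == server]

        syn = any("S" in p["flags"] and p["ack"] is None for p in from_client)
        synack = any("S" in p["flags"] and p["ack"] is not None for p in from_server)
        ack3 = any(p["flags"] == "." and p["len"] == 0 and p["ack"] is not None for p in from_client)
        handshake = syn and synack and ack3

        # Identical (seq, end) ranges from the server are retransmissions of unacknowledged data.
        ranges = Counter((p["seq"], p["end"]) for p in from_server if p["len"] > 0)
        segments = sum(ranges.values())
        retrans = sum(c - 1 for c in ranges.values())
        highest_end = max((e for _, e in ranges), default=None)
        # tcpdump switches to relative numbering once it saw the SYN, so both sides share a scale.
        acked = highest_end is not None and any(
            p["ack"] >= highest_end for p in from_client if p["ack"] is not None)

        if not handshake:
            verdict = "handshake not observed (partial capture)"
        elif segments and retrans and not acked:
            verdict = "handshake completed, but server data was retransmitted and never acknowledged"
        elif acked:
            verdict = "healthy"
        else:
            verdict = "inconclusive"

        reports[f"{client[0]}.{client[1]}"] = {
            "server": f"{server[0]}.{server[1]}",
            "handshake_complete": handshake,
            "server_data_segments": segments,
            "server_retransmissions": retrans,
            "client_acked_server_data": acked,
            "verdict": verdict,
        }
    return reports


if __name__ == "__main__":
    for flow, rep in analyze(SAMPLE_TRACE, "9641").items():
        print(f"{flow}: {rep['verdict']} "
              f"(segments={rep['server_data_segments']}, retransmissions={rep['server_retransmissions']})")
```

Run against the capture above, the port 1277 flow comes out as "handshake completed, but server data was retransmitted and never acknowledged": the SYN/SYN-ACK/ACK exchange through the forward works, then the 41-byte segment the service sends is repeated on a backoff schedule and the client never acknowledges it. That separates "the DNAT rule is not matching" (no SYN-ACK at all) from "the first round trip works but later packets do not", which is the distinction worth making before changing any rules. Flows whose SYN was not captured (port 1276 here) are reported as partial rather than misjudged.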
  9. falko

    falko Super Moderator Howtoforge Staff

    Can you ping 10.0.0.2 from 10.0.0.1 and vice versa? Can you ping dom0 from a domU and vice versa?
     
  10. rsacon

    rsacon New Member

    Yes, I can ping from one VM to the other and from the VM to the public IP on dom0 and from dom0 to the VM.

    It's really strange.
     
  11. falko

    falko Super Moderator Howtoforge Staff

    Did you reboot the server?
     
  12. rsacon

    rsacon New Member

    Yes, I did several reboots and checked whether anything changed in regard to NAT, unfortunately nothing changed.
     