I followed the tutorial step by step on a box I just rented at an ISP. Everything went fine (including network connectivity) until I reached the last part with the virtual local network. The VMs can reach each other and reach the Internet from their 10.0.0.x network, but after putting in the NAT rules I still can't access any running service such as SSH from the Internet. Is there any step missing in the tutorial or am I doing something wrong? And there is a difference when I add the NAT rules. Without them I immediately get a connection refused error, with the NAT rules it just keeps hanging. For now, I went back to the bridged connection, but I really hope to get the private local network running. Thanks in advance for any advice.
These were my NAT settings (more /etc/network/if-up.d/iptables):

#!/bin/sh
### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6678 -j DNAT --to 10.0.0.1:22
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6679 -j DNAT --to 10.0.0.2:22
Did you run

chmod 755 /etc/network/if-up.d/iptables

(so that the file is executed at system startup)? Is eth0 your network device on dom0?
yes to both of your questions, see below. I still couldn't figure out why it doesn't work. Any ideas how to troubleshoot this problem?

debian:/home/saccon# ls -la /etc/network/if-up.d/iptables
-rwxr-xr-x 1 root root 282 2006-04-13 17:28 /etc/network/if-up.d/iptables

debian:/home/saccon# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:35:78:EF:C0
          inet addr:72.232.68.66  Bcast:72.255.255.255  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:915 errors:0 dropped:0 overruns:0 frame:0
          TX packets:758 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:87754 (85.6 KiB)  TX bytes:165024 (161.1 KiB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vif5.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.0.128  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2406 (2.3 KiB)  TX bytes:1394 (1.3 KiB)

vif6.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.0.129  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1570 (1.5 KiB)  TX bytes:248 (248.0 b)

regards Roberto
What happens if you execute /etc/network/if-up.d/iptables? Run

/etc/network/if-up.d/iptables

on the shell as root. Please make sure that file has Unix linebreaks, not Windows linebreaks.
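The checks asked for in the replies (executable bit, interpreter line, Unix line breaks) and the full rule set the posted hook needs, as an added example that is not the tutorial's or the poster's own code. The interface name, forwarded ports and VM addresses are taken from the thread; the `apply` mode, the ip_forward check and the use of `iptables -C` (which needs iptables 1.4.11 or later) are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not the tutorial's or the poster's own code.
#   check_ifup_script FILE  runs the checks from the replies: the hook exists,
#                           is executable (chmod 755), starts with a #! line
#                           and uses Unix rather than Windows line breaks
#   nat_rules WAN_IF        prints the complete rule set for the posted forwards
#                           (three DNAT rules plus the POSTROUTING MASQUERADE the
#                           VMs' outbound traffic needs) for review before use
#   apply_nat_rules WAN_IF  installs them as root, enabling ip_forward first and
#                           using "iptables -C" so re-running the hook on every
#                           interface up does not append duplicate rules
# Assumptions: interface name, ports and VM addresses are the thread's values;
# -C needs an iptables that supports it (1.4.11 or later).

set -u

check_ifup_script() {
    f="$1"
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$f" ] || { echo "not executable (chmod 755 it): $f"; rc=1; }
    head -n 1 "$f" | grep -q '^#!' || { echo "no #! interpreter line: $f"; rc=1; }
    # a carriage return means the file was saved with Windows line breaks; the
    # kernel then looks for an interpreter literally named "/bin/sh<CR>" and fails
    if grep -q "$(printf '\r')" "$f"; then echo "Windows line breaks: $f"; rc=1; fi
    return "$rc"
}

# one forward per line: public port, VM address, VM port (values from the thread)
FORWARDS='80 10.0.0.2 80
6678 10.0.0.1 22
6679 10.0.0.2 22'

nat_rules() {
    wan="$1"
    echo "$FORWARDS" | while read -r wport laddr lport; do
        [ -n "$wport" ] || continue
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $wport -j DNAT --to-destination $laddr:$lport"
    done
    # VM traffic leaving through the public interface gets dom0's address
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

apply_nat_rules() {
    wan="$1"
    # DNAT to another host does nothing unless the kernel forwards packets
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ] || sysctl -w net.ipv4.ip_forward=1
    nat_rules "$wan" | while read -r cmd; do
        # -C succeeds when the rule is already present, so -A runs only once
        check=$(echo "$cmd" | sed 's/ -A / -C /')
        $check 2>/dev/null || $cmd
    done
}

# usage: sh nat-hook.sh check /etc/network/if-up.d/iptables
#        sh nat-hook.sh show eth0
#        sh nat-hook.sh apply eth0
case "${1:-}" in
    check) check_ifup_script "$2" ;;
    show)  nat_rules "$2" ;;
    apply) apply_nat_rules "$2" ;;
esac
```

Running `show` first and comparing its output with `iptables -L -t nat -n` tells you whether the rules that are live are the rules you intended; `check` catches the two most common reasons an if-up.d hook silently never runs.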
unfortunately nothing happens. And if I list all rules with iptables -L, I can't see them anywhere there.
need to correct myself, didn't specify NAT table, with "iptables -L -t nat" I see:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:www to:10.0.0.2:80
DNAT       tcp  --  anywhere             anywhere            tcp dpt:9641 to:10.0.0.1:22
DNAT       tcp  --  anywhere             anywhere            tcp dpt:9642 to:10.0.0.2:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Filter table looks like:
---------------------
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif5.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif6.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If I try to log in via ssh and sniff at the interface I get the following tcpdump:
----------------------------------------------------------------------------
debian:/etc/xen# tcpdump port 9641
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:19:33.294688 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: S 2159620162:2159620162(0) win 65535 <mss 1440,nop,nop,sackOK>
22:19:33.295608 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
22:19:33.505583 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:41.779922 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 1607211346:1607211387(41) ack 1780605239 win 5840
22:19:43.529954 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:19.530018 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:43.530011 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.nessus: P 1322618440:1322618481(41) ack 1471941687 win 5840
22:21:07.529963 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:21:17.779923 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 0:41(41) ack 1 win 5840
.......

Now I have all the data but I still can't see what exactly is wrong ..
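A capture like the one above is easier to read once repeated segments are counted: a data segment that shows up again for the same flow with the same sequence range was sent more than once, which means the sender never received an ACK for it. This is an added example, not part of the post; the sample capture is constructed from the shapes of the lines above with placeholder host names, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: find retransmitted TCP data segments in
# a tcpdump text capture. The SAMPLE is constructed (placeholder host names).

# list_retransmissions  < capture.txt  -> prints "src > dst: seq-range times-seen"
# count_retransmissions < capture.txt  -> prints the number of repeated sends
list_retransmissions() {
    awk '
    # tcpdump fields: time, "IP", src, ">", dst:, flags, seq:range(len) ...
    $2 == "IP" && $7 ~ /^[0-9]+:[0-9]+\([0-9]+\)$/ {
        split($7, part, /[():]/)          # part[3] is the payload length
        if (part[3] + 0 > 0) {            # ignore SYN and other empty segments
            key = $3 " > " $5 " " $7
            seen[key]++
        }
    }
    END { for (k in seen) if (seen[k] > 1) print k, seen[k] }
    '
}

count_retransmissions() {
    list_retransmissions | awk '{ total += $NF - 1 } END { print total + 0 }'
}

# constructed sample: the handshake completes, then the server sends its first
# 41-byte data segment four times and never gets past it
SAMPLE='22:19:33.294688 IP client.1277 > server.9641: S 100:100(0) win 65535 <mss 1440,nop,nop,sackOK>
22:19:33.295608 IP server.9641 > client.1277: S 200:200(0) ack 101 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP client.1277 > server.9641: . ack 1 win 65535
22:19:33.505583 IP server.9641 > client.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP server.9641 > client.1277: P 1:42(41) ack 1 win 5840
22:19:43.529954 IP server.9641 > client.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP server.9641 > client.1277: P 1:42(41) ack 1 win 5840'

# runs the counter over the constructed sample; returns 3 for the lines above
sample_retransmissions() {
    printf '%s\n' "$SAMPLE" | count_retransmissions
}

# usage on a live box: tcpdump -n port 9641 | list_retransmissions
```

On the capture in the post the handshake completes and the client's ACK of the SYN/ACK arrives, so the forwarding path is working in both directions for the handshake; the counter then shows which segments are being repeated without progress, which narrows the question to why the ACKs for those data segments are not reaching the sender.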
yes, I can ping from one VM to the other and from the VM to the public IP on dom0 and from dom0 to the VM. It's really strange.
yes, I did several reboots and checked whether anything changed in regard to NAT, unfortunately nothing changed.