COiN3D Guru
Joined: 02 Aug 2004 Posts: 543 Location: Munich, Germany
Posted: Wed Jul 30, 2008 9:58 am Post subject: Strange XEN NAT problem |
Hello there,
I've got a problem regarding my XEN network setup. First of all, I'll just tell you what doesn't work: the access to a forwarded (natted) port (e.g. port 80 http) of a dom (no matter if dom0 or domU) to the server's external IP address (from "inside") does not work (connection refused). Here's the layout of my XEN virtual network:
Code:
         one machine with an external ip
          |                        |
          |                        |
eth0 (85.214.xxx.xxx)      xenbr0 (bridge 10.0.0.1)
                              |               |
                              |               |
                 webserver (10.0.0.2)   mailserver (10.0.0.3)

So the server has one external IP and I want to use two domUs for web and mail behind it - therefore I have to use masquerading. While building up this configuration, I was inspired by this tutorial: http://en.opensuse.org/Xen3_and_a_Virtual_Network
To come back to the problem - NAT (masquerading) and port forwarding work just fine. I can connect to the webserver by using http://85.214.xxx.xxx without any problems from HOME. But when I try to connect to http://85.214.xxx.xxx from INSIDE (e.g. from dom0 or the webserver, it doesn't matter), I cannot make a connection (lynx says connection refused). Also a port scan with nmap does not show me the open port 80 from inside (while from outside it does). I messed up with iptables all the time, since I could not figure out why this happens, so I decided just to create a very plain iptables configuration - here is my iptables output:
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.0.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Has anyone had a similar problem and maybe solved it?
Thanks in advance
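
The only DNAT rule in the listing above sits in the nat PREROUTING chain, which netfilter consults for packets arriving on an interface; a connection opened by a process on dom0 itself is checked against the nat OUTPUT chain instead, which is empty here. The following is an added example, not part of the original post: it parses the posted nat listing and reports which DNAT rule a connection meets by origin. The `NAT_PATH` table and the function names are assumptions for illustration, and the domU case and bridge filtering are not modelled.

```python
import re

# nat-table listing copied from the post above, embedded as sample input.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:10.0.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""

# nat chains consulted for the first packet of a connection, by origin
# (hypothetical helper table, simplified to the two cases compared here).
NAT_PATH = {
    "incoming": ["PREROUTING", "POSTROUTING"],  # packet arrived on an interface
    "local": ["OUTPUT", "POSTROUTING"],         # packet created by a dom0 process
}

def parse_nat(listing):
    """Return {chain: [(target, proto, dport, to), ...]} from `iptables -t nat -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+)", line)
        if header:
            current = chains.setdefault(header.group(1), [])
        elif line.strip() and not line.startswith("target") and current is not None:
            fields = line.split()
            dport = re.search(r"dpt:(\S+)", line)
            to = re.search(r"to:(\S+)", line)
            current.append((fields[0], fields[1],
                            dport and dport.group(1), to and to.group(1)))
    return chains

def dnat_target(chains, origin, proto, dport):
    """Address the connection is rewritten to, or None if no DNAT rule is consulted."""
    for chain in NAT_PATH[origin]:
        for target, rproto, rdport, to in chains.get(chain, []):
            if target == "DNAT" and rproto in (proto, "all") and rdport in (dport, None):
                return to
    return None

if __name__ == "__main__":
    rules = parse_nat(NAT_LISTING)
    print("from outside:", dnat_target(rules, "incoming", "tcp", "http"))
    print("from dom0:   ", dnat_target(rules, "local", "tcp", "http"))
```

A `None` result for the dom0 case means the connection keeps its original destination, so it is answered by whatever listens on port 80 on dom0 itself.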