The Perfect Xen 3.0 Setup For Debian - NAT problem
amussa
18th August 2006, 04:23
Hi Falko,
First, I want to thank you for the great tutorial.
The only problem I have is that port forwarding from dom0 to vm01 is not working.
I installed apache on vm01 and I did port forwarding on dom0, but I still cannot access vm01 from the outside.
iptables -A PREROUTING -t nat -p tcp --dport 8080 -j DNAT --to 10.0.0.1:8080
I found also that there is a problem with iptables on vm01. Could this be the problem to NAT not working? If yes, I've already read your answer on http://www.howtoforge.com/forums/showthread.php?t=4085, and I would like to know how can I make sure that iptables is correctly enabled for the domU kernel?
vm01:~# iptables -L
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Thanks
Akil Mussá
falko
19th August 2006, 14:13
The only problem I got, is that port forwarding from dom0 to vm01 is not working.
I installed apache on vm01 and I did port forward on dom0, but I still cannot access to vm01 from the outside.
What's the output of ifconfig on vm01?
I found also that there is a problem with iptables on vm01. Could this be the problem to NAT not working? If yes, I've already read your answer on http://www.howtoforge.com/forums/showthread.php?t=4085, and I would like to know how can I make sure that iptables is correctly enabled for the domU kernel?
This means that the domU kernel doesn't support iptables. Did you compile the domU kernel yourself, or did you install the pre-compiled Xen kernel? The latter one doesn't support iptables.
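A way to check what Falko describes above, as an added example that is not part of the thread: read the domU kernel's build configuration and report which netfilter options are absent. It assumes the config is readable at /proc/config.gz or /boot/config-$(uname -r) (both are assumptions; a pre-compiled Xen kernel may expose neither, in which case the script falls back to a constructed sample), and it uses the 2.6-era option names that iptables 1.2.x needs for the filter and nat tables.

```shell
#!/bin/sh
# Added example, not from the thread: does this domU kernel have the netfilter
# options that `iptables -L` (filter table) and DNAT (nat table) require?
# Option names are the 2.6-era ones; the SAMPLE_CONFIG text below is constructed.

# Print the path of a readable kernel config for the running kernel, or nothing.
# (Assumption: one of these two locations exists on the domU.)
kernel_config_source() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

# Read a kernel .config on stdin and print every required option that is
# neither =y nor =m. Returns 0 when all are present, 1 when any is missing.
missing_netfilter_options() {
    required="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT"
    missing=0
    cfg=$(cat)
    for opt in $required; do
        case "$(printf '%s\n' "$cfg" | grep "^$opt=" | head -n 1)" in
            "$opt=y"|"$opt=m") ;;
            *) echo "$opt"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed config excerpt: networking is on, but the iptables core and the
# filter table are not built, which is what "Table does not exist" looks like.
SAMPLE_CONFIG='CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETFILTER=y
# CONFIG_IP_NF_IPTABLES is not set
CONFIG_IP_NF_NAT=m
'

# Stand-alone run: inspect the running kernel if its config is readable,
# otherwise show the check against the constructed sample.
src=$(kernel_config_source)
if [ -n "$src" ]; then
    case "$src" in *.gz) zcat "$src" ;; *) cat "$src" ;; esac | missing_netfilter_options \
        && echo "kernel $(uname -r): required netfilter options present" \
        || echo "kernel $(uname -r): the options listed above are missing"
else
    printf '%s' "$SAMPLE_CONFIG" | missing_netfilter_options \
        || echo "(sample config) the options listed above are missing"
fi
```

If the script lists anything, the fix is the one Falko gives: a domU kernel built with those options, not a change to the rules on dom0. Note that the dom0 DNAT in this thread does not depend on the domU having iptables at all; the domU only needs a working network stack to receive the forwarded packets.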
amussa
19th August 2006, 14:53
Hi,
vm01:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:38:F6:5F
inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:906 (906.0 b) TX bytes:549 (549.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:280 (280.0 b) TX bytes:280 (280.0 b)
vm01:~#
falko
20th August 2006, 18:52
Did you change /etc/xen/xend-config.sxp as described on http://www.howtoforge.com/perfect_setup_xen3_debian_p6 ?
What's the output of cat /proc/sys/net/ipv4/ip_forward on dom0?
amussa
21st August 2006, 14:26
Hi Falko,
root@cust131-43:amussa# cat /proc/sys/net/ipv4/ip_forward
1
root@cust131-43:amussa#
Yes, /etc/xen/xend-config.sxp is as you say in the tutorial:
#(network-script network-bridge)
#(vif-script vif-bridge)
(network-script network-nat)
(vif-script vif-nat)
falko
22nd August 2006, 14:25
Looks ok. Was there any firewall running on dom0 when you inserted the iptables forward rules?
amussa
22nd August 2006, 14:44
Hi,
Thanks for your patience. Here are my firewall rules:
root@cust131-43:amussa# iptables -L -nv
Chain INPUT (policy ACCEPT 4589K packets, 1067M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 325 packets, 148K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.0.0.1 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67
0 0 ACCEPT all -- * * 10.0.0.2 0.0.0.0/0 PHYSDEV match --physdev-in vif6.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif6.0 udp spt:68 dpt:67
Chain OUTPUT (policy ACCEPT 4404K packets, 932M bytes)
pkts bytes target prot opt in out source destination
root@cust131-43:amussa#
root@cust131-43:amussa# iptables -L -t nat -nv
Chain PREROUTING (policy ACCEPT 531 packets, 64813 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.0.0.1:8080
Chain POSTROUTING (policy ACCEPT 47026 packets, 2822K bytes)
pkts bytes target prot opt in out source destination
4460 281K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 51475 packets, 3102K bytes)
pkts bytes target prot opt in out source destination
root@cust131-43:amussa#
falko
23rd August 2006, 16:08
Please start dom0 without any firewall rules and then add your forwarding rules and test again.
amussa
27th September 2006, 21:38
I solved part of the problem.
Now I can access the vm01 http page from the outside if I use the same port (80).
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
When I try to redirect from the outside port 8080 to the vm01 port 80, I don't get a connection.
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8080 -j DNAT --to 10.0.0.1:80
Is there any problem with DNAT? I read the netfilter tutorial and it says this is possible.
Thanks for any help.
falko
28th September 2006, 22:27
Did you restart the system? Maybe your old firewall rule is conflicting with your new one.
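Falko's suspicion can be checked directly on dom0 from `iptables-save` output: nat PREROUTING rules are matched top to bottom, so if the earlier `--dport 8080 ... --to 10.0.0.1:8080` rule is still loaded, it wins over any rule for 8080 appended after it. The script below is an added example, not part of the thread; it assumes the public interface is eth0 and the domU is 10.0.0.1 as in the posts, and the `iptables-save` excerpt it checks is constructed to reproduce that situation (the real output would come from `iptables-save | count_dnat_for_port 8080`).

```shell
#!/bin/sh
# Added example, not from the thread: find conflicting DNAT rules for a port and
# emit a minimal, reviewable rule set for forwarding a public port to a domU.
# Assumptions: public interface eth0, domU at 10.0.0.1; SAMPLE_SAVE is constructed.

# Emit (do not apply) the dom0 rules that forward tcp port $2 on interface $1
# to $3:$4. Printed so they can be read before being run as root.
dnat_rules() {
    pubif=$1; dport=$2; domu=$3; dstport=$4
    cat <<EOF
iptables -t nat -A PREROUTING -i $pubif -p tcp --dport $dport -j DNAT --to-destination $domu:$dstport
iptables -A FORWARD -i $pubif -p tcp -d $domu --dport $dstport -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $pubif -j MASQUERADE
EOF
}

# Count nat PREROUTING DNAT rules (iptables-save format on stdin) matching
# tcp dport $1. More than one means only the first is ever hit.
count_dnat_for_port() {
    awk -v p="$1" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport" && $(i + 1) == p) n++
        }
        END { print n + 0 }'
}

# Print the --to-destination of the DNAT rule that actually matches dport $1,
# i.e. the first one in PREROUTING order.
first_dnat_target_for_port() {
    awk -v p="$1" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == "--dport" && $(i + 1) == p) hit = 1
            if (hit)
                for (i = 1; i <= NF; i++)
                    if ($i == "--to-destination") { print $(i + 1); exit }
        }'
}

# Constructed iptables-save excerpt: the old 8080->8080 rule is still loaded
# when the 80->80 and 8080->80 rules from the later post are appended.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [531:64813]
:POSTROUTING ACCEPT [47026:2822000]
:OUTPUT ACCEPT [51475:3102000]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Stand-alone run against the constructed sample.
n=$(printf '%s\n' "$SAMPLE_SAVE" | count_dnat_for_port 8080)
first=$(printf '%s\n' "$SAMPLE_SAVE" | first_dnat_target_for_port 8080)
echo "DNAT rules for dport 8080: $n (the one that matches sends to $first)"
echo "Rules to apply on dom0 once stale ones are removed:"
dnat_rules eth0 8080 10.0.0.1 80
```

When the count is above one, delete the stale rule with the same arguments it was added with (`iptables -t nat -D PREROUTING -p tcp --dport 8080 -j DNAT --to 10.0.0.1:8080`), or flush the table with `iptables -t nat -F` and reload only the intended rules, and then test again. The emitted FORWARD rules are only needed if the FORWARD chain policy is not ACCEPT; in the output posted above it is, so DNAT plus MASQUERADE is sufficient on that host.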