HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   HOWTO-Related Questions (http://www.howtoforge.com/forums/forumdisplay.php?f=2)
-   -   The Perfect Xen 3.0 Setup For Debian - virtual network problem (http://www.howtoforge.com/forums/showthread.php?t=3713)

rsacon 14th April 2006 15:39

The Perfect Xen 3.0 Setup For Debian - virtual network problem
 
I followed the tutorial step by step on a box I just rented at an ISP. Everything went fine (including network connectivity) until I reached the last part with the virtual local network.

The VMs can reach each other and reach the Internet from their 10.0.0.x network, but after putting in the NAT rules I still can't access any running service such as SSH from the Internet. Is there any step missing in the tutorial or am I doing something wrong? And there is a difference when I add the NAT rules. Without them I immediately get a connection refused error; with the NAT rules it just keeps hanging.

For now, I went back to the bridged connection, but I really hope to get the private local network running.

Thanks in advance for any advice.

falko 15th April 2006 15:21

Can you post the NAT rules you're using?

rsacon 15th April 2006 22:44

These were my NAT settings:


more /etc/network/if-up.d/iptables:

#!/bin/sh

### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6678 -j DNAT --to 10.0.0.1:22
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6679 -j DNAT --to 10.0.0.2:22

falko 16th April 2006 14:54

Did you
Code:

chmod 755 /etc/network/if-up.d/iptables
(so that the file is executed at system startup)? Is eth0 your network device on dom0?

rsacon 17th April 2006 22:25

Yes to both of your questions, see below. I still couldn't figure out why it doesn't work. Any ideas how to troubleshoot this problem?

debian:/home/saccon# ls -la /etc/network/if-up.d/iptables
-rwxr-xr-x 1 root root 282 2006-04-13 17:28 /etc/network/if-up.d/iptables

debian:/home/saccon# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:35:78:EF:C0
inet addr:72.232.68.66 Bcast:72.255.255.255 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:915 errors:0 dropped:0 overruns:0 frame:0
TX packets:758 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87754 (85.6 KiB) TX bytes:165024 (161.1 KiB)
Interrupt:17

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vif5.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2406 (2.3 KiB) TX bytes:1394 (1.3 KiB)

vif6.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:10.0.0.129 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1570 (1.5 KiB) TX bytes:248 (248.0 b)


regards
Roberto

falko 18th April 2006 11:22

What happens if you execute /etc/network/if-up.d/iptables? Run
Code:

/etc/network/if-up.d/iptables
on the shell as root.

Please make sure that file has Unix linebreaks, not Windows linebreaks.

rsacon 21st April 2006 07:57

Unfortunately nothing happens. And if I list all rules with iptables -L, I can't see them anywhere there.

rsacon 21st April 2006 08:03

I need to correct myself: I didn't specify the NAT table. With "iptables -L -t nat" I see:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:10.0.0.2:80
DNAT tcp -- anywhere anywhere tcp dpt:9641 to:10.0.0.1:22
DNAT tcp -- anywhere anywhere tcp dpt:9642 to:10.0.0.2:22


Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The filter table looks like:
---------------------

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif5.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif6.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif7.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif8.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

If I try to log in via ssh and sniff at the interface I get the following tcpdump:
----------------------------------------------------------------------------
debian:/etc/xen# tcpdump port 9641
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:19:33.294688 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: S 2159620162:2159620162(0) win 65535 <mss 1440 ,nop,nop,sackOK>
22:19:33.295608 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
22:19:33.505583 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:41.779922 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 1607211346:1607211387(41) ack 1780605239 win 5840
22:19:43.529954 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:19.530018 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:43.530011 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.nessus: P 1322618440:1322618481(41) ack 1471941687 win 5840
22:21:07.529963 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:21:17.779923 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 0:41(41) ack 1 win 5840
.......

Now I have all the data but I still can't see what exactly is wrong ..

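The posted if-up.d script only adds the three DNAT rules, and the listings above show what else is on dom0 (a MASQUERADE rule and the physdev rules xend adds to FORWARD). The script below is an added example, not the thread's own script or anything from the HowtoForge tutorial: it generates the same port map as a reviewable rule set, adds the FORWARD rules that DNAT still depends on, and checks the prerequisites falko asks about (executable bit, Unix line endings, and IP forwarding). It assumes eth0 is dom0's public interface and 10.0.0.0/24 is the domU network; WAN_IF, DOMU_NET, PORT_MAP, gen_rules, check_prereqs and apply_rules are names chosen for this example.

```shell
#!/bin/sh
# Added example (not the thread's script): dom0 NAT/forwarding rules for the
# port map posted above, plus the FORWARD rules and prerequisite checks that
# the posted script leaves out. Assumed: eth0 is public, domUs are 10.0.0.0/24.

WAN_IF="${WAN_IF:-eth0}"            # public interface on dom0 (assumption)
DOMU_NET="${DOMU_NET:-10.0.0.0/24}"  # private domU network (assumption)

# Port map from the thread: "<public dport> <domU ip> <domU port>" per line.
PORT_MAP='80 10.0.0.2 80
6678 10.0.0.1 22
6679 10.0.0.2 22'

# gen_rules prints the iptables commands instead of running them, so the rule
# set can be reviewed (or tested) without touching a live firewall.
gen_rules() {
    # NAT table: rewrite inbound public ports, hide domUs behind dom0 outbound.
    echo "$PORT_MAP" | while read -r dport ip port; do
        [ -n "$dport" ] || continue
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $dport -j DNAT --to-destination $ip:$port"
    done
    echo "iptables -t nat -A POSTROUTING -s $DOMU_NET -o $WAN_IF -j MASQUERADE"

    # Filter table: DNAT only rewrites the destination; the packet must still
    # pass FORWARD. Admit replies, domU-originated traffic and mapped ports only.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $DOMU_NET -o $WAN_IF -j ACCEPT"
    echo "$PORT_MAP" | while read -r dport ip port; do
        [ -n "$dport" ] || continue
        echo "iptables -A FORWARD -i $WAN_IF -d $ip -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Anything else arriving from the public side for the domU network is
    # logged and dropped, so an unmapped port never reaches a guest.
    echo "iptables -A FORWARD -i $WAN_IF -d $DOMU_NET -j LOG --log-prefix 'xen-fwd-drop: '"
    echo "iptables -A FORWARD -i $WAN_IF -d $DOMU_NET -j DROP"
}

# check_prereqs reports the conditions the thread checks by hand: the script
# is executable, has Unix line endings, and dom0 forwards between interfaces.
check_prereqs() {
    status=0
    if [ -n "$1" ]; then
        [ -x "$1" ] || { echo "not executable: $1"; status=1; }
        if grep -q "$(printf '\r')" "$1" 2>/dev/null; then
            echo "Windows line endings in $1 (fix with: sed -i 's/\r\$//' $1)"; status=1
        fi
    fi
    if [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" != 1 ]; then
        echo "ip_forward is 0: DNAT rewrites the address but dom0 will not forward the packet"; status=1
    fi
    return $status
}

# apply_rules runs the generated commands; --dry-run only prints them.
apply_rules() {
    if [ "$1" = "--dry-run" ]; then gen_rules; return 0; fi
    check_prereqs "$0" || return 1
    gen_rules | sh -e
}

case "$1" in
    --dry-run|"") apply_rules --dry-run ;;
    --apply) apply_rules ;;
esac
```

Run it with no argument (or --dry-run) to print the rule set for review, and with --apply as root to load it. The rules are appended with -A, so xend's own physdev ACCEPT rules for the vif interfaces stay ahead of the trailing DROP, and that DROP only matches traffic arriving on eth0 for the domU network, so guest-to-guest and guest-to-Internet traffic is unaffected. The ip_forward check is there because the thread's listings show only the NAT and filter tables; whether /proc/sys/net/ipv4/ip_forward is 1 is not visible in them.
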
falko 21st April 2006 11:31

Can you ping 10.0.0.2 from 10.0.0.1 and vice versa? Can you ping dom0 from a domU and vice versa?

rsacon 21st April 2006 13:26

Yes, I can ping from one VM to the other, from the VM to the public IP on dom0, and from dom0 to the VM.

It's really strange.


All times are GMT +2. The time now is 12:40.
