
18th August 2006, 03:23
Junior Member
Join Date: Aug 2006
Posts: 6
The Perfect Xen 3.0 Setup For Debian - NAT problem
Hi Falko,
First, I wanna thank you for the great tutorial.
The only problem I got is that port forwarding from dom0 to vm01 is not working.
I installed Apache on vm01 and I did a port forward on dom0, but I still cannot access vm01 from the outside.
Quote:
iptables -A PREROUTING -t nat -p tcp --dport 8080 -j DNAT --to 10.0.0.1:8080
I also found that there is a problem with iptables on vm01. Could this be the reason NAT is not working? If yes, I've already read your answer on http://www.howtoforge.com/forums/showthread.php?t=4085, and I would like to know how I can make sure that iptables is correctly enabled for the domU kernel.
Quote:
vm01:~# iptables -L
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Thanks
Akil Mussá

19th August 2006, 13:13
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,665
Quote:
Originally Posted by amussa
The only problem I got is that port forwarding from dom0 to vm01 is not working.
I installed Apache on vm01 and I did a port forward on dom0, but I still cannot access vm01 from the outside.
What's the output of on vm01?
Quote:
Originally Posted by amussa
I also found that there is a problem with iptables on vm01. Could this be the reason NAT is not working? If yes, I've already read your answer on http://www.howtoforge.com/forums/showthread.php?t=4085, and I would like to know how I can make sure that iptables is correctly enabled for the domU kernel.
This means that the domU kernel doesn't support iptables. Did you compile the domU kernel yourself, or did you install the pre-compiled Xen kernel? The latter one doesn't support iptables.

19th August 2006, 13:53
Junior Member
Hi,
Code:
vm01:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:38:F6:5F
inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:906 (906.0 b) TX bytes:549 (549.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:280 (280.0 b) TX bytes:280 (280.0 b)
vm01:~#

20th August 2006, 17:52
Super Moderator
Did you change /etc/xen/xend-config.sxp as described on http://www.howtoforge.com/perfect_setup_xen3_debian_p6 ?
What's the output of
Code:
cat /proc/sys/net/ipv4/ip_forward
on dom0?

21st August 2006, 13:26
Junior Member
Hi Falko,
Code:
root@cust131-43:amussa# cat /proc/sys/net/ipv4/ip_forward
1
root@cust131-43:amussa#
Yes, /etc/xen/xend-config.sxp is as you say in the tutorial:
Code:
#(network-script network-bridge)
#(vif-script vif-bridge)
(network-script network-nat)
(vif-script vif-nat)
Last edited by amussa; 21st August 2006 at 13:29.

22nd August 2006, 13:25
Super Moderator
Looks ok. Was there any firewall running on dom0 when you inserted the iptables forward rules?

22nd August 2006, 13:44
Junior Member
Hi,
Thanks for your patience. Here are my firewall rules:
Code:
root@cust131-43:amussa# iptables -L -nv
Chain INPUT (policy ACCEPT 4589K packets, 1067M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 325 packets, 148K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 10.0.0.1 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif5.0 udp spt:68 dpt:67
0 0 ACCEPT all -- * * 10.0.0.2 0.0.0.0/0 PHYSDEV match --physdev-in vif6.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif6.0 udp spt:68 dpt:67
Chain OUTPUT (policy ACCEPT 4404K packets, 932M bytes)
pkts bytes target prot opt in out source destination
root@cust131-43:amussa#
root@cust131-43:amussa# iptables -L -t nat -nv
Chain PREROUTING (policy ACCEPT 531 packets, 64813 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.0.0.1:8080
Chain POSTROUTING (policy ACCEPT 47026 packets, 2822K bytes)
pkts bytes target prot opt in out source destination
4460 281K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 51475 packets, 3102K bytes)
pkts bytes target prot opt in out source destination
root@cust131-43:amussa#
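
The listing above carries per-rule packet counters, and the DNAT rule for port 8080 shows 0 packets, so no connection has matched it since it was added. As an added example (not part of the original thread), this script picks zero-hit rules and DNAT mappings out of `iptables -L -nv` output; the function names are made up for illustration and the sample input is the nat-table listing copied from the post.

```shell
#!/bin/sh
# Added example: both functions read `iptables -L [-t nat] -nv` output on stdin.

# Print every rule whose packet counter is still 0, prefixed by its chain.
zero_hit_rules() {
  awk '
    $1 == "Chain" { chain = $2; next }   # "Chain PREROUTING (policy ...)"
    $1 == "pkts"  { next }               # column header line
    NF >= 9 && $1 == "0" {
      line = chain ": " $3 " " $4 " in=" $6 " out=" $7
      for (i = 10; i <= NF; i++) line = line " " $i   # match/target options
      print line
    }'
}

# Print each DNAT mapping as "<dest port> -> <target> pkts=<count>".
dnat_mappings() {
  awk '
    $3 == "DNAT" {
      dpt = ""; to = ""
      for (i = 10; i <= NF; i++) {
        if ($i ~ /^dpt:/) dpt = substr($i, 5)
        if ($i ~ /^to:/)  to  = substr($i, 4)
      }
      print dpt " -> " to " pkts=" $1
    }'
}

# Sample input: the nat-table listing from the post above.
sample_nat_listing() {
  cat <<'EOF'
Chain PREROUTING (policy ACCEPT 531 packets, 64813 bytes)
 pkts bytes target prot opt in out source destination
 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.0.0.1:8080
Chain POSTROUTING (policy ACCEPT 47026 packets, 2822K bytes)
 pkts bytes target prot opt in out source destination
 4460 281K MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 51475 packets, 3102K bytes)
 pkts bytes target prot opt in out source destination
EOF
}

sample_nat_listing | zero_hit_rules
sample_nat_listing | dnat_mappings
```

On dom0 the same functions can be fed live output, for example `iptables -L -t nat -nv | zero_hit_rules`, before and after a connection attempt from outside to see whether the counter moves.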

23rd August 2006, 15:08
Super Moderator
Please start dom0 without any firewall rules and then add your forwarding rules and test again.

27th September 2006, 20:38
Junior Member
I solved part of the problem.
Now I can access the vm01 http page from the outside if I use the same port (80).
Code:
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.1:80
When I try to redirect from the outside port 8080 to the vm01 port 80, I don't have a connection.
Code:
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 8080 -j DNAT --to 10.0.0.1:80
Is there any problem with DNAT? I read the netfilter tutorial and they say it is possible.
Thanks for any help.

28th September 2006, 21:27
Super Moderator
Did you restart the system? Maybe your old firewall rule is conflicting with your new one.