
14th April 2006, 15:39 | Junior Member | Join Date: Apr 2006 | Posts: 7 | Thanks: 0 | Thanked 0 Times in 0 Posts
The Perfect Xen 3.0 Setup For Debian - virtual network problem
I followed the tutorial step by step on a box I just rented at an ISP. Everything went fine (including network connectivity) until I reached the last part with the virtual local network.
The VMs can reach each other and reach the Internet from their 10.0.0.x network, but after putting in the NAT rules I still can't access any running service such as SSH from the Internet. Is there any step missing in the tutorial or am I doing something wrong? And there is a difference when I add the NAT rules. Without them I immediately get a connection refused error; with the NAT rules it just keeps hanging.
For now, I went back to the bridged connection, but I really hope to get the private local network running.
Thanks in advance for any advice.

15th April 2006, 15:21 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665 | Thanks: 1,896 | Thanked 2,591 Times in 2,443 Posts
Can you post the NAT rules you're using?

15th April 2006, 22:44 | Junior Member
These were my NAT settings:
more /etc/network/if-up.d/iptables:
Code:
#!/bin/sh
### Port Forwarding ###
# public port 80 on eth0 -> web server in the domU at 10.0.0.2
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.2:80
# public port 6678 on eth0 -> SSH in the domU at 10.0.0.1
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6678 -j DNAT --to 10.0.0.1:22
# public port 6679 on eth0 -> SSH in the domU at 10.0.0.2
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6679 -j DNAT --to 10.0.0.2:22
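Later in the thread the loaded PREROUTING chain shows different external ports (9641/9642) from the ones in this script (6678/6679), which is exactly the kind of drift between "the file I edited" and "the rules the kernel actually has" that is worth checking mechanically. The following is an added example and not code from the thread or from the tutorial: it parses the if-up.d script and the output of `iptables -t nat -L PREROUTING -n` (numeric output is assumed so ports print as numbers rather than names such as `www`), reports forwards that are in one but not the other, and checks the `ip_forward` sysctl that DNAT to a domU depends on. The sample script and listing are constructed for the example; the regular expressions assume the exact rule shape posted above.

```python
import re
import subprocess

# Rule shape used by the if-up.d script in the thread; any other line is ignored.
SCRIPT_RULE_RE = re.compile(
    r"iptables\s+-A\s+PREROUTING\s+-t\s+nat\s+-p\s+tcp\s+-i\s+(?P<iface>\S+)\s+"
    r"--dport\s+(?P<dport>\d+)\s+-j\s+DNAT\s+--to\s+(?P<to>[\d.]+:\d+)"
)

# One rule line of `iptables -t nat -L PREROUTING -n`. Numeric output is assumed
# so that ports appear as numbers (dpt:80) rather than service names (dpt:www).
LISTING_RULE_RE = re.compile(
    r"^DNAT\s+tcp\s+--\s+\S+\s+\S+\s+tcp dpt:(?P<dport>\d+)\s+to:(?P<to>[\d.]+:\d+)"
)


def intended_forwards(script_text):
    """(dport, 'ip:port') pairs the script is meant to install."""
    return {(m["dport"], m["to"]) for m in SCRIPT_RULE_RE.finditer(script_text)}


def loaded_forwards(listing_text):
    """(dport, 'ip:port') pairs actually present in the kernel's nat PREROUTING chain."""
    found = set()
    for line in listing_text.splitlines():
        m = LISTING_RULE_RE.match(line.strip())
        if m:
            found.add((m["dport"], m["to"]))
    return found


def compare(script_text, listing_text):
    """Differences between the script and the live table, in both directions."""
    want = intended_forwards(script_text)
    have = loaded_forwards(listing_text)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


def forwarding_enabled(ip_forward_text):
    """DNAT to a domU needs routing on dom0: /proc/sys/net/ipv4/ip_forward must read 1."""
    return ip_forward_text.strip() == "1"


# Constructed sample: the script as posted, and a listing that mirrors the thread's
# later `iptables -L -t nat` output rendered numerically (9641/9642, not 6678/6679).
SAMPLE_SCRIPT = """\
#!/bin/sh
### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6678 -j DNAT --to 10.0.0.1:22
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 6679 -j DNAT --to 10.0.0.2:22
"""

SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.0.2:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9641 to:10.0.0.1:22
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9642 to:10.0.0.2:22
"""


def live_state():
    """Read the real values on a dom0 (needs root). Not used by the sample run below."""
    listing = subprocess.run(["iptables", "-t", "nat", "-L", "PREROUTING", "-n"],
                             capture_output=True, text=True, check=True).stdout
    with open("/proc/sys/net/ipv4/ip_forward") as fh:
        ip_forward = fh.read()
    return listing, ip_forward


if __name__ == "__main__":
    diff = compare(SAMPLE_SCRIPT, SAMPLE_LISTING)
    print("forwarding enabled:", forwarding_enabled("1\n"))
    print("in script but not loaded:", diff["missing"])
    print("loaded but not in script:", diff["unexpected"])
```

On a real dom0, replace the two sample strings with the script file's contents and the pair returned by `live_state()`. The comparison only covers the DNAT rules; it does not inspect the FORWARD chain, which in this thread has policy ACCEPT and therefore does not block the forwarded connections.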

16th April 2006, 14:54 | Super Moderator
Did you
Code:
chmod 755 /etc/network/if-up.d/iptables
(so that the file is executed at system startup)? Is eth0 your network device on dom0?

17th April 2006, 22:25 | Junior Member
Yes to both of your questions, see below. I still couldn't figure out why it doesn't work. Any ideas how to troubleshoot this problem?
debian:/home/saccon# ls -la /etc/network/if-up.d/iptables
-rwxr-xr-x 1 root root 282 2006-04-13 17:28 /etc/network/if-up.d/iptables
debian:/home/saccon# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:35:78:EF:C0
inet addr:72.232.68.66 Bcast:72.255.255.255 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:915 errors:0 dropped:0 overruns:0 frame:0
TX packets:758 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87754 (85.6 KiB) TX bytes:165024 (161.1 KiB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
vif5.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:10.0.0.128 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35 errors:0 dropped:0 overruns:0 frame:0
TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2406 (2.3 KiB) TX bytes:1394 (1.3 KiB)
vif6.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:10.0.0.129 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1570 (1.5 KiB) TX bytes:248 (248.0 b)
regards
Roberto

18th April 2006, 11:22 | Super Moderator
What happens if you execute /etc/network/if-up.d/iptables? Run
Code:
/etc/network/if-up.d/iptables
on the shell as root.
Please make sure that file has Unix linebreaks, not Windows linebreaks.

21st April 2006, 07:57 | Junior Member
Unfortunately nothing happens. And if I list all rules with iptables -L, I can't see them anywhere there.

21st April 2006, 08:03 | Junior Member
I need to correct myself: I didn't specify the NAT table. With "iptables -L -t nat" I see:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:10.0.0.2:80
DNAT tcp -- anywhere anywhere tcp dpt:9641 to:10.0.0.1:22
DNAT tcp -- anywhere anywhere tcp dpt:9642 to:10.0.0.2:22
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The filter table looks like:
---------------------
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif5.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif6.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif7.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif8.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If I try to log in via ssh and sniff on the interface, I get the following tcpdump:
----------------------------------------------------------------------------
debian:/etc/xen# tcpdump port 9641
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:19:33.294688 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: S 2159620162:2159620162(0) win 65535 <mss 1440 ,nop,nop,sackOK>
22:19:33.295608 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
22:19:33.505583 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:41.779922 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 1607211346:1607211387(41) ack 1780605239 win 5840
22:19:43.529954 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:19.530018 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:43.530011 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.nessus: P 1322618440:1322618481(41) ack 1471941687 win 5840
22:21:07.529963 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:21:17.779923 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 0:41(41) ack 1 win 5840
.......
Now I have all the data but I still can't see what exactly is wrong.
Last edited by rsacon; 21st April 2006 at 08:26.
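In the capture above the three-way handshake completes (SYN, SYN-ACK, client ACK), so the forwarded SYN is reaching something that answers on port 9641, but the server's 41-byte data segment `1:42(41)` is then retransmitted again and again without the client ever acknowledging it. The following is an added example, not code from the thread: a Python parser for this classic tcpdump TCP line format that groups packets into flows by client endpoint, records whether the handshake completed, and lists server segments that were retransmitted without acknowledgement. The input lines are constructed with documentation addresses and contain one stuck flow shaped like the one in the thread plus one healthy flow for contrast; the service port is a parameter, as with `tcpdump port 9641`.

```python
import re
from collections import Counter, defaultdict

# Classic tcpdump TCP lines, as printed in the thread:
#   22:19:33.294688 IP a.b.c.1277 > x.y.z.9641: S 2159620162:2159620162(0) win 65535 <mss 1440,...>
#   22:19:33.504404 IP a.b.c.1277 > x.y.z.9641: . ack 1 win 65535
#   22:19:33.505583 IP x.y.z.9641 > a.b.c.1277: P 1:42(41) ack 1 win 5840
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq0>\d+):(?P<seq1>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)


def parse_line(line):
    """Return a dict for one TCP line, or None for lines that are not TCP packets."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    p = m.groupdict()
    p["src_host"], p["src_port"] = p["src"].rsplit(".", 1)
    p["dst_host"], p["dst_port"] = p["dst"].rsplit(".", 1)
    for key in ("seq0", "seq1", "len", "ack"):
        p[key] = int(p[key]) if p[key] is not None else None
    return p


def analyze(lines, service_port):
    """Group packets into flows keyed by the client endpoint (the side not on service_port)."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False,
                                 "server_segments": Counter(), "client_max_ack": 0})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["dst_port"] == service_port:      # client -> server
            f = flows[p["src"]]
            if "S" in p["flags"] and p["ack"] is None:
                f["syn"] = True
            elif p["ack"] is not None:
                f["ack"] = True
                f["client_max_ack"] = max(f["client_max_ack"], p["ack"])
        elif p["src_port"] == service_port:    # server -> client
            f = flows[p["dst"]]
            if "S" in p["flags"] and p["ack"] is not None:
                f["synack"] = True
            elif p["len"]:
                f["server_segments"][(p["seq0"], p["seq1"])] += 1
    return flows


def diagnose(flows):
    """Per flow: did the handshake complete, and which server data segments were sent more
    than once and never covered by a client acknowledgement (relative sequence numbers)."""
    report = {}
    for client, f in flows.items():
        stuck = sorted((seg, n) for seg, n in f["server_segments"].items()
                       if n > 1 and seg[1] > f["client_max_ack"])
        report[client] = {
            "handshake_complete": f["syn"] and f["synack"] and f["ack"],
            "unacked_retransmitted": stuck,
        }
    return report


# Constructed sample (documentation addresses): flow from port 1277 is stuck like the one in
# the thread; flow from port 1300 acknowledges the same 41-byte segment and is healthy.
SAMPLE = """\
22:19:33.294688 IP 203.0.113.5.1277 > 198.51.100.7.9641: S 2159620162:2159620162(0) win 65535 <mss 1440,nop,nop,sackOK>
22:19:33.295608 IP 198.51.100.7.9641 > 203.0.113.5.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP 203.0.113.5.1277 > 198.51.100.7.9641: . ack 1 win 65535
22:19:33.505583 IP 198.51.100.7.9641 > 203.0.113.5.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP 198.51.100.7.9641 > 203.0.113.5.1277: P 1:42(41) ack 1 win 5840
22:19:43.529954 IP 198.51.100.7.9641 > 203.0.113.5.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP 198.51.100.7.9641 > 203.0.113.5.1277: P 1:42(41) ack 1 win 5840
22:20:01.100000 IP 203.0.113.5.1300 > 198.51.100.7.9641: S 100:100(0) win 65535 <mss 1440,nop,nop,sackOK>
22:20:01.101000 IP 198.51.100.7.9641 > 203.0.113.5.1300: S 200:200(0) ack 101 win 5840 <mss 1460,nop,nop,sackOK>
22:20:01.300000 IP 203.0.113.5.1300 > 198.51.100.7.9641: . ack 1 win 65535
22:20:01.301000 IP 198.51.100.7.9641 > 203.0.113.5.1300: P 1:42(41) ack 1 win 5840
22:20:01.500000 IP 203.0.113.5.1300 > 198.51.100.7.9641: . ack 42 win 65535
"""

if __name__ == "__main__":
    for client, r in diagnose(analyze(SAMPLE.splitlines(), "9641")).items():
        print(client, "handshake:", r["handshake_complete"],
              "retransmitted without ack:", r["unacked_retransmitted"])
```

A flow that reports a completed handshake together with a retransmitted, never-acknowledged server segment is one where the forwarding path works for the handshake but the client is not receiving (or not accepting) the server's data; that narrows the search to what happens to those data packets on the way out, rather than to the DNAT rules themselves. Feed it a real capture with `tcpdump -n port 9641 > cap.txt` and `analyze(open("cap.txt"), "9641")`.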

21st April 2006, 11:31 | Super Moderator
Can you ping 10.0.0.2 from 10.0.0.1 and vice versa? Can you ping dom0 from a domU and vice versa?

21st April 2006, 13:26 | Junior Member
Yes, I can ping from one VM to the other, from the VM to the public IP on dom0, and from dom0 to the VM.
It's really strange.