Re: [Fwbuilder-discussion] maybe local NAT problems due Xen related Network
From: <va...@vk...> - 2008-01-17 19:33:11
On Jan 16, 2008, at 7:32 AM, Denny Schierz wrote:

> hi,
>
> I'm running a single host with several IPs and some Xen guests.
>
> Let me explain it with an example: We have a guest for the mail server
> on port 25, 110 etc. The server has the IP »192.168.2.20« inside. The
> forwarding rule from the physical machine transmits every packet from
> the external IP »172.0.26.5« to the internal »192.168.2.20«.
>
> The SNAT rule changes the 192.168.2.20 to 172.0.26.5. Until here, it
> works perfectly. From the outside, the mail exchanger works.

That should be a DNAT rule.

> But, if you make a connection inside the mail server, to itself, then
> nothing happens.

What address does mx.domain.foo resolve to? Is it the internal or the
external address?

It sounds like you are trying to connect to the external address
(e.g. 172.0.26.5) from inside of your network (one of the machines
on 192.168.2).

This situation and a workaround are described in the Users Guide,
chapter 10 "Examples of Network Address Translation Rules",
"Destination NAT onto the same network".

> mx~# telnet mx.domain.foo 25 .....
> timeout
>
> The same, from the web server to mx:
>
> web~# telnet mx.domain.foo 25 .....
> "Hello and welcome to Mailserver"
>
> but:
>
> web~# telnet web.domain.foo 80 .....
> timeout
>
> Some logs, from mx to web:
>
> Web has 192.168.1.11
> MX has 192.168.1.12
>
> ---
>
> Jan 16 16:24:40 henrietta kernel: RULE 2 -- ACCEPT IN=xenintbr
> OUT=xenintbr PHYSIN=angelica.1 PHYSOUT=triela.1 SRC=192.168.1.12
> DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27669 DF
> PROTO=TCP SPT=45192 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Jan 16 16:24:40 henrietta kernel: RULE 2 -- ACCEPT IN=xenintbr
> OUT=xenintbr PHYSIN=angelica.1 PHYSOUT=triela.1 SRC=192.168.1.12
> DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=39596 DF
> PROTO=TCP SPT=45193 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Jan 16 16:24:40 henrietta kernel: RULE 2 -- ACCEPT IN=xenintbr
> OUT=xenintbr PHYSIN=angelica.1 PHYSOUT=triela.1 SRC=192.168.1.12
> DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11315 DF
> PROTO=TCP SPT=45194 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> and now, web to web:
>
> Jan 16 16:28:18 henrietta kernel: RULE 2 -- ACCEPT IN=xenintbr
> OUT=xenintbr PHYSIN=triela.1 PHYSOUT=triela.1 SRC=192.168.1.11
> DST=192.168.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14937 DF
> PROTO=TCP SPT=60036 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Rule 2 NAT:
>
> # Rule 2 (NAT)
> #
> # SNAT for Triela
> -A POSTROUTING -o eth0 -s 192.168.1.11 -j SNAT --to-source 78.47.171.131

This rule is for outbound translation from the web server; it will
translate the source address but will not translate the destination
address. This rule should have no relation to the problem you describe.

--vk
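The situation vk points to, a host on the internal network connecting to the external address that is DNATed back onto that same network, can be traced with the following added toy model. It is not code from this thread or from fwbuilder; the firewall's internal address 192.168.2.1 and the client addresses are assumptions, while 172.0.26.5 and 192.168.2.20 come from the thread.

```python
"""Toy model of the hairpin ("destination NAT onto the same network") problem.

Constructed scenario, not from the thread: hosts on the internal bridge
192.168.2.0/24 sit behind a Xen host that DNATs 172.0.26.5 to the mail
server 192.168.2.20.  The firewall's internal address is an assumption.
"""
from dataclasses import dataclass, replace

EXT_IP = "172.0.26.5"    # public address of the mail service (from the thread)
MX_INT = "192.168.2.20"  # mail server's internal address (from the thread)
FW_INT = "192.168.2.1"   # assumed internal address of the Xen host
LAN = "192.168.2."


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


def firewall_forward(pkt, hairpin_snat):
    """Translate a packet that enters the firewall (assumed rule set).

    PREROUTING:  -d 172.0.26.5 -j DNAT --to-destination 192.168.2.20
    POSTROUTING (the workaround, only when hairpin_snat is True):
        -s 192.168.2.0/24 -d 192.168.2.20 -j SNAT --to-source 192.168.2.1
    In a real rule set restrict the SNAT to hairpinned connections, e.g.
    with -m conntrack --ctstate DNAT, so direct LAN traffic keeps its source.
    """
    if pkt.dst == EXT_IP:
        pkt = replace(pkt, dst=MX_INT)
    if hairpin_snat and pkt.src.startswith(LAN) and pkt.dst == MX_INT:
        pkt = replace(pkt, src=FW_INT)
    return pkt


def connect(client, hairpin_snat):
    """A LAN client opens a TCP connection to EXT_IP.

    Returns the server's reply as the client sees it, or None when the
    client discards it (the 'timeout' reported in the thread)."""
    fwd = firewall_forward(Pkt(client, EXT_IP), hairpin_snat)
    synack = Pkt(fwd.dst, fwd.src)  # the server answers whoever it saw
    if synack.dst == FW_INT:
        # Reply returns through the firewall, whose conntrack entry undoes
        # both translations before delivering it to the client.
        synack = Pkt(EXT_IP, client)
    # Otherwise the reply is bridged straight from 192.168.2.20 to the
    # client, bypassing the firewall.  The client is waiting on a
    # connection to 172.0.26.5, so a SYN/ACK from 192.168.2.20 matches
    # nothing and is dropped.
    return synack if synack.src == EXT_IP else None
```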