Re: [lvs-users] LVS + Xen + NAT

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] LVS + Xen + NAT
From: Josh Mullis <josh.mullis@xxxxxxx>
Date: Wed, 17 Sep 2008 14:08:21 -0400
Here is my output from iptables-save:

*nat
:PREROUTING ACCEPT [27179:4272858]
:POSTROUTING ACCEPT [16:1385]
:OUTPUT ACCEPT [1108:71364]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE 
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Wed Sep 17 10:06:31 2008
# Generated by iptables-save v1.3.5 on Wed Sep 17 10:06:31 2008
*filter
:INPUT ACCEPT [62014:18360950]
:FORWARD ACCEPT [17874:8946362]
:OUTPUT ACCEPT [13921:2216511]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT 
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT 
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT 
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT 
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -s 192.168.122.10 -m physdev  --physdev-in vif2.0 -j ACCEPT 
-A FORWARD -p udp -m physdev  --physdev-in vif2.0 -m udp --sport 68 --dport 67 -j ACCEPT 
COMMIT



On Wed, 2008-09-17 at 13:29 -0400, David Dyer-Bennet wrote:
> 
> On Wed, September 17, 2008 12:22, Josh Mullis wrote:
> > I actually expected to see some different rules than what I have.
> > Not sure what I need to add.
> >
> > Here are my current tables.
> > (Spaces replaced with -'s for formatting)
> >
> > iptables -L
> 
> Try iptables-save to see *all* the tables (in an incompatible format).
> 
> I'm still struggling with my own setup (with similar goals and
> constraints, xen + lvs NAT), but once I got packets directed in, they
> came back out okay.
> 
> The default route on each of the realserver "systems" (quotes to
> remind us that they may be xen guests not physical systems) needs to be
> set to the private net virtual IP of the LVS system -- I've deleted
> enough reading up to here that I can't now go back and check if you
> have that set right.
> 
> And the LVS NAT works *only* for packets routed in by the LVS; the
> realservers can't initiate outgoing connections beyond the private LAN
> (unless you turn on ordinary NAT on the LVS, which is not the same
> thing as LVS NAT).
> 
> --
> David Dyer-Bennet, dd-b@xxxxxxxx; http://dd-b.net/
> Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
> Photos: http://dd-b.net/photography/gallery/
> Dragaera: http://dragaera.info
> 
> 
> _______________________________________________
> LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
> 
> 
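
The ruleset Josh posted, run through a small audit script. This is an added example, not code from the post or from the LVS project. It parses iptables-save output (the format David suggests looking at) and reports the things worth checking before relying on "ordinary NAT" on an LVS-NAT director: whether the FORWARD default policy forwards anything no rule rejects, and whether a MASQUERADE rule carries no -s restriction and so rewrites every forwarded packet leaving that interface rather than only the realservers' traffic. It also flags rules that can never match because an earlier interface-only REJECT or ACCEPT in the same chain already terminates traversal, which is how a later vif2.0 rule would silently lose if it were ever written against virbr0. The embedded ruleset is the nat and filter tables from the post with the two wrapped lines joined and the four INPUT rules left out; the extra rule used to trigger the shadowing check is constructed and is not in the post.

```python
from collections import defaultdict

# The nat and filter tables from the iptables-save output posted above, with
# the two wrapped rule lines joined; the four INPUT rules (DNS/DHCP on virbr0)
# are omitted because they play no part in forwarding.
POSTED_RULESET = """\
*nat
:PREROUTING ACCEPT [27179:4272858]
:POSTROUTING ACCEPT [16:1385]
:OUTPUT ACCEPT [1108:71364]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [62014:18360950]
:FORWARD ACCEPT [17874:8946362]
:OUTPUT ACCEPT [13921:2216511]
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.122.10 -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif2.0 -m udp --sport 68 --dport 67 -j ACCEPT
COMMIT
"""

# Constructed variant (not from the post): one more FORWARD rule appended
# after the two interface-wide REJECTs, so the shadowing check has a hit.
SHADOWED_RULESET = POSTED_RULESET.replace(
    "--dport 67 -j ACCEPT\nCOMMIT\n",
    "--dport 67 -j ACCEPT\n-A FORWARD -i virbr0 -p tcp -m tcp --dport 80 -j ACCEPT\nCOMMIT\n")

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}  # targets that end chain traversal


def parse_rule(tokens):
    """Tokens after '-A CHAIN' -> {option: [values]}; '-m' may repeat, so values are lists.
    A '!' before an option is kept as a '!' prefix on the option name."""
    rule, negate, i = defaultdict(list), False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if not tok.startswith("-"):
            raise ValueError("unexpected token %r in %r" % (tok, " ".join(tokens)))
        key, negate = ("!" if negate else "") + tok.lstrip("-"), False
        # An option takes the next token as its value unless that is another option.
        if i + 1 < len(tokens) and tokens[i + 1] != "!" and not tokens[i + 1].startswith("-"):
            rule[key].append(tokens[i + 1])
            i += 2
        else:
            rule[key].append(True)
            i += 1
    return dict(rule)


def parse_iptables_save(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": {chain: [rule]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policy": {}, "rules": {}}
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("line outside a table: %r" % line)
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            tokens = line.split()
            tables[table]["rules"].setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
        else:
            raise ValueError("unrecognised line: %r" % line)
    return tables


def shadowed_rules(rules):
    """Indexes of rules that can never match: an earlier terminating rule in the chain
    constrains only -i/-o, and the later rule names the same interface(s)."""
    dead = []
    for idx, rule in enumerate(rules):
        for earlier in rules[:idx]:
            matches = {k: v for k, v in earlier.items() if k not in ("j", "reject-with")}
            if (earlier.get("j", [None])[0] in TERMINAL and matches
                    and set(matches) <= {"i", "o"}
                    and all(rule.get(k) == v for k, v in matches.items())):
                dead.append(idx)
                break
    return dead


def audit(tables):
    """What makes this host an ordinary NAT router, and which rules are dead."""
    filt = tables.get("filter", {"policy": {}, "rules": {}})
    nat = tables.get("nat", {"policy": {}, "rules": {}})
    report = {
        # ACCEPT policy: anything no rule rejects is forwarded, whatever interface it came in on.
        "forward_policy_accept": filt["policy"].get("FORWARD") == "ACCEPT",
        # MASQUERADE without -s rewrites every forwarded packet leaving that interface,
        # not only the realservers' traffic.
        "blanket_masquerade": [r.get("o", ["<any>"])[0]
                               for r in nat["rules"].get("POSTROUTING", [])
                               if r.get("j") == ["MASQUERADE"] and "s" not in r],
        "shadowed": {},
    }
    for tname, tbl in tables.items():
        for chain, rules in tbl["rules"].items():
            dead = shadowed_rules(rules)
            if dead:
                report["shadowed"][(tname, chain)] = dead
    return report


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULESET), ("constructed", SHADOWED_RULESET)):
        print(name, audit(parse_iptables_save(text)))
```

On the posted tables the audit reports the FORWARD policy as ACCEPT and `-A POSTROUTING -o eth0 -j MASQUERADE` as a blanket masquerade: together they make the director a general-purpose NAT router for anything that reaches it, which is more than the "ordinary NAT for realserver-initiated traffic" David describes; restricting that rule with `-s 192.168.122.0/24` (or the real realserver subnet) and ending FORWARD with a DROP policy keeps it to the intended hosts. The shadowing check returns nothing for the posted rules, because the vif2.0 rules match on physdev rather than virbr0.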

