Hi,

I have a fairly complex networking issue with Xen which I need to get running. My biggest problem obviously does not arise from Xen directly, but more from Linux networking, so I assume someone here might be able to help me. So, here we go:

Given hardware: I have one server with 4 public IPs which need to have the same MAC. Say, $mac for $ip1, $ip2, $ip3, $ip4. All IPs have subnet /24, with $ip3 and $ip4 residing in the same subnet, and $ip1 and $ip2 each in a different subnet.

I use the default Xen 3.0.1 setup, which creates a bridge, moves the real eth0 interface to that bridge and creates a virtual eth0 in every client. Now I have the problem that my provider only accepts ONE MAC. I solved this using ebtables:

server02:~# ebtables -t nat -L
Bridge table: nat

Bridge chain: PREROUTING, entries: 6, policy: ACCEPT
-p IPv4 -d $mac -i peth0 --ip-dst $2 -j dnat --to-dst 0:16:3e:0:16:1
-p ARP -d $mac -i peth0 --arp-ip-dst $2 -j dnat --to-dst 0:16:3e:0:16:1
-p IPv4 -d $mac -i peth0 --ip-dst $3 -j dnat --to-dst 0:16:3e:0:16:2
-p ARP -d $mac -i peth0 --arp-ip-dst $3 -j dnat --to-dst 0:16:3e:0:16:2
-p IPv4 -d $mac -i peth0 --ip-dst $4 -j dnat --to-dst 0:16:3e:0:16:3
-p ARP -d $mac -i peth0 --arp-ip-dst $4 -j dnat --to-dst 0:16:3e:0:16:3

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge chain: POSTROUTING, entries: 6, policy: ACCEPT
-p IPv4 -s 0:16:3e:0:16:1 -o peth0 --ip-src $2 -j snat --to-src $mac
-p ARP -s 0:16:3e:0:16:1 -o peth0 --arp-ip-src $2 -j snat --to-src $mac
-p IPv4 -s 0:16:3e:0:16:2 -o peth0 --ip-src $3 -j snat --to-src $mac
-p ARP -s 0:16:3e:0:16:2 -o peth0 --arp-ip-src $3 -j snat --to-src $mac
-p IPv4 -s 0:16:3e:0:16:3 -o peth0 --ip-src $4 -j snat --to-src $mac
-p ARP -s 0:16:3e:0:16:3 -o peth0 --arp-ip-src $4 -j snat --to-src $mac

This is basically SNAT at MAC level for $ip2, $ip3 and $ip4. $ip1 is the IP of the host, which inherits its MAC from the real hardware, which already has $mac. That works.
Everything up to here is (except for the MAC-NAT) Xen default. Xen creates the xenbr0 bridge, moves eth0 there (renamed to peth0) and connects a virtual eth0 in dom0.

Now I finally get to my problem. I need to create another bridge that I connect some guests to, and those guests have private IP addresses. Those should be NATed by the host. I tried:

- iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source $ip1
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- iptables -t nat -A POSTROUTING -o peth0 -s 192.168.1.0/24 -j SNAT --to-source $ip1
- iptables -t nat -A POSTROUTING -o peth0 -j MASQUERADE

None of these work. I can ping the guests from the host, and connect between them, but not to the outside world. If the guest sends DNS requests, they ARE translated to source=$ip1 and sent out. The DNS server replies to $ip1, which I can see by tcpdumping the real eth0. And those packets' destination MAC is really $mac, which means they should be delivered to the host, which should do NAT and forward them to the guest. However, that does not work. The DNS response never reaches the host; it does not even appear when tcpdumping the virtual eth0, neither correctly nor incorrectly. It simply doesn't. Can someone explain to me how I can get NAT working for one bridge, while it should not work for the other?

(Please, as my mailing list subscription seems not to be completed yet, send answers as a direct copy to me. Thanks.)

Regards,
Steffen
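As an added example, not code from Steffen's post, the following POSIX shell script generates the two rule sets the post describes as commands: the ebtables MAC-level NAT that lets several bridged guests share the single MAC the provider accepts, generalised to any number of guest IP/MAC pairs, and the iptables rules for a second, private bridge NATed through the host's public address. It also emits the forwarding pieces (net.ipv4.ip_forward and FORWARD-chain rules) that the posted iptables lines alone do not cover, since dom0 will not route between two bridges without them. The interface names (peth0, eth0, xenbr1), the guest MACs, the documentation-range public addresses and the private subnet are constructed values, not the poster's; by default it only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the ebtables
# MAC-NAT rules and the iptables rules for a private bridge as shell
# commands. All interface names and addresses are constructed; adjust them.

# Emit ebtables rules so that each guest IP/MAC pair is reachable while only
# PUBLIC_MAC ever appears on the wire on PHYS_IF.
# Usage: mac_nat_rules PUBLIC_MAC PHYS_IF "GUEST_IP GUEST_MAC" ...
mac_nat_rules() {
    public_mac=$1
    phys_if=$2
    shift 2
    for pair in "$@"; do
        guest_ip=${pair% *}
        guest_mac=${pair#* }
        # Inbound: frames arrive addressed to PUBLIC_MAC; re-address the ones
        # for guest_ip (IPv4 destination or ARP target) to the guest's MAC.
        echo "ebtables -t nat -A PREROUTING -p IPv4 -d $public_mac -i $phys_if --ip-dst $guest_ip -j dnat --to-dst $guest_mac"
        echo "ebtables -t nat -A PREROUTING -p ARP -d $public_mac -i $phys_if --arp-ip-dst $guest_ip -j dnat --to-dst $guest_mac"
        # Outbound: rewrite the guest's source MAC to PUBLIC_MAC. --snat-arp
        # additionally rewrites the sender hardware address inside the ARP
        # payload; the post's rules do not use it, it is a choice made here.
        echo "ebtables -t nat -A POSTROUTING -p IPv4 -s $guest_mac -o $phys_if --ip-src $guest_ip -j snat --to-src $public_mac"
        echo "ebtables -t nat -A POSTROUTING -p ARP -s $guest_mac -o $phys_if --arp-ip-src $guest_ip -j snat --to-src $public_mac --snat-arp"
    done
}

# Emit forwarding and NAT rules for a private bridge. The SNAT line is the
# shape the post uses; ip_forward and the FORWARD rules are added here
# because routing between bridges needs them regardless of the NAT rule.
# Usage: private_nat_rules PRIV_BR PRIV_NET OUT_IF PUBLIC_IP
private_nat_rules() {
    priv_br=$1
    priv_net=$2
    out_if=$3
    public_ip=$4
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Only the private subnet leaving via OUT_IF is translated; guests on the
    # public bridge keep their own addresses.
    echo "iptables -t nat -A POSTROUTING -s $priv_net -o $out_if -j SNAT --to-source $public_ip"
    echo "iptables -A FORWARD -i $priv_br -o $out_if -s $priv_net -j ACCEPT"
    echo "iptables -A FORWARD -i $out_if -o $priv_br -d $priv_net -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Print the generated commands (default), or execute them when DRY_RUN=0.
apply_rules() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        sh -e
    else
        cat
    fi
}

# Constructed sample values: documentation addresses and Xen-style
# (00:16:3e) guest MACs. eth0 is assumed to be the interface dom0 routes
# out of; peth0 the physical NIC moved onto the bridge.
PUBLIC_MAC=00:11:22:33:44:55
{
    mac_nat_rules "$PUBLIC_MAC" peth0 \
        "198.51.100.2 00:16:3e:00:16:01" \
        "203.0.113.3 00:16:3e:00:16:02" \
        "203.0.113.4 00:16:3e:00:16:03"
    private_nat_rules xenbr1 192.168.1.0/24 eth0 198.51.100.1
} | apply_rules
```

Run it once without DRY_RUN to read the rules, then with DRY_RUN=0 as root to apply them. The OUT_IF argument is the interface dom0 actually routes through; in the post's setup that is the virtual eth0 attached to xenbr0, and the poster reports having tried both eth0 and peth0, so if forwarding still fails after ip_forward and the FORWARD rules are in place, tcpdump on xenbr1 and on eth0 separately to see on which side the reply stops.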