iptables / NAT in Xen

In following these instructions to get Xen set up with a NAT configuration for guests, I encountered the classic error:

# iptables -L
FATAL: Module ip_tables not found.
iptables v1.3.6: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I can never remember what kernel options are necessary for NAT. They’re described in a post to xen-users here:

cd xen-unstable.hg
make linux-2.6-xen0-config

Networking --> Networking options --> Network packet filtering (replaces ipchains) --> Core Netfilter Configuration --> Netfilter Xtables support (required for ip_tables) and do enable all modules included in that as per your need.

Then go to - Networking --> Networking options --> Network packet filtering (replaces ipchains) --> IP: Netfilter Configuration --> IP tables support (required for filtering/masq/NAT)

You can only go to the second step after doing the first one.

make linux-2.6-xen0-build
make linux-2.6-xen0-install

The Perfect Xen Setup for Debian and Ubuntu has a nice explanation of how to set up iptables and port forwarding.

/etc/network/if-up.d/iptables:

#!/bin/sh

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

### Port Forwarding ###
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.3.2:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 192.168.3.3:25
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 110 -j DNAT --to 192.168.3.3:110

You must also `chmod 755 /etc/network/if-up.d/iptables`.
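
The script above uses `-A`, so every run appends another copy of each rule, and ifupdown runs the if-up.d scripts for each interface that `ifup` brings up. An idempotent variant, as an added example that is not from the original post or the tutorial it cites: it loads the same rules through `iptables-restore`, which replaces the nat table in one step, and acts only for the external interface. The function names are made up for this sketch, and it assumes nothing else on the host manages the nat table.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent variant of
# /etc/network/if-up.d/iptables. Interface, subnet and forwards are the
# page's values; the function names are hypothetical.
WAN_IF="eth0"
GUEST_NET="192.168.0.0/16"
# One entry per forward: proto:public_port:guest_ip:guest_port
FORWARDS="tcp:80:192.168.3.2:80 tcp:25:192.168.3.3:25 tcp:110:192.168.3.3:110"

# Print the whole nat table in iptables-restore format.
nat_ruleset() {
    printf '%s\n' "*nat"
    printf '%s\n' ":PREROUTING ACCEPT [0:0]"
    printf '%s\n' ":POSTROUTING ACCEPT [0:0]"
    printf '%s\n' ":OUTPUT ACCEPT [0:0]"
    printf '%s\n' "-A POSTROUTING -s $GUEST_NET -j MASQUERADE"
    for fwd in $FORWARDS; do
        old_ifs=$IFS; IFS=:
        set -- $fwd   # $1=proto $2=public port $3=guest IP $4=guest port
        IFS=$old_ifs
        printf '%s\n' "-A PREROUTING -i $WAN_IF -p $1 --dport $2 -j DNAT --to-destination $3:$4"
    done
    printf '%s\n' "COMMIT"
}

apply_nat() {
    # ifupdown exports IFACE to if-up.d scripts; do nothing for lo or any
    # other interface, so the rules are loaded for the external one only.
    [ "${IFACE:-}" = "$WAN_IF" ] || return 0
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables-restore flushes the table it loads, so a re-run replaces
    # the rules instead of appending duplicates.
    nat_ruleset | iptables-restore
}

apply_nat
```

Running `iptables -t nat -L -n` after bringing the interface up twice should list each rule once.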

XMLHttpRequest stops working

XMLHttpRequest is the heart of what makes AJAX work. However, when trying to use it in strange ways as part of a Firefox extension, I’ve found that it doesn’t always work as expected. For example, if sending data from different parts of a JavaScript application, I observe that the first few connections are established and the messages go through, and then the remaining messages never appear on the wire unless I kill Firefox. It seems that most browsers enforce a limit on the number of concurrent XMLHttpRequests. Thus, it is important to close the requests that are no longer in use.