iptables / NAT in Xen

In following these instructions to get Xen set up with a NAT configuration for guests, I encountered the classic error:

# iptables -L
FATAL: Module ip_tables not found.
iptables v1.3.6: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I can never remember what kernel options are necessary for NAT. They’re described in a post to xen-users here:

cd xen-unstable.hg
make linux-2.6-xen0-config
Networking -> Networking options -> Network packet filtering (replaces ipchains) -> Core Netfilter Configuration -> Netfilter Xtables support (required for ip_tables) and do enable all modules included in that as per your need.
Then go to: Networking -> Networking options -> Network packet filtering (replaces ipchains) -> IP: Netfilter Configuration -> IP tables support (required for filtering/masq/NAT)

You can only go to the second step after doing the first one.

make linux-2.6-xen0-build
make linux-2.6-xen0-install
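Rather than re-walking the menus to confirm the options took, the resulting .config can be checked directly. The script below is an added example (not from the post or the xen-users thread); the symbol names are the upstream Kconfig symbols behind the menu entries above, and it accepts either CONFIG_IP_NF_NAT (2.6.18-era kernels) or CONFIG_NF_NAT (later kernels) for the NAT core. Run it against linux-2.6-xen0/.config in the build tree, or against /proc/config.gz on a running kernel that exposes it.

```shell
#!/bin/sh
# Added example: report which netfilter/NAT kernel options are missing from a
# .config file. Not part of the original post; symbol list is an assumption
# based on the menu entries from the xen-users post.

# cfg_enabled FILE SYMBOL: succeed if SYMBOL=y or SYMBOL=m appears in FILE
cfg_enabled() {
    grep -q "^$2=[ym]\$" "$1"
}

# missing_netfilter_options FILE: print one line per required option that is
# neither built in nor modular in FILE; exit status 1 if anything is missing.
missing_netfilter_options() {
    cfg=$1
    rc=0
    for sym in CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES \
               CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
               CONFIG_IP_NF_TARGET_MASQUERADE; do
        if ! cfg_enabled "$cfg" "$sym"; then
            echo "$sym"
            rc=1
        fi
    done
    # The NAT core symbol was renamed between kernel releases; accept either.
    if ! cfg_enabled "$cfg" CONFIG_IP_NF_NAT && ! cfg_enabled "$cfg" CONFIG_NF_NAT; then
        echo "CONFIG_NF_NAT (CONFIG_IP_NF_NAT on older kernels)"
        rc=1
    fi
    return $rc
}

# Usage against the running kernel, when it exposes its config:
#   zcat /proc/config.gz > /tmp/running.config && missing_netfilter_options /tmp/running.config
# or against the dom0 build tree:
#   missing_netfilter_options linux-2.6-xen0/.config
```

An empty output and a zero exit status mean the "Module ip_tables not found" error cannot come from the kernel config; a non-empty list names the menu entries still to enable before the next make linux-2.6-xen0-build.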

The Perfect Xen Setup for Debian and Ubuntu has a nice explanation of how to set up iptables and port forwarding.

/etc/network/if-up.d/iptables:

#!/bin/sh

# Let dom0 route packets between the guests' private network and eth0.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Rewrite the source address of outgoing guest traffic to dom0's own address.
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

### Port Forwarding ###
# Redirect inbound connections on eth0 to the guest that serves each port.
# Note: ifupdown runs this script once per interface that comes up, so these
# rules are appended again each time unless the script is guarded on $IFACE.
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.3.2:80
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 25 -j DNAT --to 192.168.3.3:25
iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 110 -j DNAT --to 192.168.3.3:110

You must also `chmod 755 /etc/network/if-up.d/iptables`.
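The script above works, but DNAT alone does not limit what the guests expose, and appending the same rules on every if-up event leaves duplicates in the chains. The version below is an added example, not the post's script nor the one from the Perfect Xen Setup guide. It assumes eth0 is the WAN interface, 192.168.0.0/16 is the guest network, and the same three forwards as above; it uses `iptables -C` to make re-runs idempotent, which needs iptables 1.4.11 or later (the 1.3.6 shown earlier lacks it), and it sets the FORWARD policy to DROP so only the listed ports, guest-originated traffic and established replies are forwarded.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent, interface-scoped
# NAT and port forwarding for Xen guests with a deny-by-default FORWARD chain.
# Assumed values: WAN interface eth0, guest network 192.168.0.0/16, and the
# constructed forward list below, which mirrors the post's three forwards.

WAN_IF=${WAN_IF:-eth0}
GUEST_NET=${GUEST_NET:-192.168.0.0/16}
IPT=${IPT:-iptables}

# Forwarded services: "proto port destination", one per line (constructed list).
FORWARDS='tcp 80 192.168.3.2
tcp 25 192.168.3.3
tcp 110 192.168.3.3'

# nat_rules: print every rule as "TABLE CHAIN MATCH... -j TARGET", one per line.
nat_rules() {
    # Masquerade only traffic that actually leaves via the WAN interface.
    echo "nat POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
    # Replies to existing connections, and anything the guests initiate.
    echo "filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "filter FORWARD -s $GUEST_NET -j ACCEPT"
    # One DNAT rule plus one matching FORWARD accept per published service.
    echo "$FORWARDS" | while read -r proto port dest; do
        [ -n "$proto" ] || continue
        echo "nat PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $dest:$port"
        echo "filter FORWARD -i $WAN_IF -p $proto -d $dest --dport $port -m state --state NEW -j ACCEPT"
    done
}

# apply_rules: enable forwarding, set the FORWARD policy to DROP, and append
# each rule only if an identical one is not already present.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    "$IPT" -P FORWARD DROP
    nat_rules | while read -r table chain rule; do
        # $rule is intentionally word-split into separate iptables arguments.
        "$IPT" -t "$table" -C "$chain" $rule 2>/dev/null || "$IPT" -t "$table" -A "$chain" $rule
    done
}

# ifupdown exports IFACE; only act when the WAN interface itself comes up,
# not for each guest vif. When run by hand without IFACE nothing is changed.
if [ "${IFACE:-}" = "$WAN_IF" ]; then
    apply_rules
fi
```

Installed as /etc/network/if-up.d/iptables (and made executable, as noted above), the script applies the rules once when eth0 comes up; running `nat_rules` by hand prints the rule set for review without touching the kernel.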
