Here is my output from iptables-save:

*nat
:PREROUTING ACCEPT [27179:4272858]
:POSTROUTING ACCEPT [16:1385]
:OUTPUT ACCEPT [1108:71364]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 17 10:06:31 2008
# Generated by iptables-save v1.3.5 on Wed Sep 17 10:06:31 2008
*filter
:INPUT ACCEPT [62014:18360950]
:FORWARD ACCEPT [17874:8946362]
:OUTPUT ACCEPT [13921:2216511]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/255.255.255.0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/255.255.255.0 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.122.10 -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -p udp -m physdev --physdev-in vif2.0 -m udp --sport 68 --dport 67 -j ACCEPT
COMMIT
On Wed, 2008-09-17 at 13:29 -0400, David Dyer-Bennet wrote:
>
> On Wed, September 17, 2008 12:22, Josh Mullis wrote:
> > I actually expected to see some different rules than what I have.
> > Not sure what I need to add.
> >
> > Here are my current tables.
> > (Spaces replaced with -'s for formatting)
> >
> > iptables -L
>
> Try iptables-save to see *all* the tables (in an incompatible format).
>
> I'm still struggling with my own setup (with similar goals and
> constraints, xen + lvs NAT), but once I got packets directed in, they
> came back out okay.
>
> The default route on each of the realserver "systems" (quotes to
> remind us that they may be xen guests not physical systems) needs to be
> set to the private net virtual IP of the LVS system -- I've deleted
> enough reading up to here that I can't now go back and check if you
> have that set right.
>
> And the LVS NAT works *only* for packets routed in by the LVS; the
> realservers can't initiate outgoing connections beyond the private LAN
> (unless you turn on ordinary NAT on the LVS, which is not the same
> thing as LVS NAT).
>
> --
> David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/
> Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
> Photos: http://dd-b.net/photography/gallery/
> Dragaera: http://dragaera.info
>

_______________________________________________
LinuxVirtualServer.org mailing list - [email protected]
Send requests to [EMAIL PROTECTED]
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
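The two prerequisites David spells out (real servers must default-route via the LVS private address, and outbound connections from real servers only work if ordinary NAT is switched on at the director) can be checked from text a real server and the director already produce. The script below is an added example, not from anyone on this thread; it assumes the text of `ip route show default` from a real server and of `iptables-save` from the director, and the sample inputs are constructed here, the nat table modelled on the one posted above.

```shell
#!/bin/sh
# Added example (not from the thread): verify LVS-NAT prerequisites
# from pasted command output. Sample inputs below are constructed.

# Usage: rs_default_via "<output of: ip route show default>" <lvs_private_ip>
# Succeeds only if the real server's default route points at the LVS
# private-side address, so replies to LVS-routed packets return via the LVS.
rs_default_via() {
    printf '%s\n' "$1" | grep -Eq "^default via $2( |$)"
}

# Usage: has_ordinary_nat "<output of iptables-save>" <subnet>
# Succeeds if the nat table's POSTROUTING chain masquerades that subnet,
# i.e. "ordinary NAT" is on and real servers can open outbound connections
# themselves (LVS-NAT alone only handles traffic the director routed in).
has_ordinary_nat() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/     { table = substr($0, 2) }   # *nat, *filter, ...
        /^COMMIT/ { table = "" }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" &&
            $3 == "-s" && $4 == net && /-j MASQUERADE/ { found = 1 }
        END { exit !found }'
}

# Constructed samples of what a real server might report.
RS_ROUTE_OK='default via 192.168.122.1 dev eth0'
RS_ROUTE_BAD='default via 10.0.0.1 dev eth0'

# Constructed sample modelled on the poster's nat table.
IPT_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

if rs_default_via "$RS_ROUTE_OK" 192.168.122.1; then
    echo "real server default route points at the LVS private address"
fi
if has_ordinary_nat "$IPT_SAVE" 192.168.122.0/255.255.255.0; then
    echo "ordinary NAT is on: real servers can initiate outbound connections"
fi
```

Note that the `-o eth0` MASQUERADE line is deliberately not counted: it masquerades whatever leaves eth0 rather than the real-server subnet specifically, and the check asks only about the subnet David's point concerns.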
