# xen on a router, iptables help needed [solved]

## qubix

I have tried and tried and think that there is some obvious crazy detail I've missed below that I'm not able to spot. I don't believe that there is a bug.

I have a PC-router, that I thought is powerful enough to run the mail/web/ssh/squid server on a xen virtual machine. The router bit is done on dom0. And I've started migrating it from 192.168.67.2 and .3 to 192.168.68.5 and .6, from a physical box to a xen domain. Below you can find the net config summary, ip routes (as I have 2 net connections) and iptables-save dump. There are two tricky parts: the ip routes stuff chooses the WAN connection based on the local IP address (so if I use 192.168.68.5 on the xen domU it goes out through WAN-TP, and through WAN-ACN if 192.168.68.6 is used) and takes care of the inbound traffic from the Internet, so it is routed correctly on its way back. Also the xen bridge is on a dummy interface.

So the thing is, that the hosts on eth[0-4] work exactly as I want them. Traffic between the networks works, from and to the Internet as well. The iptables are a bit messy, as those have been in use and under constant modifications since 2003/2004 I suppose. I've started adding rules for the xen host on the 192.168.68.0/24 network and I ran into problems.

From the XEN domU I can:

- connect to the Internet as described below,
- SSH to the hosts in the DMZ,
- SSH from the hosts in the DMZ.

I cannot, but would wish to, with the XEN domU:

- SSH from the LAN,
- SSH to the LAN (for testing, I'll change it to other services like SNMP),
- use the squid on the XEN domU from within the LAN,
- access SSH on the domU from the Internet, just like it is done on the DMZ host.

Strangely, I can SSH from 192.168.0.0/24 to 192.168.68.1 (the IP of the router), so the routing works. There must be something in the iptables that I've missed.

Any help/suggestions are welcome.

```
##### net config

eth0   LAN      192.168.0.0/24 +alias 192.168.1.0/24
eth1   DMZ      192.168.67.0/24, hosts on .2, .3
eth2   WAN-TP   83.16.85.XX with 83.16.85.netaddr (net address) and 83.16.85.gwaddr (gw address)
eth3   WAN-ACN   62.121.121.YY
dummy0   DMZ with a bridge for XEN domUs   192.168.68.0/24, hosts on .2, .5, .6

#####     ip routes (always run at startup):

ip route add default via 62.121.123.254 table acn
ip route add default via 83.16.85.gwaddr table tpsa
ip route add 83.16.85.netaddr dev eth2 src 83.16.85.XX table tpsa
ip route add 62.121.120.0 dev eth3 src 62.121.121.YY table acn
ip route add 83.16.85.netaddr dev eth2 src 83.16.85.XX
ip route add 62.121.120.0 dev eth3 src 62.121.121.YY
ip route add default via 83.16.85.gwaddr
ip rule add from 83.16.85.XX table tpsa
ip rule add from 62.121.121.YY table acn
ip route add 192.168.0.0/24 dev eth0 table tpsa
ip route add 192.168.0.0/24 dev eth0 table acn
ip route add 192.168.1.0/24 dev eth0 table tpsa
ip route add 192.168.1.0/24 dev eth0 table acn
ip route add 192.168.67.2 dev eth1 table tpsa
ip route add 192.168.67.2 dev eth1 table acn
ip route add 127.0.0.0/8 dev lo   table tpsa
ip route add 127.0.0.0/8 dev lo   table acn
ip route add 83.16.85.netaddr dev eth2 table acn
ip route add 62.121.120.0 dev eth3  table tpsa
ip rule add from 192.168.0.0/24 table acn
ip rule add from 192.168.1.0/24 table acn
ip rule add from 192.168.67.3 table acn
ip rule add from 192.168.68.6 table acn

##### iptables-save

# Generated by iptables-save v1.4.8 on Wed Feb 29 10:18:50 2012
*nat
:PREROUTING ACCEPT [69390:6031314]
:POSTROUTING ACCEPT [35727:2279599]
:OUTPUT ACCEPT [296:21414]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.67.2:8022
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.67.2:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.67.2:53
-A PREROUTING -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.67.2:25
-A PREROUTING -i eth2 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.67.2:995
-A PREROUTING -s 192.168.0.0/24 -d 83.16.85.XX/32 -i eth0 -j DNAT --to-destination 192.168.67.2
-A PREROUTING -i eth2 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.67.2:53
-A PREROUTING -i eth2 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.67.2:993
-A PREROUTING -i eth2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.67.2:8022
-A PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.67.3:80
-A PREROUTING -i eth3 -p tcp -m tcp --dport 8022 -j DNAT --to-destination 192.168.67.3:8022
-A PREROUTING -i eth3 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.67.3:53
-A PREROUTING -i eth3 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.67.3:53
-A PREROUTING -i eth3 -p tcp -m tcp --dport 63392 -j DNAT --to-destination 192.168.67.3:63392
-A PREROUTING -i eth3 -p udp -m udp --dport 63392 -j DNAT --to-destination 192.168.67.3:63392
-A PREROUTING -s 192.168.0.0/24 -d 62.121.121.YY/32 -i eth0 -j DNAT --to-destination 192.168.67.2
-A PREROUTING ! -s 192.168.67.2/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.67.2:3128
-A PREROUTING -i eth3 -p tcp -m tcp --dport 8023 -j DNAT --to-destination 192.168.68.6:22
-A PREROUTING -i eth2 -p tcp -m tcp --dport 8023 -j DNAT --to-destination 192.168.68.5:22
-A POSTROUTING -s 192.168.67.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.67.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.68.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.68.0/24 -o eth2 -j MASQUERADE
COMMIT
# Completed on Wed Feb 29 10:18:50 2012
# Generated by iptables-save v1.4.8 on Wed Feb 29 10:18:50 2012
*filter
:INPUT DROP [4457:1042803]
:FORWARD DROP [1588:121918]
:OUTPUT ACCEPT [1365:197959]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 83.17.253.82/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p tcp -m tcp --dport 162 -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -s 62.121.126.29/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.67.2/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 31.11.179.242/32 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.68.0/24 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 8022 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.67.0/24 -d 192.168.1.0/24 -j DROP
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.67.2/32 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.101/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.100/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.0/24 ! -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -s 192.168.0.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.10/32 -j ACCEPT
-A FORWARD -s 192.168.0.79/32 -j ACCEPT
-A FORWARD -s 192.168.0.43/32 -j ACCEPT
-A FORWARD -s 192.168.0.4/32 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 8022 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.100/32 -j ACCEPT
-A FORWARD -s 192.168.0.101/32 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p udp -m udp --dport 63392 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -p tcp -m tcp --dport 63392 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p udp -m udp --dport 873 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.67.2/32 -i eth0 -o eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -d 91.197.13.0/24 -j DROP
-A FORWARD -s 192.168.0.0/24 ! -d 91.197.13.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.130/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 3389 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p udp -m udp --dport 23389 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 23389 -j ACCEPT
-A FORWARD -s 192.168.0.89/32 -j ACCEPT
-A FORWARD -s 192.168.0.95/32 -j ACCEPT
-A FORWARD -s 192.168.0.69/32 -j ACCEPT
-A FORWARD -s 192.168.0.80/32 -j ACCEPT
-A FORWARD -s 192.168.0.70/32 -j ACCEPT
-A FORWARD -s 192.168.0.60/32 -j ACCEPT
-A FORWARD -s 192.168.0.53/32 -j ACCEPT
-A FORWARD -s 192.168.0.67/32 -j ACCEPT
-A FORWARD -s 192.168.0.41/32 -j ACCEPT
-A FORWARD -s 192.168.0.81/32 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.132/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.0.33/32 -j ACCEPT
-A FORWARD -s 192.168.0.99/32 -j ACCEPT
-A FORWARD -s 192.168.0.144/32 -d 62.121.128.20/32 -j ACCEPT
-A FORWARD -s 192.168.67.2/32 -d 192.168.0.144/32 -p udp -m udp --dport 161 -j ACCEPT
-A FORWARD -s 192.168.67.0/24 -d 192.168.0.0/24 -j DROP
-A FORWARD -s 192.168.0.0/24 -d 192.168.68.0/24 -j ACCEPT
-A FORWARD -s 192.168.68.5/32 -d 192.168.0.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.68.5/32 -d 192.168.0.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.68.0/24 -j ACCEPT
-A FORWARD -s 192.168.68.2/32 -d 192.168.0.132/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Feb 29 10:18:50 2012
```

----------

## qubix

ok, solved.

things missing:

```
ip route add 192.168.68.0/24 dev dummy0 table tpsa
ip route add 192.168.68.0/24 dev dummy0 table acn
```

and FORWARD ACCEPT for packets coming in and out of the dummy0 interface. Now I can polish it a bit, and clean up the mess. I'm motivated now. Some lines of that config remember the times when Slackware used to be cool.

Strange. It seems that you need to define the interface when it comes to dummy/bridge interfaces but you don't when it comes to regular NICs.

----------
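An added example, not part of the thread, that models the policy-routing lookup behind the fix above. The `ip rule add from 192.168.0.0/24 table acn` line sends every LAN-sourced packet to table `acn` first, and because `acn` carries a default route, a packet for 192.168.68.5 is sent out eth3 instead of dummy0 until the `192.168.68.0/24 dev dummy0` route is added to that table (the `tpsa` table is analogous and left out; gateway hops are reduced to their egress device).

```python
import ipaddress

# Constructed model of the router's policy routing: rules are tried in order,
# the first table whose lookup hits decides the egress device, and the main
# table is consulted only if no rule's table has a matching route.


def route(table, dst):
    """Longest-prefix match of dst against a list of (prefix, dev) routes."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def lookup(rules, tables, src, dst):
    """'ip rule add from SRC table T' semantics followed by the main table."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, table in rules:
        if src in ipaddress.ip_network(src_net):
            dev = route(tables[table], dst)
            if dev is not None:
                return dev
    return route(tables["main"], dst)


# Rules and routes taken from the thread; only entries relevant to the
# LAN <-> 192.168.68.0/24 case are kept.
RULES = [("192.168.0.0/24", "acn"), ("192.168.1.0/24", "acn"),
         ("192.168.68.6/32", "acn")]
MAIN = [("192.168.0.0/24", "eth0"), ("192.168.67.0/24", "eth1"),
        ("192.168.68.0/24", "dummy0"), ("0.0.0.0/0", "eth2")]
ACN = [("192.168.0.0/24", "eth0"), ("192.168.1.0/24", "eth0"),
       ("192.168.67.2/32", "eth1"), ("0.0.0.0/0", "eth3")]
FIX = [("192.168.68.0/24", "dummy0")]  # the route the poster had to add


def egress(fixed, src, dst):
    """Egress device for src->dst, before (fixed=False) or after the fix."""
    tables = {"main": MAIN, "acn": ACN + (FIX if fixed else [])}
    return lookup(RULES, tables, src, dst)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "before",
              "LAN->domU:", egress(fixed, "192.168.0.10", "192.168.68.5"),
              "LAN->DMZ:", egress(fixed, "192.168.0.10", "192.168.67.2"))
```

The DMZ lookup succeeds even before the fix because 192.168.67.2 was already added to the `acn` table explicitly, which is the same thing the dummy0 subnet needed.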

