Setting up IP masquerading on a Xen server.

【Checking the table contents (before the change)】


# iptables-save

Note that, despite its name, iptables-save does not save anything.
It prints the current rules; to keep a copy of them, run

# iptables-save > filename

to back up the current rules to a file.


# Generated by iptables-save v1.3.5 on Thu Jul 29 20:38:46 2010
*nat
:PREROUTING ACCEPT [656:85288]
:POSTROUTING ACCEPT [23:1360]
:OUTPUT ACCEPT [36:2260]
-A POSTROUTING -s 192.168.80.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Jul 29 20:38:46 2010
# Generated by iptables-save v1.3.5 on Thu Jul 29 20:38:46 2010
*filter
:INPUT ACCEPT [3462:806791]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1982:655230]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.80.0/255.255.255.0 -i eth0 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.80.0/255.255.255.0 -i virbr0 -o eth0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

-A FORWARD -m physdev --physdev-in vif1.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif2.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif3.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif4.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif4.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif5.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif5.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif6.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif6.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif7.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif7.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif8.0 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif8.1 -j ACCEPT
COMMIT
# Completed on Thu Jul 29 20:38:46 2010

* The lines shown in red (the two FORWARD REJECT rules above) were stopping packets from getting out, so I deleted them.
Packets could come in, but could not get out.
Deleting only
 -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
would have been enough, but I deleted both to be safe.

【Editing xend-config.sxp】

Changing the network configuration applied when Xen starts


# cd /etc/xen
# vi /etc/xen/xend-config.sxp

Before


(network-script network-bridge)
(vif-script vif-bridge)

## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
#(network-script network-nat)
#(vif-script vif-nat)


After

#(network-script network-bridge)
#(vif-script vif-bridge)

## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
#(network-script network-nat)
(network-script network-nat-custom)
#(vif-script vif-nat)

【Creating the xend network script run at Xen startup】

■ Creating the script


# cd /etc/xen/scripts/
# vi network-nat-custom


#!/bin/sh
#============================================================================
# Custom Xen network script when using NAT.
# Xend calls a network script when it starts.
# The script name to use is defined in /etc/xen/xend-config.sxp
# in the network-script field.
#
# Author / Date:
# Ando 2010/08/12
#
# Usage:
#
# network-nat-custom
#
# Vars:
#
# libvirtbr The virtual switch (default virbr0).
# Path /etc/libvirt/qemu/networks/virbr0.xml
# netdev The interface to masquerade on (default eth0).
#
#============================================================================


##################################################
# Vars
##################################################
netdev=${netdev:-eth0}
libvirtbr=${libvirtbr:-virbr0}

##################################################
# Initialize
##################################################
# Flush both nat chains this script manages, so that running it again
# (for example on an xend restart) does not append duplicate rules.
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

##################################################
# POSTROUTING
##################################################
# SNAT: traffic from the guest network leaving ${netdev} gets the Dom0 address.
# -o ${netdev} keeps this to the external interface, as in libvirt's own rule.
iptables -t nat -A POSTROUTING -s 192.168.80.0/255.255.255.0 -o ${netdev} -j SNAT --to-source 192.168.0.52

# MASQUERADE: anything else leaving ${netdev}.
iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE


##################################################
# FORWARD clean-up
##################################################
# Remove the two REJECT rules inserted by libvirtd that stopped guest packets
# from leaving. With the FORWARD policy at ACCEPT, Dom0 will then forward any
# traffic between ${libvirtbr} and ${netdev}; add explicit FORWARD rules if
# that is more than you want. (-D simply fails if the rule is already gone.)
iptables -D FORWARD -o ${libvirtbr} -j REJECT --reject-with icmp-port-unreachable
iptables -D FORWARD -i ${libvirtbr} -j REJECT --reject-with icmp-port-unreachable


##################################################
# NAPT
##################################################
# Port forwards: TCP port 808N on the Dom0 address -> guest 192.168.80.8N, port 80.
# 192.168.0.*** stands for the Dom0 address on ${netdev}.
iptables -t nat -A PREROUTING -d 192.168.0.*** -i ${netdev} -p tcp --dport 8081 -j DNAT --to 192.168.80.81:80
iptables -t nat -A PREROUTING -d 192.168.0.*** -i ${netdev} -p tcp --dport 8082 -j DNAT --to 192.168.80.82:80
iptables -t nat -A PREROUTING -d 192.168.0.*** -i ${netdev} -p tcp --dport 8083 -j DNAT --to 192.168.80.83:80
iptables -t nat -A PREROUTING -d 192.168.0.*** -i ${netdev} -p tcp --dport 8084 -j DNAT --to 192.168.80.84:80
iptables -t nat -A PREROUTING -d 192.168.0.*** -i ${netdev} -p tcp --dport 8085 -j DNAT --to 192.168.80.85:80
iptables -t nat -A PREROUTING -d 192.168.0.*** -i ${netdev} -p tcp --dport 8086 -j DNAT --to 192.168.80.86:80
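As an added example (not part of the original post, and not Xen's or libvirt's own code), the script below builds the same POSTROUTING and PREROUTING rules from a list of guest numbers instead of one hand-written line per guest, and adds two checks that can be run against an iptables-save dump: how many of libvirt's FORWARD REJECT rules are still present, and what the FORWARD chain's default policy is. IPT defaults to `echo iptables`, so by default it only prints the commands it would run; HOST_IP is a placeholder for the Dom0 address on eth0, which the post masks as 192.168.0.***; the sample dump is constructed from the post's "before" output.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the NAT rules for the
# libvirt/Xen setup above from a list of guest numbers and audits an
# iptables-save dump for the rules that blocked forwarding.

HOST_IP=${HOST_IP:-192.0.2.10}        # placeholder: Dom0 address on netdev (masked as 192.168.0.*** in the post)
GUEST_NET=${GUEST_NET:-192.168.80.0/24}
netdev=${netdev:-eth0}
libvirtbr=${libvirtbr:-virbr0}
IPT=${IPT:-echo iptables}             # dry run by default; IPT=iptables applies the rules (word splitting intended)

# One port forward: TCP port 80NN on the host -> 192.168.80.NN:80, the scheme the post uses.
dnat_rule() {
    n=$1
    $IPT -t nat -A PREROUTING -d "$HOST_IP" -i "$netdev" -p tcp --dport "80$n" \
        -j DNAT --to "192.168.80.$n:80"
}

# Flush the nat chains we own, SNAT guest traffic leaving netdev, then one DNAT per guest in "$@".
setup_nat() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -F PREROUTING
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$netdev" -j SNAT --to-source "$HOST_IP"
    for n in "$@"; do
        dnat_rule "$n"
    done
}

# Number of libvirt REJECT rules on FORWARD in an iptables-save dump read from stdin
# (the two rules the post found were stopping outbound guest packets).
count_libvirt_reject() {
    grep -c -- "-A FORWARD -[io] $libvirtbr -j REJECT" || true
}

# Default policy of the FORWARD chain in the dump. ACCEPT means that once the
# REJECT rules are removed, everything not explicitly matched is forwarded.
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# Constructed sample dump, abbreviated from the post's "before" output.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [3462:806791]
:FORWARD ACCEPT [0:0]
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

echo "# NAT rules for guests 81-86 (dry run unless IPT=iptables):"
setup_nat 81 82 83 84 85 86
echo "# libvirt REJECT rules in sample dump: $(printf '%s\n' "$SAMPLE_DUMP" | count_libvirt_reject)"
echo "# FORWARD policy in sample dump: $(printf '%s\n' "$SAMPLE_DUMP" | forward_policy)"
```

Run it as `IPT=iptables HOST_IP=<dom0 address> sh nat-example.sh` to apply the rules, or pipe a live dump into the checks with `iptables-save | sh -c '. ./nat-example.sh; count_libvirt_reject'`. The two checks together show what removing the REJECT rules actually means: with the FORWARD policy at ACCEPT, Dom0 will forward any traffic between eth0 and virbr0, not just the forwarded ports, so a FORWARD chain that only allows the DNATed ports and RELATED,ESTABLISHED traffic is the usual next step.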