Hi all,
I'm running a CentOS 5.2 server with a FC8 xen domU guest, and an irc server on the FC8 domU guest. For some odd reason, I can't access the irc server on the xen domU guest.
From FC8, when I run netstat -a, I can see irc is listening:
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                Foreign Address              State
tcp        0      0 *:ircd                       *:*                          LISTEN
tcp        0      0 *:6668                       *:*                          LISTEN
tcp        0      0 *:6669                       *:*                          LISTEN
tcp        0      0 *:ftp                        *:*                          LISTEN
tcp        0      0 192.168.10.:afs3-fileserver  *:*                          LISTEN
tcp        0      0 localhost.localdomain:smtp   *:*                          LISTEN
tcp        0      0 192.168.10.13:ftp            196-209-84-62-tpr-esr:49615  ESTABLISHED
tcp        0      0 *:http                       *:*                          LISTEN
tcp        0      0 *:ssh                        *:*                          LISTEN
and running nmap on the localhost looks promising as well:
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                Foreign Address              State
tcp        0      0 *:ircd                       *:*                          LISTEN
tcp        0      0 *:6668                       *:*                          LISTEN
tcp        0      0 *:6669                       *:*                          LISTEN
tcp        0      0 *:ftp                        *:*                          LISTEN
tcp        0      0 196.34.136.:afs3-fileserver  *:*                          LISTEN
tcp        0      0 localhost.localdomain:smtp   *:*                          LISTEN
tcp        0      0 196.34.136.55:ftp            196-209-84-62-tpr-esr:49615  ESTABLISHED
tcp        0      0 *:http                       *:*                          LISTEN
tcp        0      0 *:ssh                        *:*                          LISTEN
Yet, from the outside (either from another PC, or the dom0 itself), I can't connect to the irc ports.
I've even disabled iptables on the dom0 altogether, but still can't connect to it.
The only open ports are:
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
7001/tcp closed afs3-callback
8000/tcp closed http-alt
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
How do I get this to work?
P.S. Sorry for the cross-post, for those of you who are on the centos-virt list as well, I just find that this list is being used more.
Rudi Ahlers wrote on Sun, 10 Aug 2008 08:41:55 +0200:
The only open ports are:
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
7001/tcp closed afs3-callback
8000/tcp closed http-alt
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
Compare that with your lists above. It doesn't fit at all, e.g. there is no https on your other lists. Looks very much like a dns or IP address problem - the latter test is not against the same target although you think it is.
Kai
Hi Kai,
I have noticed that as well, but don't quite know what to do with it.
Running nmap against the VPS, from my home PC, I get the following:
Not shown: 1661 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http
110/tcp  closed pop3
143/tcp  closed imap
161/tcp  closed snmp
222/tcp  closed rsh-spx
443/tcp  closed https
873/tcp  closed rsync
3306/tcp closed mysql
3389/tcp closed ms-term-serv
8000/tcp closed http-alt
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
9991/tcp closed issa
9992/tcp closed issc
9999/tcp closed abyss
Nmap finished: 1 IP address (1 host up) scanned in 47.591 seconds
Running nmap against the same IP, from the master (the XEN server), I get the following:
Not shown: 1691 filtered ports
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  closed https
7001/tcp closed afs3-callback
8000/tcp closed http-alt
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
So, how do you explain this one?
The Xen server is in a different subnet from the Xen domU, but I don't think that would make a difference, right?
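An added example (not from the thread) that puts the two scans above side by side. nmap only lists ports whose state differs from the "Not shown" state, so a port missing from one listing is implicitly in that default state; a small parser makes the comparison explicit and shows that the IRC ports are "filtered" from both vantage points, which points at something dropping packets on the path rather than at a closed socket. The two listings are transcribed from the messages above and embedded as constructed strings; the assumption that the box's "ircd" service name maps to 6667 is mine (that is the /etc/services default), while 6668 and 6669 appear in the netstat output.

```python
"""Added example, not from the thread: compare two nmap views of one target.

The two scan listings are transcribed from the poster's messages (home PC
vs the Xen dom0) and embedded as constructed strings so the comparison
runs offline. Ports absent from a listing take the "Not shown" state.
"""
import re

SCAN_FROM_HOME = """\
Not shown: 1661 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp open ssh
25/tcp closed smtp
53/tcp closed domain
80/tcp open http
110/tcp closed pop3
143/tcp closed imap
161/tcp closed snmp
222/tcp closed rsh-spx
443/tcp closed https
873/tcp closed rsync
3306/tcp closed mysql
3389/tcp closed ms-term-serv
8000/tcp closed http-alt
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
9991/tcp closed issa
9992/tcp closed issc
9999/tcp closed abyss
"""

SCAN_FROM_DOM0 = """\
Not shown: 1691 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp closed https
7001/tcp closed afs3-callback
8000/tcp closed http-alt
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
"""

# 6667 is what /etc/services maps "ircd" to (an assumption about the poster's
# box); 6668 and 6669 are listed explicitly in his netstat output.
IRC_PORTS = (6667, 6668, 6669)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
NOT_SHOWN = re.compile(r"^Not shown: \d+ (\S+) ports")


def parse_scan(text):
    """Return (default_state, {port: (state, service)}) for nmap's normal output."""
    default_state = "unknown"
    ports = {}
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            default_state = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return default_state, ports


def state_of(scan, port):
    """State nmap reported for a port, falling back to the 'Not shown' state."""
    default_state, ports = scan
    return ports[port][0] if port in ports else default_state


def compare_scans(scan_a, scan_b, extra_ports=()):
    """Ports whose state differs between two vantage points: {port: (a, b)}."""
    candidates = set(scan_a[1]) | set(scan_b[1]) | set(extra_ports)
    return {
        p: (state_of(scan_a, p), state_of(scan_b, p))
        for p in sorted(candidates)
        if state_of(scan_a, p) != state_of(scan_b, p)
    }


HOME_SCAN = parse_scan(SCAN_FROM_HOME)
DOM0_SCAN = parse_scan(SCAN_FROM_DOM0)

if __name__ == "__main__":
    for port, (home, dom0) in compare_scans(HOME_SCAN, DOM0_SCAN, IRC_PORTS).items():
        print(f"{port:>5}/tcp  home={home:<8} dom0={dom0}")
    for port in IRC_PORTS:
        print(f"IRC {port}: home={state_of(HOME_SCAN, port)} dom0={state_of(DOM0_SCAN, port)}")
```

Run as-is it prints the 15 ports whose state differs between the two vantage points (22/tcp is open from home but filtered from the dom0, 7001/tcp the reverse) and then the IRC ports, which come back "filtered" from both sides.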
Rudiahlers@gmail.com wrote on Sun, 10 Aug 2008 14:11:06 +0200:
443/tcp closed https
sorry, I didn't look close enough. "closed", of course, means closed ;-)
Did you disable firewall for testing on *every* host that is involved (e.g. on the hosts you try to access/run nmap from), including the gateway? Is this the only IRC service you have running? I'd rather guess you don't have a xen problem, but simply block that port somewhere on the way, and be it on your gateway. Running tcpdump on every involved host may help.
Kai
Hey Kai,
I just made an interesting discovery. As I said in my previous post, the domU is running on a different subnet from the dom0 - and although the traffic from the dom0 to the domU doesn't travel via a switch, it does seem like this is causing a problem.
The dom0 is on x.x.136.110/27 (x.x.136.97 = default gw) and the domU is on x.x.136.55/27 (x.x.136.33 = default gw). The subnet mask on both is 255.255.255.224.
The server connects to a switch, and then to a firewall on the internet. The network firewall itself has 4 WAN ports, and 4 different subnets. For a fact, I know I can't communicate from a host on one subnet to a host on another subnet, since the network firewall doesn't allow it.
So, I have a feeling this affects the networking on the Xen server as well, even if I take the network firewall out of the picture.
How do I work with a XEN domU on a different subnet than the XEN dom0?
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Just an update on this: when I added x.x.136.105 to the domU and ran nmap on that IP, the IRC ports are open, so that confirms my "theory" - this is then a routing issue between the dom0 & domU, right? But how do I fix it?
--
Kind Regards Rudi Ahlers
Rudiahlers@gmail.com wrote on Sun, 10 Aug 2008 15:00:02 +0200:
But how do I fix it?
Your router is probably routing between the one subnet and outside and the other subnet and outside, but not between the two. Easiest solution is to do what you did: use IP in same subnet. For my Office network I usually put all hosts I want to access from within the network on the same private subnet. If I want to have any of them accessible via one of the public addresses I have I add that address to the host and enable "passthru" in the firewall.
Kai
Rudiahlers@gmail.com wrote on Sun, 10 Aug 2008 14:55:30 +0200:
How do I work with a XEN domU on a different subnet than the XEN dom0?
If you just want to "work" with it, you can use xm console. If you want to have a network connection between the two, it's like with any other host, there is no difference between virtual and physical. There is no "magic" that connects host and guest via network. They have to have at least one IP address on the same subnet or a router must route between them.
Kai
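As an added illustration of Kai's point (not code from the thread), the script below computes which /27 each address falls in and whether the two hosts can reach each other on the bridge without a router. The addresses are constructed stand-ins from the 192.0.2.0/24 documentation range; only the host octets (.110, .97, .55, .33) and the 255.255.255.224 mask come from the thread, and fix_by_alias is my own name for the workaround the poster tried (adding an address from the other subnet as an alias).

```python
"""Added example, not from the thread: are two bridged hosts on one subnet?

The dom0 and domU values are constructed stand-ins for the thread's masked
x.x.136.0/27 networks, using the 192.0.2.0/24 documentation range. Only the
host octets and the /27 mask (255.255.255.224) are taken from the thread.
"""
import ipaddress

DOM0 = ("192.0.2.110/27", "192.0.2.97")   # constructed: dom0 address, default gw
DOMU = ("192.0.2.55/27", "192.0.2.33")    # constructed: domU address, default gw


def network_of(cidr):
    """Network (here a /27) that an interface address belongs to."""
    return ipaddress.ip_interface(cidr).network


def same_subnet(cidr_a, cidr_b):
    """True if both interface addresses fall inside the same network."""
    return network_of(cidr_a) == network_of(cidr_b)


def gateway_on_link(cidr, gw):
    """True if the default gateway is directly reachable from this interface."""
    return ipaddress.ip_address(gw) in network_of(cidr)


def diagnose(host_a, host_b):
    """Explain why two bridged hosts can or cannot talk without a router.

    Each host is an (address/prefix, gateway) pair. The verdict is 'direct'
    when both sit in one subnet and 'needs-router' otherwise: with bridged
    Xen networking the dom0 and domU are just two machines on one wire, so
    nothing forwards between two /27s unless a router does.
    """
    net_a = network_of(host_a[0])
    net_b = network_of(host_b[0])
    return {
        "net_a": str(net_a),
        "net_b": str(net_b),
        "gw_a_on_link": gateway_on_link(*host_a),
        "gw_b_on_link": gateway_on_link(*host_b),
        "verdict": "direct" if net_a == net_b else "needs-router",
    }


def fix_by_alias(host_a, host_b):
    """First free address in host_b's subnet that host_a could add as an alias.

    Mirrors the poster's workaround of adding a second address from the other
    /27. Skips the gateway and host_b itself; a real deployment must also
    make sure the address is not already in use elsewhere on the segment.
    """
    net_b = network_of(host_b[0])
    taken = {ipaddress.ip_interface(host_b[0]).ip, ipaddress.ip_address(host_b[1])}
    for candidate in net_b.hosts():
        if candidate not in taken:
            return str(candidate)
    return None


if __name__ == "__main__":
    report = diagnose(DOM0, DOMU)
    for key, value in report.items():
        print(f"{key:>13}: {value}")
    if report["verdict"] == "needs-router":
        print(f"alias for dom0: {fix_by_alias(DOM0, DOMU)}")
```

For the thread's numbers the report shows the dom0 in 192.0.2.96/27 and the domU in 192.0.2.32/27, both gateways on-link for their own host, and a "needs-router" verdict; an alias in the domU's /27 on the dom0 (or a route on the firewall between the two /27s) is what makes the pair reachable.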
Yes, the VPS needs internet access.
So, do I need to make changes on the network firewall? Or what do I do?
I have since added x.x.136.56 to the dom0, and when I nmap the domU, I can see the IRC ports open, but now I can't connect to them from the internet.
But how do I tell the domU to route all traffic via the new interface, eth0:2 (x.x.136.56)? I have added the default gw x.x.136.33 to the dom0 & the domU already.
If I use bridge mode for the VPSs, which is the default for XEN, then surely the host OS's networking won't make any difference, right?
Rudiahlers@gmail.com wrote on Sun, 10 Aug 2008 16:04:20 +0200:
If I use bridge mode for the VPSs, which is the default for XEN, then surely the host OS's networking won't make any difference, right?
Depends on how you define "any difference". As I said, if you use bridge mode (standard xen networking) host and guest behave like independent physical machines. You have to do the same that you would do for two physical machines. There is no "magic bond" between them. If you use xen routed networking you should have told so. I've never used that.
Kai
Sorry, Kai, I didn't want to confuse you. I don't use xen routed networking. I presume (if I install the XEN guests with virt-install) that I'm using bridged mode - there is a xenbr0 & a few vif.x interfaces.
But I think I know where the problem lies. I need to set up a route between the 2 subnets on the network firewall then.