Xen on Ubuntu 18.04 with IPv4 (NAT) and IPv6
I'm renting a dedicated server at Hetzner and installed Ubuntu server 18.04 LTS on it.
I've got two public IPv4 addresses named x.x.x.x and y.y.y.y and one IPv6 /64 block for connecting my private networks to the internet. I use NAT for IPv4.
My network is configured using Netplan as follows:
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
        - x.x.x.x/32
        - y.y.y.y/32
        - a.a.a.a::2/64
      routes:
        - on-link: true
          to: 0.0.0.0/0
          via: z.z.z.z
      gateway6: fe80::1
      nameservers:
        addresses:
          - 1.1.1.1
          - 1.0.0.1
          - 2606:4700:4700::1111
          - 2606:4700:4700::1001
  bridges:
    xenbr0:
      interfaces: []   # no member NIC; Xen attaches guest vifs at domain start
      addresses:
        - 192.168.0.1/24
        - a.a.a.a::3/64
      parameters:
        forward-delay: 0
        stp: false
    xenbr1:
      interfaces: []   # no member NIC; Xen attaches guest vifs at domain start
      addresses:
        - 192.168.1.1/24
        - a.a.a.a::4/64
      parameters:
        forward-delay: 0
        stp: false
The installation and configuration of XEN:
sudo apt-get install xen-hypervisor-amd64 xen-tools
sudo reboot
sudo vim /etc/default/grub
GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=min:1024M,max:1024M dom0_max_vcpus=2 dom0_vcpus_pin"
sudo vim /etc/xen/xl.conf
autoballoon=0
sudo update-grub
sudo reboot
VMs should be accessible to and from the Internet using IP forwarding and NAT.
sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p /etc/sysctl.conf
sudo apt-get install iptables-persistent
The NAT part:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Forward HTTP and HTTPS requests to our VM2 server:
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 80 -j DNAT --to 192.168.0.11:80
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 443 -j DNAT --to 192.168.0.11:443
We don't want any traffic between 192.168.0.x <-> 192.168.0.y, so we drop all packets with some simple rules. This blocks communication between the bridges:
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i eth0 -o xenbr0 -j ACCEPT
sudo iptables -A FORWARD -i xenbr0 -o eth0 -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o xenbr1 -j ACCEPT
sudo iptables -A FORWARD -i xenbr1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
The IPv4 part works perfectly but the IPv6 doesn't. I've assigned an IPv6 address manually to my VMs. When logged in to VM1 I can ping xenbr0 at address ::3 and VM2 at address ::11 but can't ping eth0 at address ::2.
It's like the bridge prevents the IPv6 traffic from leaving the network, but I can't figure out why.
ubuntu iptables bridge nat xen
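As an added illustration (not part of the question), the FORWARD chain above can be replayed offline with a small first-match evaluator to confirm what it actually permits: guest-to-internet and DNATed internet-to-guest flows pass, while xenbr0 <-> xenbr1 traffic and packets whose source is not the bridge's own subnet fall through to the DROP policy. The rule strings are copied from the question; the sample flows and the 203.0.113.7 internet host are constructed.

```python
import ipaddress

# The FORWARD chain from the question, verbatim (iptables, so IPv4 only).
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    "-A FORWARD -i eth0 -o xenbr0 -j ACCEPT",
    "-A FORWARD -i xenbr0 -o eth0 -s 192.168.0.0/24 -j ACCEPT",
    "-A FORWARD -i eth0 -o xenbr1 -j ACCEPT",
    "-A FORWARD -i xenbr1 -o eth0 -s 192.168.1.0/24 -j ACCEPT",
]

def parse_rule(rule):
    """Parse the subset of iptables syntax used above: -A, -i, -o, -s, -j."""
    toks = rule.split()
    spec = {}
    for flag, value in zip(toks[::2], toks[1::2]):
        if flag == "-A":
            spec["chain"] = value
        elif flag == "-i":
            spec["in"] = value
        elif flag == "-o":
            spec["out"] = value
        elif flag == "-s":
            spec["src"] = ipaddress.ip_network(value)
        elif flag == "-j":
            spec["target"] = value
        else:
            raise ValueError("unsupported option: " + flag)
    return spec

def forward_verdict(in_if, out_if, src_ip, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Netfilter semantics: the first rule whose matches all hold decides;
    if no rule matches, the chain policy applies."""
    src = ipaddress.ip_address(src_ip)
    for spec in (parse_rule(r) for r in rules):
        if "in" in spec and spec["in"] != in_if:
            continue
        if "out" in spec and spec["out"] != out_if:
            continue
        if "src" in spec and src not in spec["src"]:
            continue
        return spec["target"]
    return policy

# Constructed sample flows (in_iface, out_iface, source address).
SAMPLE_FLOWS = {
    "guest to internet": ("xenbr0", "eth0", "192.168.0.11"),
    "DNATed internet to VM2": ("eth0", "xenbr0", "203.0.113.7"),
    "xenbr0 to xenbr1 (isolated)": ("xenbr0", "xenbr1", "192.168.0.11"),
    "wrong source on xenbr0": ("xenbr0", "eth0", "192.168.1.5"),
}

def evaluate_samples():
    return {name: forward_verdict(*flow) for name, flow in SAMPLE_FLOWS.items()}
```

These rules govern IPv4 only: ip6tables keeps its own FORWARD chain and policy, and net.ipv4.ip_forward does not enable IPv6 forwarding (that is the separate net.ipv6.conf.all.forwarding sysctl), so an IPv6 path through the bridges needs both configured on their own.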
asked Jan 18 at 9:36 by JonasVH, edited Jan 21 at 11:31
Comment: If you are trying to create a guide, then re-write it to be a question, and answer it. (Self-answered questions are encouraged.)
– ctrl-alt-delor, Jan 20 at 15:57