teh fear

18 Feb

xen iptables redirect problem

This may not apply to more recent versions of Xen and CentOS; however, running kernel 2.6.18-xen_3.1.0 on CentOS 4.5, I have found that port redirection doesn't work as expected.

We have some roaming users who send mail through our mail server using SMTP authentication. Unfortunately, when they connect through a Vodafone 3G dongle they have been complaining that they receive a temporary failure message (421 service not available). Having made sure that it was not our mail server sending this error message, it would appear that Vodafone intercepts port 25 (SMTP) traffic.

We used to simply redirect another port (in this example port 2525) to port 25 to get around this:

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 2525 -j REDIRECT --to-ports 25

However, since installing Xen, the above no longer works in Dom0. I believe this is because packets no longer enter the box on eth0: Xen has added peth0 and xenbr0, and packets flow through these before finding their way to eth0.

Changing the incoming interface to peth0 or xenbr0 doesn't work either; the packets appear to vanish (at least, I failed to find which interface they had gone to using tcpdump).

Eventually, I found an answer that worked for me, using the DNAT target on the bridge:

iptables -t nat -I PREROUTING -i xenbr0 -p TCP -d <ip-address-of-eth0> --dport 2525 -j DNAT --to-destination <ip-address-of-eth0>:25
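The following shell script is an added example, not code from the original post. It wraps the Dom0 workaround above in reusable functions so the rule can be reviewed before it is applied: the bridge name xenbr0, the Dom0 address 192.0.2.10 (a constructed TEST-NET-1 placeholder) and the port numbers are assumptions that can be overridden through the environment. Besides the DNAT rule it also emits the matching filter-table INPUT rule, since after DNAT in PREROUTING the filter table sees the packet with the translated destination port (25), not the port the client connected to (2525).

```shell
#!/bin/sh
# Added example (not from the original post): build, show and optionally apply
# the Xen Dom0 DNAT workaround for an alternate SMTP submission port.
# All of the values below are assumptions; override them via the environment.
BRIDGE="${BRIDGE:-xenbr0}"         # bridge the packets actually arrive on in Dom0
DOM0_IP="${DOM0_IP:-192.0.2.10}"   # constructed placeholder for the eth0 address
ALT_PORT="${ALT_PORT:-2525}"       # port the roaming users connect to
SMTP_PORT="${SMTP_PORT:-25}"       # port the MTA really listens on
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the iptables commands, 0 = run them

# nat-table rule: rewrite ALT_PORT -> SMTP_PORT for traffic addressed to Dom0.
# Matching on -d keeps the translation limited to Dom0's own address, so
# packets merely bridged through to a DomU are never rewritten.
dnat_rule() {
    printf '%s' "-t nat -I PREROUTING -i $BRIDGE -p tcp -d $DOM0_IP --dport $ALT_PORT -j DNAT --to-destination $DOM0_IP:$SMTP_PORT"
}

# filter-table rule: the INPUT chain runs after PREROUTING DNAT, so it must
# accept the translated port (25), not the port the client dialled (2525).
input_rule() {
    printf '%s' "-I INPUT -p tcp -d $DOM0_IP --dport $SMTP_PORT -j ACCEPT"
}

# Print or execute one iptables invocation depending on DRY_RUN.
run_iptables() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Apply (or show) both rules; word splitting of the rule strings is intended.
apply_rules() {
    run_iptables $(dnat_rule)
    run_iptables $(input_rule)
}

# Show PREROUTING with packet counters: a non-zero counter on the DNAT rule is
# the quickest confirmation that the bridge really is the ingress interface.
show_counters() {
    run_iptables -t nat -L PREROUTING -n -v
}

apply_rules
show_counters
```

Run it once with the default DRY_RUN=1 to inspect the exact commands, then with DRY_RUN=0 (as root) to install them; the counters printed by show_counters are the check that the rule is actually matching, which is the step that was missing when the eth0/peth0 variants silently failed.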


© 2010 teh fear
