
Re: [Xen-users] howto do NAT from a bridged xenU on dual homed host with one public ip?



On Friday 02 September 2005 12:10, you wrote:

> >>My problem:
> >>
> >>I cannot reach the internet from the xenU domain.
> >>How do I set it up? Outgoing packets do not seem to be natted.
> >
> > incoming packages (from domU as well as from eth1) will appear as coming
> > from "xen-br0" once xen is started.
> >
> > You'll have to adapt your nat scripts to use "xen-br0" as
> > "internal"/"dmz" device.
> >
> > Maybe you'll also have to fix your routing tables on dom0 to use the
> > xen-br0 device instead of eth1.
>
> can you provide a few sample iptables commands for this to work?
>
OK, an (untested) example:

eth0: 1.2.3.4, "world" device with official IP

192.168.1.0/24 is the natted subnet with 192.168.1.1 being the router, 
192.168.1.2 being the domU, rest of subnet attached to router on eth1

I'd start with creating the bridge myself; that way it's up before Xen, and I 
can start the networking/firewall before booting domU.
So configure eth1 WITHOUT an IP address, create a bridge, say "br0", with eth1 
attached, set the IP on br0 to 192.168.1.1, set the netmask.
Routing table should now contain something like
# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.1         0.0.0.0         UG    0      0        0 eth0
and no references to eth1 in there.

All of this might be doable with your distribution's startup scripts, so 
nothing to code yourself this far...

Now to set up your NAT rules: if you use something premade for your 
distribution, check its config and replace every occurrence of "eth1" with 
"br0".

Boot up domU, after changing its config to attach its network to "br0" instead of 
"xen-br0".


Otherwise, 
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
might do the trick.

Now domU should be natted, and the NAT for the boxes connected to eth1 should 
still work.

/Ernst
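The procedure above, written out as a script. This is an added example, not Ernst's own commands or anything shipped with Xen: it uses the interface names, addresses and upstream gateway (eth0/1.2.3.4/1.2.3.1, eth1, br0, 192.168.1.0/24 with 192.168.1.1 on the bridge) from the example in the mail, and assumes iproute2 syntax for creating the bridge (the bridge-utils equivalent of the era would be brctl addbr/addif), a restrictive FORWARD policy and an anti-spoofing rule that the mail does not mention, and that the domU config then points its vif at the bridge (vif = [ 'bridge=br0' ] in the config syntax of that time, which is assumed here). It defaults to printing the commands so the rule set can be reviewed without root; run it with --apply as root to execute them.

```shell
#!/bin/sh
# Added example (not from the original post): bring up a bridge "br0"
# carrying eth1 plus the domU vif, then SNAT the 192.168.1.0/24 subnet
# out of eth0 (public IP 1.2.3.4). Interface names, addresses and the
# upstream gateway 1.2.3.1 come from the post's example; the iproute2
# syntax, FORWARD policy and anti-spoof rules are assumptions of this
# example. Run as root with --apply, or with --dry-run to print only.

WORLD_IF=eth0
WORLD_IP=1.2.3.4
WORLD_GW=1.2.3.1
LAN_IF=eth1
BRIDGE=br0
LAN_NET=192.168.1.0/24
LAN_IP=192.168.1.1/24

# In dry-run mode (the default) print each command instead of executing
# it, so the rule set can be reviewed without root or real NICs.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_bridge() {
    # eth1 carries no address of its own: the address moves to the bridge,
    # so the routing table references br0 and never eth1.
    run ip addr flush dev "$LAN_IF"
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$LAN_IF" master "$BRIDGE"
    run ip link set "$LAN_IF" up
    run ip addr add "$LAN_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    run ip route replace default via "$WORLD_GW" dev "$WORLD_IF"
}

# Forwarding is off by default; nothing below works until it is on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

setup_nat() {
    # dom0 becomes a router, so forwarding is denied by default and only
    # the two directions we want are opened.
    run iptables -P FORWARD DROP
    # Anti-spoofing first: packets arriving from the world that claim an
    # internal source address must never match the LAN rules below.
    run iptables -A INPUT   -i "$WORLD_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WORLD_IF" -s "$LAN_NET" -j DROP
    # LAN (domU and the hosts behind eth1) -> world, and the replies back.
    run iptables -A FORWARD -i "$BRIDGE" -o "$WORLD_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WORLD_IF" -o "$BRIDGE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source NAT lives in the POSTROUTING chain of the nat table; the
    # PREROUTING chain accepts neither an SNAT target nor an -o match.
    # Restricting the rule to -s $LAN_NET means only traffic from the
    # internal subnet gets the public address; anything else is left alone.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WORLD_IF" \
        -j SNAT --to-source "$WORLD_IP"
}

setup_xen_nat() {
    setup_bridge
    enable_forwarding
    setup_nat
}

case "${1:-}" in
    --apply)   DRY_RUN=0; setup_xen_nat ;;
    --dry-run) DRY_RUN=1; setup_xen_nat ;;
esac
```

Once this has run, the domU config only has to name the bridge (bridge=br0 on its vif) and the hosts on eth1 keep working unchanged, since they now sit on the same bridge as the domU. SNAT with a fixed --to-source fits a static public address; MASQUERADE would be the choice if eth0 got its address dynamically.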

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

