
Re: [Xen-users] Routing with Xen-Bridge



On 10/15/06 12:11, G.Wendebourg wrote:
> Is there any example-configuration, how to set up networking with a
> bridge, when my xen-system is located behind a router to the inet?
> 
> I'm now having the router with 192.168.0.1.
> 
> On my Xen 3.0 I have the bridge installed and thus eth0 and xenintbr
> running with the added vif's.
> 
> Which configuration might be assigned to the netdevices on the xen-system
> with the goal to enable the guests to make connections to the internet
> and also have a forwarding from outside to specific guests (relying on
> the port that's requested from outside)?
> 
> It seems to be a very standard solution, but I didn't find out how to
> realize it, after trying several configurations on my guest-systems and
> the Dom-0.
> What has been working is the connection between Dom-0 and guest, and after
> configuring masquerading also the connection from guest to the internet.
> Also I found that after altering the network of some guest it was
> stopping its work, even if set back to the initial config and rebooted.
> 

Yes, I posted a patch called network-private to the xen-users list a
week ago or so

http://lists.xensource.com/archives/html/xen-users/2006-09/msg00925.html

Note there is one line in the attachment that got wrapped... near the top

"mac=${mac:-$(awk 'BEGIN { printf "00:16:3e:%02x:%02x:%02x", int(rand()*127), int(rand()*255), int(rand()*255); }')}"

needs to be one line.

I am convinced that most of the more complicated xen networking issues
can be resolved using network-private.  It creates a private network,
and vif0 in dom0 is connected to it.

In your example, you use xen-private to create a private network between
the dom0 and domUs.  Then you can set dom0 up as a router, same as any
other router, forgetting about xen completely... use shorewall or do
something like

iptables -t nat -A PREROUTING -i eth0 -d ipaddr -p tcp --dport whatever -j DNAT --to localaddr
iptables -t nat -A POSTROUTING -o eth0 -s localnetwork/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

and other rules in the FORWARD chain based on how you want to configure
security...

Also, since you set these rules independent of XEN, and the
configuration of the network is the SAME if xen is running or not
running, these rules in iptables are not affected so will just time out
(or return "No route to host") if xen is not running.  Starting and
stopping doesn't change the network architecture.

John
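The reply above sketches the three pieces of a dom0 router (DNAT for published ports, MASQUERADE for outbound guest traffic, ip_forward) and leaves the FORWARD chain "based on how you want to configure security". As an added example that is not from the original post, the network-private patch, or Xen's own scripts, the following POSIX shell script puts those pieces together with a default-deny FORWARD chain, so that only the published ports and guest-initiated connections cross dom0. All addresses are assumptions for illustration: dom0's external interface eth0 at 192.168.0.10 behind the 192.168.0.1 router from the question, a private guest network 10.0.0.0/24, and a guest at 10.0.0.2 publishing HTTP on port 80 and SSH on external port 2222. The `publish_port` and `setup_router` function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: dom0 as a NAT router for a
# private Xen network.  Addresses below are assumed for illustration.

EXT_IF="${EXT_IF:-eth0}"             # dom0 interface towards the home router
EXT_IP="${EXT_IP:-192.168.0.10}"     # dom0 address on that interface (assumed)
PRIV_NET="${PRIV_NET:-10.0.0.0/24}"  # private network shared with the domUs (assumed)
# IPTABLES=echo turns every rule into a printed line (dry run, no root needed).
IPTABLES="${IPTABLES:-iptables}"

# Publish one TCP service: traffic reaching EXT_IP:ext_port from outside is
# DNATed to guest:guest_port, and the rewritten flow is allowed through FORWARD.
#   $1 = external port, $2 = guest address, $3 = guest port (defaults to $1)
publish_port() {
    ext_port=$1; guest=$2; guest_port=${3:-$1}
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$ext_port" \
        -j DNAT --to-destination "$guest:$guest_port"
    # PREROUTING runs before FORWARD, so FORWARD already sees the guest address
    # and the guest port; with a DROP policy the flow must be accepted explicitly.
    $IPTABLES -A FORWARD -i "$EXT_IF" -d "$guest" -p tcp --dport "$guest_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

setup_router() {
    # Default deny: nothing crosses dom0 unless a rule below allows it.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    # Replies for connections that were already accepted, in either direction.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Guests may open connections to the internet, hidden behind dom0's address.
    $IPTABLES -A FORWARD -s "$PRIV_NET" -o "$EXT_IF" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s "$PRIV_NET" -o "$EXT_IF" -j MASQUERADE
    # Services reachable from outside (guest 10.0.0.2 is assumed).
    publish_port 80 10.0.0.2        # http://192.168.0.10/ -> 10.0.0.2:80
    publish_port 2222 10.0.0.2 22   # ssh -p 2222 192.168.0.10 -> 10.0.0.2:22
    # Routing between eth0 and the private network is off by default.
    if [ "$IPTABLES" = "iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Usage:  sh xen-router.sh dry-run   (prints the rules)
#         sh xen-router.sh apply     (as root on dom0)
case "${1:-}" in
    apply)   setup_router ;;
    dry-run) ( IPTABLES=echo; setup_router ) ;;
esac
```

Because the rules refer only to dom0's own interfaces and the private network, they are valid whether or not any domU is running, which is the point made in the reply: stopping a guest leaves the rules in place and the DNATed connections simply time out. The port-forward to the home router (192.168.0.1 forwarding to 192.168.0.10) still has to be configured on that router.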
