Hi again,
this is the config of xen in my Debian Etch:
/etc/xen/xend-config
(network-script network-bridge-wrapper)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)
(vncpasswd '')
---------------------------------------------------------------------------
/etc/xen/scripts/network-bridge-wrapper
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up
----------------------------------------------------------------------------
the domu (Firewall)
/etc/xen/firewall-config.sxp
name="firewall"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=256
disk=['file:/xen1/firewall.img,hda1,w']
vif=[
'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1'
]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="firewall.domain.com"
extra="3"
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
-------------------------------------------------------------------------------
in this domU (the firewall) I have a bridge between eth1 and eth0,
you can do in CentOS way (inside the domain) ;)
here is the config file of a domu behind the FW:
/etc/xen/domu-config.sxp
name="domu"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=92
disk=['file:/xen1/domu.img,hda1,w']
vif=[ 'bridge=xenbrFW , vifname=domu.eth0' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="domu.domain.com"
extra="3"
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'
----------------------------------------------------------------------------------------------------
In the domU (firewall) I have the following iptables config:
#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start
iptables=/sbin/iptables
$iptables -F
$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
# Logs
#$iptables -A INPUT -j LOG --log-prefix="IPTABLES-INPUT: "
#$iptables -A OUTPUT -j LOG --log-prefix="IPTABLES-OUTPUT: "
#$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "
$iptables -A INPUT -i lo -j ACCEPT
# Traffic control
tc qdisc del dev eth0 parent root
tc qdisc add dev eth0 parent root handle 1:0 htb default 40
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit
tc qdisc del dev eth1 parent root
tc qdisc add dev eth1 parent root handle 2:0 htb default 40
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit
$iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY
--set-class 2:20
$iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY
--set-class 1:20
Sustitute XX.XX.XX.XX by your ip 's ;)
There is an issue with the traffic control in one way, the rate is
multiplied by 2, I don't know the reason :(, I have tested this tc
config with another box without XEN and it works great.
Don't forget to do this:
echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
see the post " iptables and state matches (established, related)"
in this mail list. You can put it in your sysctl.conf.
So... that's all (I hope :) ) if you need anything else.... tell me
Regards,
Marc
Ronan wrote:
Marc
thats exactly what i require...
any of your config would be really helpful!
many thanks in advance!
Ronan
Hi Ronan,
do you want to do something like this (see the image) ?
After reading a lot of stuff I made a wrapper of network-bridge,
that I call network-bridge-wrapper, here is it:
#!/bin/sh
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up
I changed the line in xend-config.sxp that calls, network-bridge
to call network-bridge-wrapper ...
If you want I can post more info about this config (my domu
config files, iptables, ebtables....). I'm using Debian, so... I
hope scripts in CentOS are so close to Debian.
Regards,
Marc
Ronan wrote:
My situation:
Running centos5 on a machine directly connected to internet.
I have a paravirtualised centos5 core machine in domu1 with only
1 eth configured eth0 dy dhcp.
What I want:
to configure the dom0 bridge to simply route all traffic at
ethernet level to dom1(firewall/router) and have dom1 then nat
if out to my other domu's and machines on my private 192.168
network using dhcpd configured on eth1 on the machine.
My difficulties:
setting up the dom0 bridging to do what i want ie xenbr0 to eth0
on domu1 and then xenbr1 to eth1 on domu1
I then intend to remove / lock dom0 down and only use the domu's
as dhcp configured servers.
There are a couple of URLs i've looked at
http://lists.xensource.com/archives/html/xen-users/2006-02/msg00602.html
etc but there aren't any specific configuration information.
Can i get some pointers as to where to look, or even example
configs?
thanks
Ronan
(ps if this is the 3rd like message of mine today i apologise, I
can tell if the other two messages i send actually did...)
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
------------------------------------------------------------------------
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
