
Re: [Xen-users] IP blocking


  • To: shacky <shacky83@xxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
  • From: mail4dla@xxxxxxxxxxxxxx
  • Date: Wed, 8 Aug 2007 10:03:25 +0200
  • Delivery-date: Wed, 08 Aug 2007 01:01:03 -0700
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi,

Please also reply to the list, as this also gives other people the chance to respond ;)

On 8/7/07, shacky <shacky83@xxxxxxxxx> wrote:
> How can I disconnect it?

If the DomU is already started, "brctl delif xenbrX vifY.Z" is your friend.
Before starting, you can simply set "bridge=" in the DomU config file.
 

> Ok, thank you.
> I'm sorry, but I didn't understand how to make the routing... With
> some MASQ rules with Shorewall (iptables) on the dom0? And then the
> domUs need to configure the dom0 IP address as default gateway?

Yes. But you should use the IP of the vifY.Z interface.
You could also consider doing the routing in a dedicated DomU which is (in theory) a bit more secure, but also more complicated. 

> > I can't tell you what to do, because I do not know *exactly* what you're
> > aiming at.
>
> I have a simple configuration: a dom0 with some domUs, which need to
> have Internet access through the dom0 eth0. Each domU has a vif
> named "vif-[domU's name]", which is now bridged with the dom0.
> I have to restrict the IP addresses the domUs can use, to prevent
> users from changing their IP addresses or adding other virtual interfaces
> (eth0:x).


Yes, and that's the important point: Do you want to do NAT and share one IP or should each DomU have its own IP that is visible to the outside?
In the latter case, the easiest solution is a dedicated subnet for the DomUs that is routed via an IP in the DomU. I.e., all traffic targeted to one of the DomUs is not sent directly there but to the Dom0.
AFAIK, most providers of cheap servers with root access do not offer this.
 

Cheers
dla

> > If you're dependent on some sort of provider, i.e. you have rented some
> > server, you're probably best at following the already mentioned approach of
> > using iptables and ebtables.
>
> Yes, I wish to use iptables. I am using Shorewall as Iptables
> configurator, and I wish to continue to use it for the dom0 too...
>
> Please, could you help me?
> I am very confused... :-(
>
> Bye!
> Mattia.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
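
One way to generate the ebtables side of the per-DomU IP restriction discussed in this thread, as an added example that is not part of the original messages. The interface names, the 192.0.2.x addresses and the function names are assumptions; the `--ip-src ! address` placement follows the legacy ebtables syntax.

```shell
#!/bin/sh
# Added example: print (not apply) ebtables rules that pin a DomU backend
# interface to one IPv4 address. Names and addresses are constructed samples.

# Succeeds if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
}

# Succeeds if $1 is a plausible backend name: "vif" prefix, safe characters,
# at most 15 characters (the Linux interface-name limit).
valid_vif() {
    case $1 in
        vif?*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Print the rules for one vif/address pair; non-zero status on bad input.
# Only IPv4 and ARP are covered; other EtherTypes (e.g. IPv6) are not.
pin_vif_rules() {
    valid_vif "$1"  || { echo "bad vif name: $1" >&2; return 1; }
    valid_ipv4 "$2" || { echo "bad IPv4 address: $2" >&2; return 1; }
    for _chain in FORWARD INPUT; do   # bridged traffic and traffic to Dom0
        echo "ebtables -A $_chain -i $1 -p IPv4 --ip-src ! $2 -j DROP"
        echo "ebtables -A $_chain -i $1 -p ARP --arp-ip-src ! $2 -j DROP"
    done
}

# Constructed sample: two DomUs on the bridge.
pin_vif_rules vif1.0 192.0.2.10
pin_vif_rules vif-web 192.0.2.11
```

The script only prints the commands, so the output can be reviewed in the Dom0 before it is applied.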

 

