
Re: [Xen-users] Xen 3.4.2 networking help



Hi Alexander,

On Tuesday, 26.10.2010, 09:44 -0700, Alexander Zherdev wrote:
> (If this is a double post, I apologize, my email client crashed when I
> first sent it)
> 
> I need some help to configure a secure network on my Xen server. I
> have been looking online and it seems I need a routed network. But I
> am having a terrible time implementing it.
> 
> My setup:
> 
> Xen 3.4.2
> CentOS 5.5 Dom0
> 1 NIC (eth0)
>  All guests will be HVM
> 
> What I want to do is something similar to a firewall and port
> forwarding.
> 
> e.g.
> 
> DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> etc.
> 
> Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> 443 to 10.0.0.50
> Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> 80 + 443 to 10.0.0.60
> etc.
> 
> Ideally, the main network card will have a bunch of public IPs that
> will individually route to internal DomU systems that have private IP
> addresses.

So the terms you are searching for are SNAT and DNAT. I wouldn't recommend
pure port forwarding, since it seems too much fiddling with each
individual port.

Use SNAT and DNAT in Dom0 and protect your domU with a simple port filter...

> 
> I also need to prevent a DomU from: a) stealing other IPs 

This is simple:

vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]

> and b) communicating with other private systems unless Dom0 says ok.

1) Each domU has its own Bridge
or
2) 10.0.0.50/32 and only ONE Route to your GW aka Dom0

> Right now, I do not need to have DomU on different physical servers
> sharing same network - what Open vSwitch provides as I understand it -
> that's phase 2. But of course if it provides what I need above easily,
> then I'm for it.

No need for Open vSwitch - it can easily be accomplished with simple
Unix tools ;-)

> 
> What do I need? I know how to accomplish most of it using real
> hardware with firewalls, vlans, etc.

Just ask aunt google for help, e.g.
http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/

seems sufficient for your needs.

> 
> I am fairly new to Xen so please, if possible, provide examples.
>  
> Alexander Zherdev
> azherdev@xxxxxxxxx

hth,


thomas


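As an added illustration of thomas's advice (not code from the thread or from Xen), the script below generates the SNAT/DNAT 1:1 mappings and the port filter for the two guests in Alexander's mail. It assumes the public addresses are aliases on eth0, that the guests live in 10.0.0.0/24 behind Dom0, and that the guest side is routed or uses one bridge per domU, so guest-to-guest traffic really crosses Dom0's FORWARD chain; the function names and the RUN switch are the example's own.

```bash
# Added example, not code from the thread: builds the 1:1 NAT (DNAT + SNAT) and
# port-filter rules thomas recommends, for the two mappings in Alexander's mail.
# Assumptions (not from the thread): public IPs are aliases on eth0, guests sit on
# 10.0.0.0/24 behind Dom0, and guest-to-guest traffic passes Dom0's FORWARD chain
# (routed setup or one bridge per domU). Rules are only printed unless RUN=1.

RUN="${RUN:-0}"

ipt() {
    if [ "$RUN" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# base_rules: drop forwarded traffic unless allowed, keep replies flowing,
# and stop guests from talking to each other through Dom0.
base_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -j DROP
}

# one_to_one PUBLIC PRIVATE "ports": map one public IP to one guest and only
# let the listed TCP ports through (the DNAT rewrites the destination before
# FORWARD is consulted, so the filter matches on the private address).
one_to_one() {
    pub="$1"; priv="$2"; ports="$3"
    ipt -t nat -A PREROUTING -i eth0 -d "$pub" -j DNAT --to-destination "$priv"
    ipt -t nat -A POSTROUTING -o eth0 -s "$priv" -j SNAT --to-source "$pub"
    for p in $ports; do
        ipt -A FORWARD -i eth0 -d "$priv" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
}

# outbound_rules: guests may reach the Internet; a guest without its own SNAT
# leaves as Dom0's address instead of leaking a private source.
outbound_rules() {
    ipt -A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
    ipt -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
}

build_ruleset() {
    base_rules
    one_to_one 92.82.72.100 10.0.0.50 "22 80 443"
    one_to_one 92.82.72.101 10.0.0.60 "21 22 80 443"
    outbound_rules
}

build_ruleset
```

Dom0 additionally needs net.ipv4.ip_forward=1 and a route to 10.0.0.0/24 on the guest side, and the per-guest `ip=` in the vif line from the reply above is what stops a guest from sourcing another guest's address.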



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users


 

