[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Using both NAT and Bridge networking on the same host

On 01/27/2013 03:26 PM, Andreas Hilboll wrote:
Am So 27 Jan 2013 12:46:26 CET schrieb Peter Viskup:
On 01/27/2013 12:01 PM, Andreas Hilboll wrote:
I would like to use bridged networking for some domUs and NAT networking
for some other domUs, all on the same dom0. Currently, I only have the
bridged guests running. In xend-config.sxp, I'm not using any
network-script, as I have done the bridge setup manually. The vif-script
is currently set to vif-bridge.
Now I want to add some more domUs, but using NAT (I don't have enough
public IPs on my hosted server). How can I do this without breaking the
bridged networking setup of the already running guests?
Or do I have to change to NAT networking altogether?
Cheers, Andreas.

PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack
Hi Andreas,
it's possible by using the 'script' attribute within the vif
definition. The  xend-config just defines the 'default' script.

vif = ['ip=10.0.0.YZ-AB.CD.EF.GH, vifname=vps-name-pub,

The vif-nat-fw is my own script which is configuring the NAT on the
fly based on the IP pair defined by the 'ip' attribute. Of course you
can also do the mixed setup with NATed and bridged domains.
For more information browse the /etc/xen/scripts directory.
All other questions are welcome. ;-)
Thanks, Peter, works like a charm =)

Next question: I want to run a service on the domU which should be
accessible from the internet. So I guess I have to somehow insert the
appropriate iptables rules. Which would be the place to do that? I guess
you're doing that in your vif-nat-fw script? If so, maybe you would be
willing to share this? Or should I set the rules 'globally' as post-up
in /etc/network/interfaces?

Cheers, Andreas.

No problem Andreas. The way to do it is up to you - depends on the design. I am doing the iptables NAT1:1 on the fly.
This is the diff -u from the vif-nat and my patched vif-nat-fw:

@@ -82,6 +75,10 @@
 if [ "$ip" = "" ]
+# ip in format meaning NAT
+  ext_ip=$(echo $ip | awk -F- '{print $2}')
+  ip=$(echo $ip | awk -F- '{print $1}')

@@ -161,6 +131,21 @@
                                      # are no vifs.

+  if [ "$1" = "up" ]; then
+    IPTABLES="iptables -I"
+    IPTABLESNAT="iptables -t nat -I"
+  else
+    IPTABLES="iptables -D"
+    IPTABLESNAT="iptables -t nat -D"
+  fi
+  $IPTABLESNAT PREROUTING -i bond0 -s -d $3 -j DNAT --to $2
+  $IPTABLESNAT POSTROUTING -o bond0 -s $2 -d -j SNAT --to $3
+  $IPTABLES INPUT -i $vif -s $2 -d -j ACCEPT

@@ -175,9 +160,11 @@
         do_or_die ip route add "$vif_ip" dev "$vif" src "$router_ip"
         echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
         [ "$dhcp" != 'no' ] && dhcp_up
+       nat_1_to_1 up $ip $ext_ip
         [ "$dhcp" != 'no' ] && dhcp_down
+       nat_1_to_1 down $ip $ext_ip
         do_without_error ifconfig "$vif" down

All the iptables rules are applied calling the function nat_1_to_1(). In the beginning I just extract local IP and external IP from the pair of IPs defined by the 'ip' vif's attribute from domU config.
Hope it's clear.

The other way to do is to apply the same iptables rules on all machines in the environment. The rules become effective only in case the traffic will be routed to that machine. Or to implement OpenvSwitch (I plan this for the future).


Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.