
Re: [Xen-users] Using both NAT and Bridge networking on the same host



On 01/27/2013 03:26 PM, Andreas Hilboll wrote:
Am So 27 Jan 2013 12:46:26 CET schrieb Peter Viskup:
On 01/27/2013 12:01 PM, Andreas Hilboll wrote:
Hi,
I would like to use bridged networking for some domUs and NAT networking
for some other domUs, all on the same dom0. Currently, I only have the
bridged guests running. In xend-config.sxp, I'm not using any
network-script, as I have done the bridge setup manually. The vif-script
is currently set to vif-bridge.
Now I want to add some more domUs, but using NAT (I don't have enough
public IPs on my hosted server). How can I do this without breaking the
bridged networking setup of the already running guests?
Or do I have to change to NAT networking altogether?
Cheers, Andreas.

PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack
Hi Andreas,
it's possible by using the 'script' attribute within the vif
definition. The xend-config just defines the 'default' script.

<code>
vif = ['ip=10.0.0.YZ-AB.CD.EF.GH, vifname=vps-name-pub, script=vif-nat-fw']
</code>

The vif-nat-fw is my own script which is configuring the NAT on the
fly based on the IP pair defined by the 'ip' attribute. Of course you
can also do the mixed setup with NATed and bridged domains.
For more information browse the /etc/xen/scripts directory.
All other questions are welcome. ;-)
Thanks, Peter, works like a charm =)

Next question: I want to run a service on the domU which should be
accessible from the internet. So I guess I have to somehow insert the
appropriate iptables rules. Which would be the place to do that? I guess
you're doing that in your vif-nat-fw script? If so, maybe you would be
willing to share this? Or should I set the rules 'globally' as post-up
in /etc/network/interfaces?

Cheers, Andreas.

No problem Andreas. The way to do it is up to you - depends on the design. I am doing the iptables NAT1:1 on the fly.
This is the diff -u between vif-nat and my patched vif-nat-fw:

<code>
@@ -82,6 +75,10 @@
 if [ "$ip" = "" ]
 then
   ip=$(ip_from_dom)
+else
+# ip in format 10.0.0.5-80.94.54.5 meaning NAT
+  ext_ip=$(echo $ip | awk -F- '{print $2}')
+  ip=$(echo $ip | awk -F- '{print $1}')
 fi
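Review bot: the new else branch assumes `$ip` is always of the form `internal-external`; a bare `ip=10.0.0.5` (the value the surrounding code accepts) leaves `ext_ip` empty because `awk -F- '{print $2}'` prints nothing, and neither half is checked to be an address before it is handed to iptables. Suggest matching the pair form explicitly, e.g. `case "$ip" in *-*) ext_ip=${ip#*-}; ip=${ip%-*} ;; esac`, and validating both halves, so that a guest configured without a pair falls through to the existing routed behaviour instead of reaching the NAT rules with an empty argument.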

@@ -161,6 +131,21 @@
                                      # are no vifs.
 }

+nat_1_to_1()
+{
+  if [ "$1" = "up" ]; then
+    IPTABLES="iptables -I"
+    IPTABLESNAT="iptables -t nat -I"
+  else
+    IPTABLES="iptables -D"
+    IPTABLESNAT="iptables -t nat -D"
+  fi
+  $IPTABLESNAT PREROUTING -i bond0 -s 0.0.0.0/0 -d $3 -j DNAT --to $2
+  $IPTABLESNAT POSTROUTING -o bond0 -s $2 -d 0.0.0.0/0 -j SNAT --to $3
+  $IPTABLES INPUT -i $vif -s $2 -d 0.0.0.0/0 -j ACCEPT
+  $IPTABLES FORWARD -s 0.0.0.0/0 -d $2 -j ACCEPT
+  $IPTABLES FORWARD -s $2 -d 0.0.0.0/0 -j ACCEPT
+}

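Review bot: the three filter rules in nat_1_to_1() are far more permissive than the 1:1 NAT needs. `FORWARD -d $2 -j ACCEPT` admits any traffic from anywhere to the guest, `FORWARD -s $2 -j ACCEPT` is not tied to `$vif`, so another domU can spoof `$2` and borrow the guest's path out, and `INPUT -i $vif -s $2 -j ACCEPT` gives the guest unrestricted access to every service listening in dom0. Suggest binding each rule to its interfaces (`-i bond0 -o $vif` inbound, `-i $vif -o bond0` outbound), limiting inbound to the published ports with `-p tcp --dport` and `-m conntrack --ctstate NEW` next to one shared ESTABLISHED,RELATED rule, and dropping the INPUT rule unless dom0 really serves the guest. The `-s 0.0.0.0/0` and `-d 0.0.0.0/0` matches are no-ops and can go, and `bond0` deserves a variable beside `IPTABLES` rather than being hard-coded four times.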
@@ -175,9 +160,11 @@
         do_or_die ip route add "$vif_ip" dev "$vif" src "$router_ip"
         echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
         [ "$dhcp" != 'no' ] && dhcp_up
+       nat_1_to_1 up $ip $ext_ip
         ;;
     offline)
         [ "$dhcp" != 'no' ] && dhcp_down
+       nat_1_to_1 down $ip $ext_ip
         do_without_error ifconfig "$vif" down
         ;;
 esac
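Review bot: `nat_1_to_1 up $ip $ext_ip` runs unconditionally in the online arm, so on the `ip=""` path (where `ip_from_dom` fills `ip` and `ext_ip` is never set) the function is called with two arguments, `$3` expands to nothing and the first rule becomes `-d -j DNAT --to 10.0.0.5`, which iptables cannot parse, leaving the remaining rules half-applied. Guard both calls, e.g. `[ -n "$ext_ip" ] && nat_1_to_1 up "$ip" "$ext_ip"` and the matching `down` line, and quote the arguments; the offline arm then also skips cleanly for guests that never received NAT rules.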
</code>

All the iptables rules are applied by calling the function nat_1_to_1(). At the beginning I just extract the local IP and the external IP from the pair of IPs defined by the vif's 'ip' attribute in the domU config.
Hope it's clear.

The other way to do it is to apply the same iptables rules on all machines in the environment. The rules become effective only in case the traffic is routed to that machine. Or to implement Open vSwitch (I plan this for the future).

--
Peter

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users
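An added example, not Peter's vif-nat-fw and not code from the thread, of how the same 'ip=internal-external' convention can drive a tighter rule set than the posted diff: every rule is bound to an interface, only listed TCP ports are published, and nothing is opened into dom0. The vif name, 'bond0' as the external interface, the port list and the dry-run default (IPT printing the iptables commands instead of running them) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the vif-nat-fw script from the thread: a stricter
# version of the 1:1 NAT rule handling for a Xen (xm-era) vif hot-plug
# script. Assumptions, none of them from the thread: the external
# interface is bond0 as in the posted diff, the vif 'ip' attribute holds
# exactly "internal-external", only the TCP ports in ALLOWED_TCP_PORTS are
# published, and IPT defaults to a dry run that prints the iptables
# commands instead of executing them.
EXT_IF=${EXT_IF:-bond0}
ALLOWED_TCP_PORTS=${ALLOWED_TCP_PORTS:-80,443}
IPT=${IPT:-echo iptables}

# is_ipv4 ADDR: true for a dotted quad whose four octets are all in 0..255
is_ipv4() {
    _rest=$1 _n=0
    while [ -n "$_rest" ]; do
        _oct=${_rest%%.*}
        case "$_oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
        _n=$((_n + 1))
        [ "$_rest" = "$_oct" ] && break
        _rest=${_rest#*.}
    done
    [ "$_n" -eq 4 ]
}

# parse_nat_pair "INT-EXT": sets int_ip and ext_ip; false for a bare
# address, several addresses or a malformed half, so the caller can fall
# back to plain routing instead of feeding an empty --to to iptables
parse_nat_pair() {
    int_ip= ext_ip=
    case "$1" in
        *-*-*|*' '*|'') return 1 ;;
        *-*) int_ip=${1%-*} ext_ip=${1#*-} ;;
        *) return 1 ;;
    esac
    is_ipv4 "$int_ip" && is_ipv4 "$ext_ip"
}

# nat_rules up|down VIF INT EXT: print one iptables argument list per
# line. Every rule is tied to an interface (so another domU cannot spoof
# INT through its own vif), inbound traffic is limited to NEW connections
# on the published ports, and the guest gets no INPUT rule into dom0.
# Return traffic relies on one shared rule installed once at boot:
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# with the FORWARD policy set to DROP.
nat_rules() {
    _op=-D; [ "$1" = up ] && _op=-I
    _vif=$2 _int=$3 _ext=$4
    echo "-t nat $_op PREROUTING -i $EXT_IF -d $_ext -j DNAT --to-destination $_int"
    echo "-t nat $_op POSTROUTING -o $EXT_IF -s $_int -j SNAT --to-source $_ext"
    echo "$_op FORWARD -i $EXT_IF -o $_vif -d $_int -p tcp -m multiport --dports $ALLOWED_TCP_PORTS -m conntrack --ctstate NEW -j ACCEPT"
    echo "$_op FORWARD -i $_vif -o $EXT_IF -s $_int -m conntrack --ctstate NEW -j ACCEPT"
}

# vif_event online|offline VIF IP_ATTR: what the online/offline arms of
# the hot-plug script would call. Returns 1 (and touches nothing) when
# the ip attribute is not a NAT pair, so bridged or plainly routed guests
# served by the same script are left alone.
vif_event() {
    parse_nat_pair "$3" || return 1
    _act=down; [ "$1" = online ] && _act=up
    nat_rules "$_act" "$2" "$int_ip" "$ext_ip" | while IFS= read -r _args; do
        # deliberate word splitting: _args is a fixed argument list built above
        $IPT $_args || exit 1
    done
}

# Constructed sample in the 'ip=internal-external' shape from the thread;
# 198.51.100.0/24 is documentation address space, not a real public host.
vif_event online vif1.0 10.0.0.5-198.51.100.5
```

Run as-is it only prints the four rules it would install; with IPT=iptables and the functions pasted into the online)/offline) arms of a copy of vif-nat it replaces nat_1_to_1. A guest whose 'ip' attribute carries no '-' is left untouched, which is what keeps a mixed bridged/NAT setup like the one in the first reply from picking up NAT rules by accident.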