WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] howto do NAT from a bridged xenU on dual homed host with

To: Ron Arts <ron.arts@xxxxxxxxxx>
Subject: Re: [Xen-users] howto do NAT from a bridged xenU on dual homed host with one public ip?
From: Ernst Bachmann <e.bachmann@xxxxxxxx>
Date: Fri, 2 Sep 2005 12:29:49 +0200
Cc: Xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date: Fri, 02 Sep 2005 10:27:52 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <431824F8.8030102@xxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <43181E6D.7050807@xxxxxxxxxx> <200509021158.50845.e.bachmann@xxxxxxxx> <431824F8.8030102@xxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.1
On Friday 02 September 2005 12:10, you wrote:

> >>My problem:
> >>
> >>I cannot reach the internet from the xenU domain.
> >>How do I set it up? Outgoing packets do not seem to be natted.
> >
> > incoming packets (from domU as well as from eth1) will appear as coming
> > from "xen-br0" once xen is started.
> >
> > You'll have to adapt your nat scripts to use "xen-br0" as
> > "internal"/"dmz" device.
> >
> > Maybe you'll also have to fix your routing tables on dom0 to use the
> > xen-br0 device instead of eth1.
>
> can you provide a few sample iptables commands for this to work?
>
OK, an (untested) example:

eth0: 1.2.3.4, "world" device with official IP

192.168.1.0/24 is the NATted subnet, with 192.168.1.1 being the router, 
192.168.1.2 being the domU, and the rest of the subnet attached to the router on eth1

I'd start with creating the bridge myself; that way it's up before Xen, and I 
can start the networking/firewall before booting domU.
So configure eth1 WITHOUT an IP address, create a bridge, say "br0", with eth1 
attached, set the IP on br0 to 192.168.1.1, and set the netmask.
The routing table should now contain something like
# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.1         0.0.0.0         UG    0      0        0 eth0
and no references to eth1 in there.

All of this might be doable with your distribution's startup scripts, so 
nothing to code yourself this far...

Now to set up your NAT rules: if you use something premade for your 
distribution, check its config and replace every occurrence of "eth1" with 
"br0".

Boot up domU, changing its config to attach its network to "br0" instead of 
"xen-br0".


Otherwise, 
# SNAT is only valid in the nat table's POSTROUTING chain, which matches on the
# outgoing interface; select the internal hosts by source address instead of -i.
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
might do the trick.

Now domU should be NATted, and the NAT for boxes connected to eth1 should 
still work.

/Ernst
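The procedure above (bridge eth1 into br0, move dom0's internal address onto the bridge, then SNAT the internal subnet out of eth0) as one added, runnable shell example. This is not code from the original post or from the Xen project; the interface names and addresses (eth0/1.2.3.4, eth1, br0/192.168.1.1, 192.168.1.0/24) are the values assumed in the mail, the `run` helper and the `DRY_RUN` switch are this example's own conventions, and the FORWARD-chain policy is an assumed minimum rather than something the mail specifies. It needs root and `brctl`, `ip`, `iptables` and `sysctl` on the host unless run with `DRY_RUN=1`, in which case it only prints what it would do.

```shell
#!/bin/sh
# Added example (not from the original post): bridge eth1 into br0, put dom0's
# internal address on the bridge, enable forwarding and SNAT the internal
# subnet behind the public address on eth0.
set -eu

WORLD_IF=eth0          # "world" device with the official IP (assumed value)
WORLD_IP=1.2.3.4       # official IP on eth0 (assumed value)
LAN_IF=eth1            # physical LAN interface, now enslaved to the bridge
BRIDGE=br0             # bridge the domU vif will attach to as well
LAN_NET=192.168.1.0/24 # NATted subnet (assumed value)
LAN_IP=192.168.1.1/24  # dom0's internal address, on br0 rather than eth1

# Set DRY_RUN=1 to print the commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# eth1 carries no IP of its own; br0 takes over the LAN address and route.
setup_bridge() {
    run ip addr flush dev "$LAN_IF"
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$LAN_IF"
    run ip link set "$LAN_IF" up
    run ip addr add "$LAN_IP" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
}

setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    # SNAT belongs in nat/POSTROUTING and matches the OUTGOING interface;
    # the source match limits rewriting to the internal subnet.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WORLD_IF" \
        -j SNAT --to-source "$WORLD_IP"
    # Assumed forwarding policy: internal hosts (domU and the eth1 LAN, both
    # behind br0) may go out; only replies to their connections come back in.
    run iptables -A FORWARD -i "$BRIDGE" -o "$WORLD_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WORLD_IF" -o "$BRIDGE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

# Check the routing table matches the mail: LAN route on br0, nothing on eth1.
check_routes() {
    ip route show | grep -q "$LAN_NET dev $BRIDGE" &&
        ! ip route show | grep -q "dev $LAN_IF"
}

# Uncomment to apply on a real host (run as root):
# setup_bridge && setup_nat && check_routes
```

Run it with `DRY_RUN=1 sh` and the functions above called at the end to review the command list before touching a live host. The domU side is just the bridge name in its vif line, e.g. `vif = [ 'bridge=br0' ]` in the domain config (assumed syntax for the Xen of that era); the FORWARD rules apply to domU and to the eth1 hosts alike, since both arrive on br0.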

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
