On Friday 02 September 2005 12:10, you wrote:
> >>My problem:
> >>
> >>I cannot reach the internet from the xenU domain.
> >>How do I set it up? Outgoing packets do not seem to be natted.
> >
> > incoming packages (from domU as well as from eth1) will appear as coming
> > from "xen-br0" once xen is started.
> >
> > You'll have to adapt your nat scripts to use "xen-br0" as
> > "internal"/"dmz" device.
> >
> > Maybe you'll also have to fix your routing tables on dom0 to use the
> > xen-br0 device instead of eth1.
>
> can you provide a few sample iptables commands for this to work?
>
OK, an (untested) example:
eth0: 1.2.3.4, "world" device with official IP
192.168.1.0/24 is the natted subnet with 192.168.1.1 being the router,
192.168.1.2 being the domU, rest of subnet attached to router on eth1
I'd start with creating the bridge myself, that way it's up before xen, and I
can start the networking/firewall before booting domU,
so configure eth1 WITHOUT an IP address, create a bridge, say "br0", with eth1
attached, set the IP on br0 to 192.168.1.1, set the netmask.
Routing table should now contain something like
# route -n
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth0
and no references to eth1 in there
All of this might be doable with your distributions startup scripts, so
nothing to code yourself this far...
Now, to set up your NAT rules: if you use something premade for your
distribution, check its config, and replace every occurrence of "eth1" with
"br0".
Boot up domU, changing its config to attach its network to "br0" instead of
"xen-br0".
otherwise,
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
might do the trick.
now domU should be natted, and the nat for boxes connected to eth1 should
still work.
/Ernst
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users