From: Thomas Halinka <lists@xxxxxxxxx>
To: Alexander Zherdev <azherdev@xxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tue, October 26, 2010 9:59:06 AM
Subject: Re: [Xen-users] Xen 3.4.2 networking help
Hi Alexander,
On Tuesday, 26.10.2010 at 09:44 -0700, Alexander Zherdev wrote:
> (If this is a double post, I apologize, my email client crashed when I
> first sent it)
>
> I need some help to configure a secure network on my Xen server. I
> have been looking online and it seems I need a routed network. But I
> am having a terrible time implementing it.
>
> My setup:
>
> Xen 3.4.2
> CentOS 5.5 Dom0
> 1 NIC (eth0)
> All guests will be HVM
>
> What I want to do is something similar to a firewall and port
> forwarding.
>
> e.g.
>
> DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> etc.
>
>
> Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> 443 to 10.0.0.50
> Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> 80 + 443 to 10.0.0.60
> etc.
>
> Ideally, the main network card will have a bunch of public IPs that
> will individually route to internal DomU systems that have private IP
> addresses.
So the terms you are searching for are SNAT and DNAT. I wouldn't recommend
pure port forwarding, since it seems too much fiddling with each
individual port.
Use SNAT and DNAT in Dom0 and protect your domU by a simple port filter...
>
> I also need to prevent a DomU from: a) stealing other IPs
this is simple:
vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]
> and b) communicating with other private systems unless Dom0 says ok.
1) Each domU has its own Bridge
or
2) 10.0.0.50/32 and only ONE Route to
your GW aka Dom0
> Right now, I do not need to have DomU on different physical servers
> sharing same network - what open vswitch provides as I understand it -
> that's phase 2. But of course if it provides what I need above easily,
> then I'm for it.
No Need for openvSwitch - can be easily accomplished with simple
Unix-Tools ;-)
>
> What do I need? I know how to accomplish most of it using real
> hardware with firewalls, vlans, etc.
Just ask aunt google for help, e.g.
http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
seems sufficient for your needs.
>
> I am fairly new to Xen so please, if possible, provide examples.
>
> Alexander Zherdev
>
> azherdev@xxxxxxxxx

hth,
thomas
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
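A Dom0 rule generator for the 1:1 NAT plus port filter Thomas describes, as an added example that is not from the thread or from the Xen project. It assumes eth0 is the public NIC, that the domUs sit on 10.0.0.0/24 behind per-domU bridges routed by Dom0, and it prints the iptables commands for review instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): build the Dom0 iptables rules for one
# domU using 1:1 NAT (DNAT inbound, SNAT outbound) and a port filter on the
# FORWARD chain. Assumptions: eth0 is the public interface and Dom0 routes
# between eth0 and the domU bridges. Nothing is applied; the output is meant
# to be reviewed first and then run as root on Dom0.

# Usage: nat_rules PUBLIC_IP PRIVATE_IP "PORT PORT ..."
nat_rules() {
    pub=$1; priv=$2; ports=$3
    # Inbound: packets for the public address are rewritten to the domU.
    echo "iptables -t nat -A PREROUTING -i eth0 -d $pub -j DNAT --to-destination $priv"
    # Outbound: traffic from the domU leaves with its own public address.
    echo "iptables -t nat -A POSTROUTING -o eth0 -s $priv -j SNAT --to-source $pub"
    # Port filter: replies to existing flows pass, then only the listed TCP
    # ports may open new connections, everything else from outside is dropped.
    echo "iptables -A FORWARD -i eth0 -d $priv -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A FORWARD -i eth0 -d $priv -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i eth0 -d $priv -j DROP"
}

# Keep domUs from talking to each other through Dom0 (Thomas's point b);
# assumed private subnet 10.0.0.0/24. Put this before any domU rules.
isolation_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -j DROP"
}

# Number of rules emitted for one domU (used by the self-check).
rule_count() { nat_rules "$@" | wc -l | tr -d ' '; }

# The two domUs from the thread.
isolation_rules
nat_rules 92.82.72.100 10.0.0.50 "22 80 443"
nat_rules 92.82.72.101 10.0.0.60 "21 22 80 443"
```

The vif line Thomas quotes (`vif = [ 'ip=10.0.0.50,mac=...' ]`) still belongs in each domU config so the guest cannot use an address other than the one its NAT rules expect.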