WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

Re: [Xen-users] Xen 3.4.2 networking help

To: lists@xxxxxxxxx, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Xen 3.4.2 networking help
From: Alexander Zherdev <azherdev@xxxxxxxxx>
Date: Tue, 26 Oct 2010 22:12:50 -0700 (PDT)
Cc:
Delivery-date: Tue, 26 Oct 2010 22:14:12 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1288156370; bh=EmSHBhahKAUGHm+saEq/5m+iaOOYBmzkbOHOZwYuqzc=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=fZLkKbL8TvPmLYx9g5RQnKwOVG6UvWJICi0w629zLwM7ZLLwPFuR7nt2WIa/kiD2TNjFEiyyBFHPgxVv0bwh7l2uq/W/iJz+IT7rQPgeafOT6BKcw8hh7D3WkVG7PSsr73zar9JyUPwoPJmVlx7r2W7ABnA9JV3kDyz7B35sDpE=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=JQgY5zW5W32AGT2BYdUVMz+xXbq6kqUBDR8FmPexWn2VbSxFxEFjORDCOmQ01QU9up23Nsdh2WpnthbElpYqkNwZxLepRVl54flT4+iatNvXvZ2UycwANKJQb3ZJUE8X0/AC9Ea+d9rn8ikNc26kwyp2v9X01JS0sXgQ0HWFZIk=;
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1288112346.2867.147.camel@E4310>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <1288112346.2867.147.camel@E4310>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thank you Thomas,

Few followup questions:

1. Which network mode is best for this configuration? bridge, route, nat?
2. On my box, when I specified the IP in the vif section, it didn't prevent anything nor did it assign that IP. I am booting into Windows 2003 and 2008 DomU.

The only way that I found that I can have Dom0 dictate the IP of the DomU was to enable DHCP on the dnsmasq service in Dom0 and map the MAC to IP on it. Still didn't prevent the Windows user from assigning a static IP of their choice and being able to communicate between systems on the bridge and outside.

Is this a limitation of Windows or HVM or is something mis-configured on my end?

Here is my config of the W2K3 DomU:


import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'

kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
memory = 8192
name = "vm-app-1a"
uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"

vcpus = 2
pae = 1
acpi = 1
apic = 1
cpus = "2-7"

vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]

disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]





device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot = "c"

sdl=0
vnc=1
vnclisten="10.20.30.40"
vncpasswd='vncpass'
stdvga=0
serial='pty'
usbdevice='tablet'



Alexander Zherdev
azherdev@xxxxxxxxx



From: Thomas Halinka <lists@xxxxxxxxx>
To: Alexander Zherdev <azherdev@xxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tue, October 26, 2010 9:59:06 AM
Subject: Re: [Xen-users] Xen 3.4.2 networking help

Hi Alexander,

Am Dienstag, den 26.10.2010, 09:44 -0700 schrieb Alexander Zherdev:
> (If this is a double post, I apologize, my email client crashed when I
> first sent it)
>
> I need some help to configure a secure network on my Xen server. I
> have been looking online and it seems a I need a routed network. But I
> am having a terrible time implementing it.
>
> My setup:
>
> Xen 3.4.2
> CentOS 5.5 Dom0
> 1 NIC (eth0)
>  All guests will be HVM
>
> What I want to do is something similar to a firewall and port
> forwarding.
>
> e.g.
>
> DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> etc.
>
> Dom0 eht0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> 443 to 10.0.0.50
> Dom0 eht0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> 80 + 443 to 10.0.0.60
> etc.
>
> Ideally, the main network card will have a bunch of public IPs that
> will individually route to internal DomU systems that have private IP
> addresses.

So the terms your are searching are SNAT and DNAT. i would't recommend
pure Portforwarding, since it seems to much fiddling, which each
individual port.

Use SNAT and DNAT in Dom0 and protect your domU by simple Port-Filter...

>
> I also need to prevent a DomU from: a) stealing other IPs

this is simple:

vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]

> and b) communicating with other private systems unless Dom0 sais ok.

1) Each domU has its own Bridge
or
2) 10.0.0.50/32 and only ONE Route to your GW aka Dom0

> Right now, I do not need to have DomU on different physical servers
> sharing same network - what open vswitch provides as I understand it -
> that's phase 2. But of course if it provides what I need above easily,
> then I'm for it.

No Need for openvSwitch - can be easily accomplished with simple
Unix-Tools ;-)

>
> What do I need? I know how to accomplish most of it using real
> hardware with firewalls, vlans, etc.

Just ask aunt google for help, e.g.
http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/

seems sufficient for your needs.

>
> I am fairly new to Xen so please, if possible, provide examples.

> Alexander Zherdev
> azherdev@xxxxxxxxx

hth,


thomas


> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users