Pardon my long email below, I hope it will shed some light.
I've googled and tried various things but nothing seems to work. I have upgraded to 3.4.3 of Xen and the kernel had an update too.
My brain is fried right now. The only thing that seems to work is bridged mode. In bridged mode, my DomU gets the DHCP from dnsmasq and it can then surf the web. But I can't get to it from outside. In route or nat mode, the DomU can't even get out. Below is a test in NAT mode of xend.
Below I have a pretty verbose output of iptables, ip r, and ifconfig right after I boot the physical server, then after I start the DomU, and then after I apply the SNAT and DNAT settings (only ip r changes then).
I appreciate any help that you have.
-----------------------------
Kernel: 2.6.18-194.17.4.el5xen
Xen: 3.4.3
Source: www.gitco.de/etc/xen/xend-config.sxp
(network-nat)
(vif-nat)
Attempted the SNAT/DNAT configuration using this:
iptables -t nat -A PREROUTING -i eth0 -d XXX.XXX.XXX.70 -j DNAT --to-destination 192.168.122.150
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.122.150 -j SNAT --to-source XXX.XXX.XXX.70
route add -host XXX.XXX.XXX.70 vif1.0
arp -Ds XXX.XXX.XXX.70 vif1.0
-> SIOCSARP: Invalid argument
Windows Configuration
DHCP
IP 192.168.122.150
MS 255.255.255.0
GW 192.168.122.1
CLEAN BOOT ------------------------------------
ifconfig
eth0 Link encap:Ethernet HWaddr 00:25:90:1B:E6:7E
inet addr:XXX.XXX.XXX.67 Bcast:XXX.XXX.XXX.95 Mask:255.255.255.224
inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:1 Link encap:Ethernet HWaddr 00:25:90:1B:E6:7E
inet addr:XXX.XXX.XXX.70 Bcast:XXX.XXX.XXX.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
peth0 Link encap:Ethernet HWaddr 00:25:90:1B:E6:7E
inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Memory:fafe0000-fb000000
virbr0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ip r
XXX.XXX.XXX.64/27 dev eth0 proto kernel scope link src XXX.XXX.XXX.67
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via XXX.XXX.XXX.65 dev eth0
/etc/dnsmasq.conf
dhcp-range=192.168.122.10,192.168.122.250,255.255.255.0,12h
dhcp-host=00:16:3e:00:01:02,192.168.122.150
/vm/cfg/vm-000002/vm-000002.xen
import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
memory = 8192
name = "vm-app-1a"
uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"
vcpus = 2
pae = 1
acpi = 1
apic = 1
cpus = "2-7"
vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]
disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot = "c"
sdl=0
vnc=1
vnclisten="XXX.XXX.XXX.67"
vncpasswd='vnc'
stdvga=0
serial='pty'
usbdevice='tablet'
AFTER VM CREATED ------------------------------------
ifconfig
eth0 Link encap:Ethernet HWaddr 00:25:90:1B:E6:7E
inet addr:XXX.XXX.XXX.67 Bcast:XXX.XXX.XXX.95 Mask:255.255.255.224
inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:1 Link encap:Ethernet HWaddr 00:25:90:1B:E6:7E
inet addr:XXX.XXX.XXX.70 Bcast:XXX.XXX.XXX.95 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
peth0 Link encap:Ethernet HWaddr 00:25:90:1B:E6:7E
inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Memory:fafe0000-fb000000
tap1.0 Link encap:Ethernet HWaddr 2E:59:30:A2:97:17
inet6 addr: fe80::2c59:30ff:fea2:9717/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
vif1.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
inet addr:192.168.122.21 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST MULTICAST MTU:1500 Metric:1
virbr0 Link encap:Ethernet HWaddr 2E:59:30:A2:97:17
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif1.0 udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
ACCEPT all -- 192.168.122.150 anywhere PHYSDEV match --physdev-in vif1.0
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ip r
192.168.122.150 dev vif1.0 scope link src 192.168.122.21
XXX.XXX.XXX.64/27 dev eth0 proto kernel scope link src XXX.XXX.XXX.67
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via XXX.XXX.XXX.65 dev eth0
AFTER SNAT/DNAT -----------------------------
192.168.122.150 dev vif1.0 scope link src 192.168.122.21
XXX.XXX.XXX.70 dev vif1.0 scope link
XXX.XXX.XXX.64/27 dev eth0 proto kernel scope link src XXX.XXX.XXX.67
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth0 scope link
default via XXX.XXX.XXX.65 dev eth0
From: Thomas Halinka <lists@xxxxxxxxx>
To: Alexander Zherdev <azherdev@xxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tue, October 26, 2010 9:59:06 AM
Subject: Re: [Xen-users] Xen 3.4.2 networking help
Hi Alexander,
On Tuesday, 26.10.2010, 09:44 -0700, Alexander Zherdev wrote:
> (If this is a double post, I apologize, my email client crashed when I
> first sent it)
>
> I need some help to configure a secure network on my Xen server. I
> have been looking online and it seems a I need a routed network. But I
> am having a terrible time implementing it.
>
> My setup:
>
> Xen 3.4.2
> CentOS 5.5 Dom0
> 1 NIC (eth0)
> All guests will be HVM
>
> What I want to do is something similar to a firewall and port
> forwarding.
>
> e.g.
>
> DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same
> address and simplifies creating templates)
> DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same
> address and simplifies creating templates)
> etc.
>
> Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> 443 to 10.0.0.50
> Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> 80 + 443 to 10.0.0.60
> etc.
>
> Ideally, the main network card will have a bunch of public IPs that
> will individually route to internal DomU systems that have private IP
> addresses.
So the terms you are searching for are SNAT and DNAT. I wouldn't recommend
pure port forwarding, since it seems too much fiddling with each
individual port.
Use SNAT and DNAT in Dom0 and protect your domU with a simple port filter...
>
> I also need to prevent a DomU from: a) stealing other IPs
this is simple:
vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]
> and b) communicating with other private systems unless Dom0 says ok.
1) Each domU has its own bridge
or
2) 10.0.0.50/32 and only ONE route to your GW aka Dom0
> Right now, I do not need to have DomU on different physical servers
> sharing same network - what open vswitch provides as I understand it -
> that's phase 2. But of course if it provides what I need above easily,
> then I'm for it.
No need for openvSwitch - can be easily accomplished with simple Unix tools ;-)
>
> What do I need? I know how to accomplish most of it using real
> hardware with firewalls, vlans, etc.
Just ask aunt google for help, e.g.
http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
seems sufficient for your needs.
>
> I am fairly new to Xen so please, if possible, provide examples.
>
> Alexander Zherdev
>
> azherdev@xxxxxxxxx
hth,
thomas
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
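As an added example, not code from either poster, the script below generates the 1:1 NAT (DNAT plus SNAT) and FORWARD port-filter rules Thomas describes for one public IP mapped to one DomU in the routed/NAT (vif-nat) layout Alexander is testing. The public IP 203.0.113.100, the guest address 10.0.0.50, the interface names eth0 and vif1.0, and the 10.0.0.0/24 guest network are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: emit the 1:1 NAT and FORWARD-filter
# rules for one public IP mapped to one HVM DomU in vif-nat mode.
# 203.0.113.100, 10.0.0.50, eth0, vif1.0 and 10.0.0.0/24 are assumed
# placeholders. Set APPLY=1 to execute the commands instead of printing them.

nat_rules() {
    pub="$1" priv="$2" wan="$3" vif="$4" ports="$5"
    # Dom0 has to route between eth0 and the guest vif at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Inbound: anything addressed to the public IP is rewritten to the DomU.
    echo "iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $priv"
    # Outbound: the DomU's own traffic leaves with its public IP, not Dom0's.
    echo "iptables -t nat -A POSTROUTING -o $wan -s $priv -j SNAT --to-source $pub"
    # Replies to connections the DomU opened are always allowed back in.
    echo "iptables -A FORWARD -o $vif -d $priv -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # New inbound connections: only the listed TCP service ports (the port filter).
    for p in $ports; do
        echo "iptables -A FORWARD -i $wan -o $vif -d $priv -p tcp --dport $p -j ACCEPT"
    done
    # Isolation: the DomU may reach the Internet but not its neighbours on the
    # private net. Traffic to Dom0 itself passes INPUT, not FORWARD, so DHCP and
    # DNS served by dnsmasq on Dom0 are unaffected by this rule.
    echo "iptables -A FORWARD -i $vif -s $priv -d 10.0.0.0/24 -j REJECT"
    echo "iptables -A FORWARD -i $vif -s $priv -o $wan -j ACCEPT"
    # Everything else aimed at this guest is refused.
    echo "iptables -A FORWARD -o $vif -d $priv -j REJECT --reject-with icmp-port-unreachable"
}

# Print (default) or run each generated command.
apply_rules() {
    nat_rules "$@" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

apply_rules 203.0.113.100 10.0.0.50 eth0 vif1.0 "22 80 443"
```

Because iptables evaluates a chain in order, these rules only filter anything if they come before a catch-all accept such as the "ACCEPT all -- anywhere anywhere" entry in the FORWARD listing above; load them with the chain flushed or insert them with -I.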