Hi Alexander,
On Tuesday, 26.10.2010, 22:12 -0700, Alexander Zherdev wrote:
> Thank you Thomas,
>
> Few followup questions:
>
> 1. Which network mode is best for this configuration? bridge, route,
> nat?
bridged-setup
> 2. On my box, when I specified the IP in the vif section, it didn't
> prevent anything nor did it assign that IP. I am booting into Windows
> 2003 and 2008 DomU.
Oh, you didn't say you're using HVM....
> The only way that I found that I can have Dom0 dictate the IP of the
> DomU was to enable DHCP on the dnsmasq service in Dom0 and map the MAC
> to IP on it. Still didn't prevent the Windows user from assigning a
> static IP of their choice and being able to communicate between
> systems on the bridge and outside.
the ip-statement only works with pv-domains...
>
> Is this a limitation of Windows or HVM or is something mis-configured
> on my end?
hvm.
>
> Here is my config of the W2K3 DomU:
>
>
> import os, re
> arch = os.uname()[4]
> if re.search('64', arch):
>     arch_libdir = 'lib64'
> else:
>     arch_libdir = 'lib'
>
> kernel = "/usr/lib/xen/boot/hvmloader"
> builder='hvm'
> memory = 8192
> name = "vm-app-1a"
> uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"
>
> vcpus = 2
> pae = 1
> acpi = 1
> apic = 1
> cpus = "2-7"
>
> vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]
>
> disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]
>
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'
>
> device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
> boot = "c"
>
> sdl=0
> vnc=1
> vnclisten="10.20.30.40"
> vncpasswd='vncpass'
> stdvga=0
> serial='pty'
> usbdevice='tablet'
>
>
>
>
> Alexander Zherdev
> azherdev@xxxxxxxxx
>
>
>
>
> ______________________________________________________________________
> From: Thomas Halinka <lists@xxxxxxxxx>
> To: Alexander Zherdev <azherdev@xxxxxxxxx>
> Cc: xen-users@xxxxxxxxxxxxxxxxxxx
> Sent: Tue, October 26, 2010 9:59:06 AM
> Subject: Re: [Xen-users] Xen 3.4.2 networking help
>
> Hi Alexander,
>
> On Tuesday, 26.10.2010, 09:44 -0700, Alexander Zherdev wrote:
> > (If this is a double post, I apologize, my email client crashed when I
> > first sent it)
> >
> > I need some help to configure a secure network on my Xen server. I
> > have been looking online and it seems I need a routed network. But I
> > am having a terrible time implementing it.
> >
> > My setup:
> >
> > Xen 3.4.2
> > CentOS 5.5 Dom0
> > 1 NIC (eth0)
> > All guests will be HVM
> >
> > What I want to do is something similar to a firewall and port
> > forwarding.
> >
> > e.g.
> >
> > DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same
> > address and simplifies in creating templates)
> > DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same
> > address and simplifies in creating templates)
> > etc.
> >
> > Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> > 443 to 10.0.0.50
> > Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> > 80 + 443 to 10.0.0.60
> > etc.
> >
> > Ideally, the main network card will have a bunch of public IPs that
> > will individually route to internal DomU systems that have private IP
> > addresses.
>
> So the terms you are searching are SNAT and DNAT. I wouldn't recommend
> pure Portforwarding, since it seems too much fiddling, with each
> individual port.
>
> Use SNAT and DNAT in Dom0 and protect your domU by simple
> Port-Filter...
>
> >
> > I also need to prevent a DomU from: a) stealing other IPs
>
> this is simple:
>
> vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]
>
> > and b) communicating with other private systems unless Dom0 says ok.
>
> 1) Each domU has its own Bridge
> or
> 2) 10.0.0.50/32 and only ONE Route to your GW aka Dom0
>
> > Right now, I do not need to have DomU on different physical servers
> > sharing same network - what open vswitch provides as I understand it -
> > that's phase 2. But of course if it provides what I need above easily,
> > then I'm for it.
>
> No Need for openvSwitch - can be easily accomplished with simple
> Unix-Tools ;-)
>
> >
> > What do I need? I know how to accomplish most of it using real
> > hardware with firewalls, vlans, etc.
>
> Just ask aunt google for help, e.g.
> http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
>
> seems sufficient for your needs.
>
> >
> > I am fairly new to Xen so please, if possible, provide examples.
> >
> > Alexander Zherdev
> > azherdev@xxxxxxxxx
>
> hth,
>
>
> thomas
>
>
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users
>
>
>
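The Dom0-side scheme Thomas describes (bridged setup, SNAT/DNAT in Dom0, a port filter, per-guest isolation, and a Dom0 replacement for the `ip=` binding that HVM guests do not honour) as an added example script; it is not from the thread. The public and private addresses come from the thread; the Dom0 tap names (`tap1.0`, `tap2.0`), the second guest's MAC, the bridge and NIC names, and the use of ebtables for the layer-2 binding are assumptions. The script prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the xen-users thread. Generates the Dom0 rules that
# replace the vif "ip=" enforcement HVM guests lack, plus 1:1 NAT and a port
# filter. Addresses are the thread's; tap names, MACs and interface names
# are assumptions.

WAN_IF=eth0      # public-facing NIC (assumed name)
BRIDGE=virbr0    # bridge the guest tap devices hang off (assumed name)

# Constructed table: public_ip private_ip dom0_port guest_mac allowed_tcp_ports
GUESTS='
92.82.72.100 10.0.0.50 tap1.0 00:16:3e:00:01:02 22,80,443
92.82.72.101 10.0.0.60 tap2.0 00:16:3e:00:01:03 21,22,80,443
'

# Print the rule set to stdout; review it, then pipe it into sh to apply.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # A frame entering on one guest port never leaves on another guest port:
    # guest-to-guest traffic only happens if Dom0 inserts an exception first.
    echo "ebtables -A FORWARD -i tap+ -o tap+ -j DROP"

    printf '%s\n' "$GUESTS" | while read pub priv vif mac ports; do
        if [ -z "$pub" ]; then continue; fi
        # Layer-2 binding: only this MAC and this IP may originate on this port,
        # for IP and for ARP, so a guest that sets its own static address or
        # answers ARP for another address is dropped at the bridge.
        echo "ebtables -A FORWARD -i $vif ! -s $mac -j DROP"
        echo "ebtables -A FORWARD -i $vif -p IPv4 ! --ip-src $priv -j DROP"
        echo "ebtables -A FORWARD -i $vif -p ARP ! --arp-ip-src $priv -j DROP"
        # 1:1 NAT: the public IP lives on Dom0; inbound DNAT only on the
        # published ports, outbound SNAT back to the same public IP.
        echo "ip addr add $pub dev $WAN_IF"
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $priv"
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
        # Port filter in FORWARD: only new connections to the published ports
        # reach the guest; the guest may open connections outward.
        echo "iptables -A FORWARD -i $WAN_IF -o $BRIDGE -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $BRIDGE -o $WAN_IF -s $priv -j ACCEPT"
    done
}

gen_rules
```

Two points worth checking before applying the output: an HVM guest's ioemu NIC appears in Dom0 as a tap device, and if PV drivers are installed in Windows a vif device appears alongside it and needs the same three binding rules; and bridged frames only reach the iptables FORWARD chain when bridge-nf is enabled, which is why the MAC/IP/ARP binding is done in ebtables rather than with the iptables physdev match. Exceptions to the guest isolation are added with `ebtables -I FORWARD` ahead of the DROP rule.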