WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-users

Re: [Xen-users] Xen 3.4.2 networking help

Hi Alexander,

On Tuesday, 26.10.2010 at 22:12 -0700, Alexander Zherdev wrote:
> Thank you Thomas,
> 
> Few followup questions:
> 
> 1. Which network mode is best for this configuration? bridge, route,
> nat?

bridged-setup

> 2. On my box, when I specified the IP in the vif section, it didn't
> prevent anything nor did it assign that IP. I am booting into Windows
> 2003 and 2008 DomU. 

Oh, you didn't say you're using HVM....

> The only way that I found that I can have Dom0 dictate the IP of the
> DomU was to enable DHCP on the dnsmasq service in Dom0 and map the MAC
> to IP on it. Still didn't prevent the Windows user from assigning a
> static IP of their choice and being able to communicate between
> systems on the bridge and outside.

the ip= statement only works with PV domains...
> 
> Is this a limitation of Windows or HVM or is something mis-configured
> on my end?

HVM.

> 
> Here is my config of the W2K3 DomU:
> 
> 
> import os, re
> arch = os.uname()[4]
> if re.search('64', arch):
>     arch_libdir = 'lib64'
> else:
>     arch_libdir = 'lib'
> 
> kernel = "/usr/lib/xen/boot/hvmloader"
> builder='hvm'
> memory = 8192
> name = "vm-app-1a"
> uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"
> 
> vcpus = 2
> pae = 1
> acpi = 1
> apic = 1
> cpus = "2-7"
> 
> vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]
> 
> disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]
> 
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'
> 
> device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
> boot = "c"
> 
> sdl=0
> vnc=1
> vnclisten="10.20.30.40"
> vncpasswd='vncpass'
> stdvga=0
> serial='pty'
> usbdevice='tablet'
> 
> 
> 
> 
> Alexander Zherdev
> azherdev@xxxxxxxxx
> 
> 
> 
> 
> ______________________________________________________________________
> From: Thomas Halinka <lists@xxxxxxxxx>
> To: Alexander Zherdev <azherdev@xxxxxxxxx>
> Cc: xen-users@xxxxxxxxxxxxxxxxxxx
> Sent: Tue, October 26, 2010 9:59:06 AM
> Subject: Re: [Xen-users] Xen 3.4.2 networking help
> 
> Hi Alexander,
> 
> On Tuesday, 26.10.2010 at 09:44 -0700, Alexander Zherdev wrote:
> > (If this is a double post, I apologize, my email client crashed when I
> > first sent it)
> > 
> > I need some help to configure a secure network on my Xen server. I
> > have been looking online and it seems I need a routed network. But I
> > am having a terrible time implementing it.
> > 
> > My setup:
> > 
> > Xen 3.4.2
> > CentOS 5.5 Dom0
> > 1 NIC (eth0)
> >  All guests will be HVM
> > 
> > What I want to do is something similar to a firewall and port
> > forwarding.
> > 
> > e.g.
> > 
> > DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign the
> > same address, which simplifies creating templates)
> > DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign the
> > same address, which simplifies creating templates)
> > etc.
> > 
> > Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> > 443 to 10.0.0.50
> > Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> > 80 + 443 to 10.0.0.60
> > etc.
> > 
> > Ideally, the main network card will have a bunch of public IPs that
> > will individually route to internal DomU systems that have private IP
> > addresses.
> 
> So the terms you are searching for are SNAT and DNAT. I wouldn't recommend
> pure port forwarding, since it seems too much fiddling with each
> individual port.
> 
> Use SNAT and DNAT in Dom0 and protect your domU by simple
> Port-Filter...
> 
> > 
> > I also need to prevent a DomU from: a) stealing other IPs 
> 
> this is simple:
> 
> vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]
> 
> > and b) communicating with other private systems unless Dom0 says ok.
> 
> 1) Each domU has its own Bridge
> or
> 2) 10.0.0.50/32 and only ONE Route to your GW aka Dom0
> 
> > Right now, I do not need to have DomU on different physical servers
> > sharing same network - what open vswitch provides as I understand it -
> > that's phase 2. But of course if it provides what I need above easily,
> > then I'm for it.
> 
> No need for Open vSwitch - it can be easily accomplished with simple
> Unix tools ;-)
> 
> > 
> > What do I need? I know how to accomplish most of it using real
> > hardware with firewalls, vlans, etc.
> 
> Just ask aunt google for help, e.g.
> http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
> 
> seems sufficient for your needs.
> 
> > 
> > I am fairly new to Xen so please, if possible, provide examples.
> >  
> > Alexander Zherdev
> > azherdev@xxxxxxxxx
> 
> hth,
> 
> 
> thomas
> 
> 
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users



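As an added example (not from this thread, and not Xen's own tooling): a Dom0 shell script that turns the advice in the thread into iptables/ebtables rules. It does DNAT/SNAT plus a port filter for the public-to-private mappings from the original question, and, because the vif ip= option is only enforced for PV guests, it pins each HVM guest to its MAC/IP on its bridge port in Dom0 instead. Assumptions: the guests are on separate bridges with Dom0 as router (Thomas's option 1), so guest traffic is routed and crosses the iptables FORWARD chain; ebtables is installed in Dom0; the bridge-port names tap1.0 and tap2.0 and the second guest's MAC 00:16:3e:00:01:03 are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Dom0 NAT, port filter and per-guest
# anti-spoofing rules for the setup discussed on the list.
# With RUN unset the commands are only printed (dry run); run as root with
# RUN= (empty) to execute them.
RUN=${RUN-echo}

# Default: nothing is routed through Dom0 unless a rule below allows it.
base_policy() {
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# DNAT the listed TCP ports of one public IP (arriving on eth0, the only
# NIC) to one guest, SNAT the guest's outbound traffic to that public IP,
# and open only those ports in FORWARD: the "simple port filter".
# usage: nat_guest PUBLIC_IP PRIVATE_IP PORT[,PORT...]
nat_guest() {
    pub=$1; priv=$2
    for port in $(printf '%s' "$3" | tr ',' ' '); do
        $RUN iptables -t nat -A PREROUTING -i eth0 -d "$pub" -p tcp \
            --dport "$port" -j DNAT --to-destination "$priv"
        $RUN iptables -A FORWARD -d "$priv" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $RUN iptables -t nat -A POSTROUTING -s "$priv" -o eth0 \
        -j SNAT --to-source "$pub"
}

# vif ip= is only enforced for PV guests, so pin an HVM guest on its bridge
# port in Dom0: frames from that port with a different source MAC, a
# different IPv4 source or an ARP sender address it does not own are dropped.
# INPUT covers frames addressed to Dom0 itself (the guest's gateway),
# FORWARD covers anything the bridge would pass to another port.
# usage: pin_guest VIF MAC IP   (VIF is the guest's port name, assumed tapN.0)
pin_guest() {
    vif=$1; mac=$2; ip=$3
    for chain in INPUT FORWARD; do
        $RUN ebtables -A "$chain" -i "$vif" -s ! "$mac" -j DROP
        $RUN ebtables -A "$chain" -i "$vif" -p IPv4 --ip-src ! "$ip" -j DROP
        $RUN ebtables -A "$chain" -i "$vif" -p ARP --arp-ip-src ! "$ip" -j DROP
    done
}

# The mapping from the original question (IPs and ports from the thread;
# port names and the second MAC are constructed for this example).
apply_all() {
    base_policy
    nat_guest 92.82.72.100 10.0.0.50 22,80,443
    nat_guest 92.82.72.101 10.0.0.60 21,22,80,443
    pin_guest tap1.0 00:16:3e:00:01:02 10.0.0.50
    pin_guest tap2.0 00:16:3e:00:01:03 10.0.0.60
}

apply_all
```

Run it once without RUN set to review the generated rules, then as root with RUN= to apply them; the rules are appended, so start from flushed chains or add an `-F` step before apply_all. The ebtables pinning only stops a guest from using another address on the wire; Thomas's per-guest bridge (or a /32 with Dom0 as the only route) is still what keeps guests from talking to each other except through the FORWARD rules.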