Hi again,
just a short step-by-step guide.
On Tuesday, 26.10.2010, 23:54 -0700, Alexander Zherdev wrote:
> Pardon my long email below, I hope it will shed some light.
>
> I've googled and tried various things but nothing seem to work. I have
> upgraded to 3.4.3 of Xen and the kernel had an update too.
So you had a lot of fun ;-)
> My brain is fried right now. The only thing that seems to work is
> bridged mode. In bridged mode, my DomU gets the DHCP from dnsmasq and
> it can then surf the web. But I can't get to it from outside. In route
> or nat mode, the DomU can't even get out. Below is a test in NAT mode
> of xend.
Don't use NAT - it's just MASQUERADING! Communication from the internet would
only be possible through port forwarding....
> Below I have a pretty verbose output of iptables, ip r, and ifconfig
> right after I boot the physical server, then after I start the DomU,
> and then after I apply the SNAT and DNAT settings (only ip r changes
> then).
>
> I appreciate any help that you have.
>
> -----------------------------
>
> Kernel: 2.6.18-194.17.4.el5xen
> Xen: 3.4.3
> Source: www.gitco.de
>
> /etc/xen/xend-config.sxp
> (network-nat)
> (vif-nat)
Please do the following.
- Disable the default firewall (only to get your setup running)
# service iptables stop
- Write down an ugly script, something like:
#!/bin/bash
# Private bridge for the domUs; /27 used since your public net is /27 too.
# 192.168.128.65 is the dom0 IP on that bridge (the domUs' gateway).
brctl addbr xen-privatelan
ip addr add 192.168.128.65/27 dev xen-privatelan
ip link set xen-privatelan up
# Let dom0 route between the bridge and eth0
echo 1 > /proc/sys/net/ipv4/ip_forward
- and save it e.g. to
/etc/xen/scripts/network-mynet
- make it executable
chmod +x /etc/xen/scripts/network-mynet
- change the xen networking-script entries (in xend-config.sxp) to e.g.
...
(network-script network-mynet)
(vif-script vif-bridge)
.....
######## reboot your dom0 #####################
After the reboot, set up your Windows box to use the bridge "xen-privatelan"
- change domU.cfg
...
vif = [ 'type=ioemu, bridge=xen-privatelan, mac=00:16:3e:00:01:02' ]
.....
- start your domU
- set up the network settings in the domU (192.168.128.70/27, gateway 192.168.128.65 = dom0-IP)
- at this point you should be able to ping dom0 from your domU!
Access to the internet and from the internet to the domU should NOT work.
Otherwise triple-check "brctl show", "ip r s", and friends...
- Set up "1:1 NAT"
iptables -t nat -A PREROUTING -d XXX.XXX.XXX.70 -j DNAT --to-destination 192.168.128.70
iptables -t nat -A POSTROUTING -s 192.168.128.70 -j SNAT --to-source XXX.XXX.XXX.70
--> domU has internal IP 192.168.128.70 and is reachable via external IP XXX.XXX.XXX.70
--> domU should be able to ping the "internet"
--> domU should be reachable from the "internet" through XXX.XXX.XXX.70
Am i right? :-)
cu,
thomas
> Attempted the SNAT/DNAT configuration using this:
>
> iptables -t nat -A PREROUTING -i eth0 -d XXX.XXX.XXX.70 -j DNAT --to-destination 192.168.122.150
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.122.150 -j SNAT --to-source XXX.XXX.XXX.70
> route add -host XXX.XXX.XXX.70 vif1.0
> arp -Ds XXX.XXX.XXX.70 vif1.0
> -> SIOCSARP: Invalid argument
>
> Windows Configuration
> DHCP
> IP 192.168.122.150
> MS 255.255.255.0
> GW 192.168.122.1
>
> CLEAN BOOT ------------------------------------
>
> ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
>           inet addr:XXX.XXX.XXX.67  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
>           inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> eth0:1    Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
>           inet addr:XXX.XXX.XXX.70  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>
> peth0     Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
>           inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Memory:fafe0000-fb000000
>
> virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
>           inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
>           inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
>
> iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> ip r
> XXX.XXX.XXX.64/27 dev eth0  proto kernel  scope link  src XXX.XXX.XXX.67
> 192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
> 169.254.0.0/16 dev eth0  scope link
> default via XXX.XXX.XXX.65 dev eth0
>
> /etc/dnsmasq.conf
> dhcp-range=192.168.122.10,192.168.122.250,255.255.255.0,12h
> dhcp-host=00:16:3e:00:01:02,192.168.122.150
>
> /vm/cfg/vm-000002/vm-000002.xen
> import os, re
> arch = os.uname()[4]
> if re.search('64', arch):
> arch_libdir = 'lib64'
> else:
> arch_libdir = 'lib'
>
> kernel = "/usr/lib/xen/boot/hvmloader"
> builder='hvm'
> memory = 8192
> name = "vm-app-1a"
> uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"
>
> vcpus = 2
> pae = 1
> acpi = 1
> apic = 1
> cpus = "2-7"
> vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]
>
> disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]
>
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'
>
> device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
> boot = "c"
>
> sdl=0
> vnc=1
> vnclisten="XXX.XXX.XXX.67"
> vncpasswd='vnc'
> stdvga=0
> serial='pty'
> usbdevice='tablet'
>
>
>
> AFTER VM CREATED ------------------------------------
>
>
>
>
> ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
>           inet addr:XXX.XXX.XXX.67  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
>           inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> eth0:1    Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
>           inet addr:XXX.XXX.XXX.70  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>
> peth0     Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
>           inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Memory:fafe0000-fb000000
>
> tap1.0    Link encap:Ethernet  HWaddr 2E:59:30:A2:97:17
>           inet6 addr: fe80::2c59:30ff:fea2:9717/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           inet addr:192.168.122.21  Bcast:0.0.0.0  Mask:255.255.255.255
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>
> virbr0    Link encap:Ethernet  HWaddr 2E:59:30:A2:97:17
>           inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
>           inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>
> iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
> ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
> ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0 udp spt:bootpc dpt:bootps
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
> ACCEPT     all  --  192.168.122.150      anywhere            PHYSDEV match --physdev-in vif1.0
> ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> ip r
> 192.168.122.150 dev vif1.0  scope link  src 192.168.122.21
> XXX.XXX.XXX.64/27 dev eth0  proto kernel  scope link  src XXX.XXX.XXX.67
> 192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
> 169.254.0.0/16 dev eth0  scope link
> default via XXX.XXX.XXX.65 dev eth0
>
>
> AFTER SNAT/DNAT -----------------------------
>
> 192.168.122.150 dev vif1.0  scope link  src 192.168.122.21
> XXX.XXX.XXX.70 dev vif1.0  scope link
> XXX.XXX.XXX.64/27 dev eth0  proto kernel  scope link  src XXX.XXX.XXX.67
> 192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
> 169.254.0.0/16 dev eth0  scope link
> default via XXX.XXX.XXX.65 dev eth0
>
>
>
>
> Alexander Zherdev
> azherdev@xxxxxxxxx
>
>
>
>
> ______________________________________________________________________
> From: Thomas Halinka <lists@xxxxxxxxx>
> To: Alexander Zherdev <azherdev@xxxxxxxxx>
> Cc: xen-users@xxxxxxxxxxxxxxxxxxx
> Sent: Tue, October 26, 2010 9:59:06 AM
> Subject: Re: [Xen-users] Xen 3.4.2 networking help
>
> Hi Alexander,
>
> On Tuesday, 26.10.2010, 09:44 -0700, Alexander Zherdev wrote:
> > (If this is a double post, I apologize, my email client crashed when I
> > first sent it)
> >
> > I need some help to configure a secure network on my Xen server. I
> > have been looking online and it seems I need a routed network. But I
> > am having a terrible time implementing it.
> >
> > My setup:
> >
> > Xen 3.4.2
> > CentOS 5.5 Dom0
> > 1 NIC (eth0)
> > All guests will be HVM
> >
> > What I want to do is something similar to a firewall and port
> > forwarding.
> >
> > e.g.
> >
> > DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign the same
> > address and simplifies creating templates)
> > DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign the same
> > address and simplifies creating templates)
> > etc.
> >
> > Dom0 eth0 has public IP of 92.82.72.100 that forwards ports 22 + 80 +
> > 443 to 10.0.0.50
> > Dom0 eth0 has public IP of 92.82.72.101 that forwards ports 21 + 22 +
> > 80 + 443 to 10.0.0.60
> > etc.
> >
> > Ideally, the main network card will have a bunch of public IPs that
> > will individually route to internal DomU systems that have private IP
> > addresses.
>
> So the terms you are searching for are SNAT and DNAT. I wouldn't recommend
> pure port forwarding, since it seems too much fiddling with each
> individual port.
>
> Use SNAT and DNAT in Dom0 and protect your domU with a simple
> port filter...
>
> >
> > I also need to prevent a DomU from: a) stealing other IPs
>
> this is simple:
>
> vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]
>
> > and b) communicating with other private systems unless Dom0 sais ok.
>
> 1) Each domU has its own Bridge
> or
> 2) 10.0.0.50/32 and only ONE Route to your GW aka Dom0
>
> > Right now, I do not need to have DomUs on different physical servers
> > sharing the same network - what Open vSwitch provides as I understand it -
> > that's phase 2. But of course if it provides what I need above easily,
> > then I'm for it.
>
> No need for Open vSwitch - it can easily be accomplished with simple
> Unix tools ;-)
>
> >
> > What do I need? I know how to accomplish most of it using real
> > hardware with firewalls, vlans, etc.
>
> Just ask aunt google for help, e.g.
> http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
>
> seems sufficient for your needs.
>
> >
> > I am fairly new to Xen so please, if possible, provide examples.
> >
> > Alexander Zherdev
> > azherdev@xxxxxxxxx
>
> hth,
>
>
> thomas
>
>
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users
>
>
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
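The steps above (private bridge, forwarding, 1:1 NAT per domU) and the port-filter advice from the earlier reply, put together as an added example; this is not code from the thread. It assumes eth0 as the public interface and the same 192.168.128.64/27 private range as Thomas's script; the public /27 is elided in the mail, so 203.0.113.64/27 (the TEST-NET-3 documentation range) stands in for it, and the second mapping line is constructed sample data. Instead of switching the firewall off, the FORWARD chain is set to DROP and only the listed TCP ports are let through to each domU. The script prints the commands rather than running them, so the rule set can be reviewed (and checked) unprivileged:

```shell
#!/bin/sh
# Added example, not from the xen-users thread: generate the dom0 side of
# 1:1 NAT between public IPs and domUs on a private bridge, plus a FORWARD
# filter that only exposes the ports each domU should serve.
# Assumptions: 203.0.113.64/27 (TEST-NET-3) stands in for the elided public
# /27; private side 192.168.128.64/27 as in Thomas's script; eth0 is public.

PUBLIC_IF=eth0
BRIDGE=xen-privatelan
DOM0_PRIV=192.168.128.65/27

# One mapping per line: "<public ip> <domU private ip> <tcp ports to expose>"
# (constructed sample data; only the .70 host appears in the thread)
MAPPINGS='203.0.113.70 192.168.128.70 22,80,443
203.0.113.71 192.168.128.71 21,22,80,443'

# nat_rules PUBLIC PRIVATE PORTS: the three rules one domU needs.
nat_rules() {
    pub=$1; priv=$2; ports=$3
    # Inbound: everything addressed to the public IP is rewritten to the domU ...
    echo "iptables -t nat -A PREROUTING -i $PUBLIC_IF -d $pub -j DNAT --to-destination $priv"
    # ... and traffic the domU sends out leaves with that public IP.
    # "-o $PUBLIC_IF" keeps the SNAT from touching routed domU-to-domU traffic
    # if a second bridge is ever added.
    echo "iptables -t nat -A POSTROUTING -o $PUBLIC_IF -s $priv -j SNAT --to-source $pub"
    # FORWARD is evaluated after PREROUTING/DNAT, so the filter matches the
    # private address. Only the listed ports may open new connections inbound.
    echo "iptables -A FORWARD -i $PUBLIC_IF -o $BRIDGE -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
}

# all_rules: bridge, forwarding, base policy, then every mapping.
all_rules() {
    echo "brctl addbr $BRIDGE"
    echo "ip addr add $DOM0_PRIV dev $BRIDGE"
    echo "ip link set $BRIDGE up"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    # Default deny for transit traffic. With the firewall simply stopped,
    # the DNAT would expose every port the domU listens on.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # domUs may initiate anything towards the internet.
    echo "iptables -A FORWARD -i $BRIDGE -o $PUBLIC_IF -j ACCEPT"
    # Note: two domUs on the same bridge talk at layer 2 and never reach
    # FORWARD; for "only if dom0 says ok" use one bridge per domU
    # (Thomas's option 1) or add ebtables rules on the bridge.
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        if [ -n "$pub" ]; then
            nat_rules "$pub" "$priv" "$ports"
        fi
    done
}

# Number of iptables rules generated (sanity check before applying).
count_rules() {
    all_rules | grep -c '^iptables'
}

case "${1:-}" in
    show)  all_rules ;;
    apply) all_rules | sh ;;   # run as root on dom0
esac
```

Run it with `show` to review the generated commands and with `apply` as root on dom0 to execute them. The public IP still has to be owned by dom0 so that the packet reaches PREROUTING at all; the eth0:1 alias in Alexander's ifconfig output does that, and the `route add -host` / `arp -Ds` lines from his attempt are not needed for this scheme. Anything the domU listens on that is not in its port list stays unreachable from outside even though the DNAT maps the whole address.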