WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-users

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-users] Xen 3.4.2 networking help

from [Felix Kuperjans] [Permanent Link][Original]
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Xen 3.4.2 networking help
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: Wed, 27 Oct 2010 19:43:21 +0200
Delivery-date: Wed, 27 Oct 2010 10:45:30 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <865472.89218.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101025 Lanikai/3.1.5
Hi Jonathan,

I think a routed setup should suit your targets best, because you do not relay on LAN (i.e. Broadcasts, ARP) traffic between your DomUs if you are setting up a hosting server.

Actually I never used the default Xen scripts, because they seem to be rather broken / hard to use.

Some background:
  • Routing and Nat are actually no real different network scenario, NAT involves routing. The big difference is how the external ip addresses are handled:
    • NAT can be used to share one external ip address between multiple DomU's or to use the host's address for outbound traffic. You probably don't want that.
    • Pure routing requires a unique destination per ip address, i.e. the ip addresses that are used for the DomUs may only be used by a single DomU and they must *not* be used by the dom0 itself.
  • Setting up routing involves knowledge about: Routes, Subnets, ARP and Gateways. If you are unsure about any of these terms, you should do some research.
To start building up a routing script, all you need to do is:
  • A network script that enables ip forwarding in the kernel (the network-route script works fine in this way)
  • First start with a firewall-less test network to ensure the traffic is forwarded correctly (of course it must be a safe network, not already the Internet). Debugging routing problems gets lots harder when iptables is involved.
  • Write your own vif-script that basically does the following: Add the Dom0's gateway address (that will be configured as gateway in the DomU) to the vif and add a route to the DomU's ip address on that device. *Do not add* the DomU's address to the interface or to any other interface on the Dom0!
  • Use iproute2, i.e. /sbin/ip for everything; old utilities as ifconfig, route, etc work but are really pain (and do not supply all features).
If you got a working network configuration on the DomUs, you can start using iptables (iptables configuration gets easier if the setup is routed, because there is no bridge that forwards traffic by default. So traffic will only walk on your routes and you just have to accept everything that is sane, i.e. correct source ip / ethernet address, valid target, etc).

Regards,
Felix

Am 26.10.2010 18:44, schrieb Alexander Zherdev:
(If this is a double post, I apologize, my email client crashed when I first sent it)

I need some help to configure a secure network on my Xen server. I have been looking online and it seems a I need a routed network. But I am having a terrible time implementing it.

My setup:

Xen 3.4.2
CentOS 5.5 Dom0
1 NIC (eth0)
 All guests will be HVM

What I want to do is something similar to a firewall and port forwarding.

e.g.

DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same address and simplifies in creating templates)
DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same address and simplifies in creating templates)
etc.

Dom0 eht0 has public IP of 92.82.72.100 that forwards port 22 + 80 + 443 to 10.0.0.50
Dom0 eht0 has public IP of 92.82.72.101 that forwards port 21 + 22 + 80 + 443 to 10.0.0.60
etc.

Ideally, the main network card will have a bunch of public IPs that will individually route to internal DomU systems that have private IP addresses.

I also need to prevent a DomU from: a) stealing other IPs and b) communicating with other private systems unless Dom0 sais ok.
Right now, I do not need to have DomU on different physical servers sharing same network - what open vswitch provides as I understand it - that's phase 2. But of course if it provides what I need above easily, then I'm for it.

What do I need? I know how to accomplish most of it using real hardware with firewalls, vlans, etc.

I am fairly new to Xen so please, if possible, provide examples.
 
Alexander Zherdev
azherdev@xxxxxxxxx

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-users] xen, openSUSE can not provide USB support my Windows XP guest HVM domain, Ervin Novak
Next by Date:  Re: [Xen-users] SW RAID powered Xen node - knowledgeable feedback much needed, Bart Coninckx
Previous by Thread:  Re: [Xen-users] Xen 3.4.2 networking help, Alexander Zherdev
Next by Thread:  [Xen-users] SW RAID powered Xen node - knowledgeable feedback much needed, office
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy