Re: [Xen-users] Xen 3.4.2 networking help
Pardon my long email below, I hope it will shed some light. I've googled and tried various things but nothing seems to work. I have upgraded to 3.4.3 of Xen and the kernel had an update too. My brain is fried right now. The only thing that seems to work is bridged mode. In bridged mode, my DomU gets the DHCP from dnsmasq and it can then surf the web. But I can't get to it from outside. In route or NAT mode, the DomU can't even get out. Below is a test in NAT mode of xend. Below I have a pretty verbose output of iptables, ip r, and ifconfig right after I boot the physical server, then after I start the DomU, and then after I apply the SNAT and DNAT settings (only ip r changes then). I appreciate any help that you have.

-----------------------------

Kernel: 2.6.18-194.17.4.el5xen
Xen: 3.4.3
Source: www.gitco.de

/etc/xen/xend-config.sxp
(network-nat)
(vif-nat)

Attempted the SNAT/DNAT configuration using this:

iptables -t nat -A PREROUTING -i eth0 -d XXX.XXX.XXX.70 -j DNAT --to-destination 192.168.122.150
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.122.150 -j SNAT --to-source XXX.XXX.XXX.70
route add -host XXX.XXX.XXX.70 vif1.0
arp -Ds XXX.XXX.XXX.70 vif1.0
-> SIOCSARP: Invalid argument

Windows Configuration
DHCP IP 192.168.122.150
MS 255.255.255.0
GW 192.168.122.1

CLEAN BOOT
------------------------------------

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
          inet addr:XXX.XXX.XXX.67  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
          inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
          inet addr:XXX.XXX.XXX.70  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

peth0     Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
          inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:fafe0000-fb000000

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip r

XXX.XXX.XXX.64/27 dev eth0  proto kernel  scope link  src XXX.XXX.XXX.67
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
169.254.0.0/16 dev eth0  scope link
default via XXX.XXX.XXX.65 dev eth0

/etc/dnsmasq.conf

dhcp-range=192.168.122.10,192.168.122.250,255.255.255.0,12h
dhcp-host=00:16:3e:00:01:02,192.168.122.150

/vm/cfg/vm-000002/vm-000002.xen

import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
memory = 8192
name = "vm-app-1a"
uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"
vcpus = 2
pae = 1
acpi = 1
apic = 1
cpus = "2-7"
vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]
disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot = "c"
sdl=0
vnc=1
vnclisten="XXX.XXX.XXX.67"
vncpasswd='vnc'
stdvga=0
serial='pty'
usbdevice='tablet'

AFTER VM CREATED
------------------------------------

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
          inet addr:XXX.XXX.XXX.67  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
          inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
          inet addr:XXX.XXX.XXX.70  Bcast:XXX.XXX.XXX.95  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

peth0     Link encap:Ethernet  HWaddr 00:25:90:1B:E6:7E
          inet6 addr: fe80::225:90ff:fe1b:e67e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Memory:fafe0000-fb000000

tap1.0    Link encap:Ethernet  HWaddr 2E:59:30:A2:97:17
          inet6 addr: fe80::2c59:30ff:fea2:9717/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:192.168.122.21  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

virbr0    Link encap:Ethernet  HWaddr 2E:59:30:A2:97:17
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif1.0
ACCEPT     all  --  192.168.122.150      anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip r

192.168.122.150 dev vif1.0  scope link  src 192.168.122.21
XXX.XXX.XXX.64/27 dev eth0  proto kernel  scope link  src XXX.XXX.XXX.67
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
169.254.0.0/16 dev eth0  scope link
default via XXX.XXX.XXX.65 dev eth0

AFTER SNAT/DNAT
-----------------------------

192.168.122.150 dev vif1.0  scope link  src 192.168.122.21
XXX.XXX.XXX.70 dev vif1.0  scope link
XXX.XXX.XXX.64/27 dev eth0  proto kernel  scope link  src XXX.XXX.XXX.67
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1
169.254.0.0/16 dev eth0  scope link
default via XXX.XXX.XXX.65 dev eth0

Alexander Zherdev
azherdev@xxxxxxxxx

From: Thomas Halinka <lists@xxxxxxxxx>
To: Alexander Zherdev <azherdev@xxxxxxxxx>
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Sent: Tue, October 26, 2010 9:59:06 AM
Subject: Re: [Xen-users] Xen 3.4.2 networking help

Hi Alexander,

On Tuesday, 26.10.2010, 09:44 -0700, Alexander Zherdev wrote:
> (If this is a double post, I apologize, my email client crashed when I
> first sent it)
>
> I need some help to configure a secure network on my Xen server. I
> have been looking online and it seems I need a routed network. But I
> am having a terrible time implementing it.
>
> My setup:
>
> Xen 3.4.2
> CentOS 5.5 Dom0
> 1 NIC (eth0)
> All guests will be HVM
>
> What I want to do is something similar to a firewall and port
> forwarding.
>
> e.g.
>
> DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign same
> address and simplifies in creating templates)
> etc.
>
> Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> 443 to 10.0.0.50
> Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> 80 + 443 to 10.0.0.60
> etc.
>
> Ideally, the main network card will have a bunch of public IPs that
> will individually route to internal DomU systems that have private IP
> addresses.

So the terms you are searching for are SNAT and DNAT. I wouldn't recommend pure port forwarding, since it seems too much fiddling with each individual port. Use SNAT and DNAT in Dom0 and protect your domU by a simple port filter...

> I also need to prevent a DomU from: a) stealing other IPs

This is simple:

vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]

> and b) communicating with other private systems unless Dom0 says ok.

1) Each domU has its own bridge, or
2) 10.0.0.50/32 and only ONE route to your GW aka Dom0

> Right now, I do not need to have DomU on different physical servers
> sharing same network - what open vswitch provides as I understand it -
> that's phase 2. But of course if it provides what I need above easily,
> then I'm for it.

No need for openvSwitch - can be easily accomplished with simple Unix tools ;-)

> What do I need? I know how to accomplish most of it using real
> hardware with firewalls, vlans, etc.

Just ask aunt google for help, e.g.
http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
seems sufficient for your needs.

> I am fairly new to Xen so please, if possible, provide examples.
>
> Alexander Zherdev
> azherdev@xxxxxxxxx

hth,
thomas
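An added example (not code from either poster) that replays first-match evaluation over a constructed subset of the Dom0 FORWARD chain listed in the "AFTER VM CREATED" section, with the PHYSDEV matches written as plain interface names. It answers the question behind Thomas's "ip=" advice: for a packet entering from vif1.0, is the per-vif anti-spoof rule the one that decides, or does a broader ACCEPT further down the chain (the libvirt 192.168.122.0/24 rule, the catch-all ACCEPT) decide instead; the destination 198.51.100.1 used as a probe is a constructed TEST-NET-2 address, not from the thread.

```python
import ipaddress

# Rule fields: (target, src, dst, physdev_in, physdev_out, state); None = any.
# Constructed subset of the thread's FORWARD chain after 'xm create'; rule 1 is
# the anti-spoof rule Xen's vif script builds from 'ip=192.168.122.150'.
FORWARD = [
    ("ACCEPT", "0.0.0.0/0", "0.0.0.0/0", None, "vif1.0", "RELATED,ESTABLISHED"),
    ("ACCEPT", "192.168.122.150/32", "0.0.0.0/0", "vif1.0", None, None),
    ("ACCEPT", "0.0.0.0/0", "192.168.122.0/24", None, None, "RELATED,ESTABLISHED"),
    ("ACCEPT", "192.168.122.0/24", "0.0.0.0/0", None, None, None),  # libvirt default
    ("ACCEPT", "0.0.0.0/0", "0.0.0.0/0", None, None, None),          # catch-all
    ("REJECT", "0.0.0.0/0", "0.0.0.0/0", None, None, None),
]

def rule_matches(rule, pkt):
    """True when every specified field of the rule matches the packet dict."""
    _, src, dst, pin, pout, state = rule
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    if pin is not None and pkt.get("in") != pin:
        return False
    if pout is not None and pkt.get("out") != pout:
        return False
    if state is not None and pkt["state"] not in state.split(","):
        return False
    return True

def first_match(chain, pkt):
    """iptables is first-match: return (rule index, verdict). The chain on the
    page has policy ACCEPT, so falling off the end yields (None, 'ACCEPT')."""
    for i, rule in enumerate(chain):
        if rule_matches(rule, pkt):
            return i, rule[0]
    return None, "ACCEPT"

def spoof_gaps(chain, vif, assigned_ip, probe_src):
    """Indices of ACCEPT rules below the vif's anti-spoof rule that would still
    pass a NEW packet entering from that vif with a source other than its
    assigned IP. An empty list means the ip= pin really is enforced."""
    own = next(i for i, r in enumerate(chain)
               if r[0] == "ACCEPT" and r[3] == vif and r[1] == assigned_ip + "/32")
    # 198.51.100.1 is a constructed (TEST-NET-2) destination, not from the thread.
    pkt = {"src": probe_src, "dst": "198.51.100.1", "in": vif, "state": "NEW"}
    return [i for i, r in enumerate(chain)
            if i > own and r[0] == "ACCEPT" and rule_matches(r, pkt)]
```

On this chain `spoof_gaps(FORWARD, "vif1.0", "192.168.122.150", "192.168.122.99")` returns `[3, 4]`: the ip= rule only ACCEPTs the legitimate source, so a DROP or REJECT for everything else from that vif has to sit above the libvirt subnet rule and the catch-all for the pin to mean anything.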