Re: [Xen-users] Xen 3.4.2 networking help
Hi Alexander,

On Tuesday, 26.10.2010, 22:12 -0700, Alexander Zherdev wrote:
> Thank you Thomas,
>
> Few followup questions:
>
> 1. Which network mode is best for this configuration? bridge, route,
> nat?

bridged-setup

> 2. On my box, when I specified the IP in the vif section, it didn't
> prevent anything nor did it assign that IP. I am booting into Windows
> 2003 and 2008 DomU.

Oh, you didn't say you're using HVM....

> The only way that I found that I can have Dom0 dictate the IP of the
> DomU was to enable DHCP on the dnsmasq service in Dom0 and map the MAC
> to IP on it. Still didn't prevent the Windows user from assigning a
> static IP of their choice and being able to communicate between
> systems on the bridge and outside.

The ip-statement only works with pv-domains...

> Is this a limitation of Windows or HVM or is something mis-configured
> on my end?

hvm.

> Here is my config of the W2K3 DomU:
>
> import os, re
> arch = os.uname()[4]
> if re.search('64', arch):
>     arch_libdir = 'lib64'
> else:
>     arch_libdir = 'lib'
>
> kernel = "/usr/lib/xen/boot/hvmloader"
> builder='hvm'
> memory = 8192
> name = "vm-app-1a"
> uuid = "C37B45AE-62E3-4034-BAD6-D0D3E127333E"
>
> vcpus = 2
> pae = 1
> acpi = 1
> apic = 1
> cpus = "2-7"
>
> vif = [ 'type=ioemu, bridge=virbr0, mac=00:16:3e:00:01:02, ip=192.168.122.150' ]
>
> disk = [ 'phy:/dev/vg00/vm-000002-0,hda,w' ]
>
> on_poweroff = 'destroy'
> on_reboot = 'restart'
> on_crash = 'restart'
>
> device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
> boot = "c"
>
> sdl=0
> vnc=1
> vnclisten="10.20.30.40"
> vncpasswd='vncpass'
> stdvga=0
> serial='pty'
> usbdevice='tablet'
>
>
> Alexander Zherdev
> azherdev@xxxxxxxxx
>
>
> ______________________________________________________________________
> From: Thomas Halinka <lists@xxxxxxxxx>
> To: Alexander Zherdev <azherdev@xxxxxxxxx>
> Cc: xen-users@xxxxxxxxxxxxxxxxxxx
> Sent: Tue, October 26, 2010 9:59:06 AM
> Subject: Re: [Xen-users] Xen 3.4.2 networking help
>
> Hi Alexander,
>
> On Tuesday, 26.10.2010, 09:44 -0700, Alexander Zherdev wrote:
> > (If this is a double post, I apologize, my email client crashed when
> > I first sent it)
> >
> > I need some help to configure a secure network on my Xen server. I
> > have been looking online and it seems I need a routed network. But
> > I am having a terrible time implementing it.
> >
> > My setup:
> >
> > Xen 3.4.2
> > CentOS 5.5 Dom0
> > 1 NIC (eth0)
> > All guests will be HVM
> >
> > What I want to do is something similar to a firewall and port
> > forwarding.
> >
> > e.g.
> >
> > DomU.1 has DHCP address of 10.0.0.50 (DHCP matches MAC to assign
> > same address and simplifies in creating templates)
> > DomU.2 has DHCP address of 10.0.0.60 (DHCP matches MAC to assign
> > same address and simplifies in creating templates)
> > etc.
> >
> > Dom0 eth0 has public IP of 92.82.72.100 that forwards port 22 + 80 +
> > 443 to 10.0.0.50
> > Dom0 eth0 has public IP of 92.82.72.101 that forwards port 21 + 22 +
> > 80 + 443 to 10.0.0.60
> > etc.
> >
> > Ideally, the main network card will have a bunch of public IPs that
> > will individually route to internal DomU systems that have private
> > IP addresses.
>
> So the terms you are searching for are SNAT and DNAT. I wouldn't
> recommend pure port forwarding, since it seems too much fiddling with
> each individual port.
>
> Use SNAT and DNAT in Dom0 and protect your domU by a simple
> port filter...
>
> > I also need to prevent a DomU from: a) stealing other IPs
>
> this is simple:
>
> vif = [ 'ip=10.0.0.50,mac=AA:BB:CC:DD:EE:FF' ]
>
> > and b) communicating with other private systems unless Dom0 says ok.
>
> 1) Each domU has its own Bridge
> or
> 2) 10.0.0.50/32 and only ONE Route to your GW aka Dom0
>
> > Right now, I do not need to have DomU on different physical servers
> > sharing same network - what open vswitch provides as I understand it
> > - that's phase 2. But of course if it provides what I need above
> > easily, then I'm for it.
>
> No need for Open vSwitch - can be easily accomplished with simple
> Unix tools ;-)
>
> > What do I need? I know how to accomplish most of it using real
> > hardware with firewalls, vlans, etc.
>
> Just ask aunt google for help, e.g.
> http://www.adamsinfo.com/full-nat-dnat-and-snat-aka-11-nat-1-to-1-nat/
>
> seems sufficient for your needs.
>
> > I am fairly new to Xen so please, if possible, provide examples.
> >
> > Alexander Zherdev
> > azherdev@xxxxxxxxx
>
> hth,
>
>
> thomas

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
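The Dom0 rule set Thomas sketches above (1:1 SNAT/DNAT per guest, a port filter instead of per-port forwarding, and pinning each guest to its IP the way the vif ip= statement does for PV guests), as an added shell example that is not part of this thread and not Xen's own vif-bridge script. It uses the public/private addresses and ports from Alexander's message; the vif names vif1.0 and vif2.0, and the assumption that Dom0 routes between the guest bridge and eth0, are mine. It also goes one step beyond the thread's two isolation options by dropping guest-to-guest traffic at Dom0, which covers Alexander's point b) with the same rules.

```shell
#!/bin/sh
# Added example (not from the thread): print the Dom0 iptables rules for
# 1:1 DNAT/SNAT per guest, a per-guest TCP port filter, and an anti-spoof
# rule that ties each guest's IP to its vif (assumption: the physdev-based
# approach Xen's vif-bridge antispoof uses for PV guests). Addresses and
# ports come from the thread; the vif names are assumptions.

PUB_IF="eth0"   # Dom0's public NIC, as in the thread

# Constructed guest table: public_ip private_ip vif allowed_tcp_ports
GUESTS="
92.82.72.100 10.0.0.50 vif1.0 22,80,443
92.82.72.101 10.0.0.60 vif2.0 21,22,80,443
"

# nat_rules PUBIP PRIVIP: full 1:1 NAT, so every port reaches the guest and
# the guest's outbound traffic leaves with its own public address.
nat_rules() {
    pub=$1; priv=$2
    echo "iptables -t nat -A PREROUTING  -i $PUB_IF -d $pub  -j DNAT --to-destination $priv"
    echo "iptables -t nat -A POSTROUTING -o $PUB_IF -s $priv -j SNAT --to-source $pub"
}

# filter_rules PRIVIP VIF PORTS: the port filter Thomas recommends instead of
# per-port forwarding. New connections reach the guest only from the public
# NIC and only on the listed TCP ports; frames from the guest's vif are
# accepted only with the guest's own source IP and only towards the public
# NIC, so a guest that picks another static address (the Windows problem in
# the thread) or talks to a neighbouring guest is dropped at Dom0.
filter_rules() {
    priv=$1; vif=$2; ports=$3
    echo "iptables -A FORWARD -i $PUB_IF -d $priv -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $priv -o $PUB_IF -j ACCEPT"
    echo "iptables -A FORWARD -m physdev --physdev-in $vif -j DROP"
}

# generate: the complete rule set, base policy first, then one block per guest.
generate() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"   # FORWARD must see bridged frames
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$GUESTS" | while read -r pub priv vif ports; do
        if [ -z "$pub" ]; then continue; fi
        nat_rules "$pub" "$priv"
        filter_rules "$priv" "$vif" "$ports"
    done
}

# Print the rules by default; 'apply' pipes them into a shell on Dom0.
case "${1:-print}" in
    apply) generate | sh ;;
    *)     generate ;;
esac
```

Run it without arguments to review the rules, and with `apply` on Dom0 to load them. The physdev matches only work while bridge-nf-call-iptables is on, and a guest's vif name changes with its domain id on every boot, so on a real Dom0 the per-guest block belongs in the vif hook script rather than in a static table like the one constructed here.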