Das HowTo-Wiki|
Größe: 1917
Kommentar: pictures uploaded
|
Größe: 1861
Kommentar: Format
|
| Gelöschter Text ist auf diese Art markiert. | Hinzugefügter Text ist auf diese Art markiert. |
| Zeile 1: | Zeile 1: |
| ||<tablestyle="float:right;"> '''Table of contents'''[[TableOfContents]] || | [[TableOfContents]] |
What is it about
The following short howto describes the setup of a xen installation with following properties:
- the host domU is isolated from the domUs
- a firewall in dom1 manages the traffic from domUs to the internet
- the domUs share a bridged network interface
What is the problem?
Maybe you would like to accomplish the previously described setup by using dom0 as the routing firewall?
It could look like the following:BR attachment:xen-network-not-working.png (dia source: attachment:xen-network-not-working.dia)
I tried hard to get this setup running, but a problem of iptables with the xen network bridge rendered this approach impossible.
What went wrong?
the traffic originating from the bridge xenbr0 should get forwared to eth in dom0
- the problem: the masquerading iptables rules failed to change the source address of the packets - thus the packets had an invalid return path
Symptoms
pings from domUs reach the external router, but the source address is 10.0.1.x instead of 192.168.1.2 (as it should be)
Root cause
the packets are treated as IN=xenbr0 (which is ok) and OUT=xenbr0 (this should be eth0 instead)
despite this wrong attributes, the packets still get sent via eth0 (as they should)
even more mysterious: after adding a masqerading rule that would also match packets marked as OUT=xenbr0, the packets do not even reach eth0 anymore
How it can be done
The following picture describes a setup that avoids the previously described problem, since there are no bridges configured in dom1.
attachment:xen-network-two-bridges.png (dia source: attachment:xen-network-two-bridges.dia)
The configuration details (xen and shorewall configuration files) will follow soon ...
