Das HowTo-Wiki|
Größe: 2529
Kommentar: links
|
Größe: 2708
Kommentar: more links
|
| Gelöschter Text ist auf diese Art markiert. | Hinzugefügter Text ist auf diese Art markiert. |
| Zeile 46: | Zeile 46: |
| * xen network overview: http://wiki.xensource.com/xenwiki/XenNetworking | |
| Zeile 49: | Zeile 50: |
| * using multiple bridges for separate domU networks: http://www.debian-administration.org/articles/470 |
What is it about
The following short howto describes the setup of a xen installation with following properties:
- the host domU is isolated from the domUs
- a firewall in dom1 manages the traffic from domUs to the internet
- the domUs share a bridged network interface
What is the problem?
Maybe you would like to accomplish the previously described setup by using dom0 as the routing firewall?
It could look like the following:BR attachment:xen-network-not-working.png (dia source: attachment:xen-network-not-working.dia)
I tried hard to get this setup running, but a problem of iptables with the xen network bridge rendered this approach impossible.
What went wrong?
the traffic originating from the bridge xenbr0 should get forwared to eth in dom0
- the problem: the masquerading iptables rules failed to change the source address of the packets - thus the packets had an invalid return path
Symptoms
pings from domUs reach the external router, but the source address is 10.0.1.x instead of 192.168.1.2 (as it should be)
Root cause
the packets are treated as IN=xenbr0 (which is ok) and OUT=xenbr0 (this should be eth0 instead)
despite this wrong attributes, the packets still get sent via eth0 (as they should)
even more mysterious: after adding a masqerading rule that would also match packets marked as OUT=xenbr0, the packets do not even reach eth0 anymore
Other reports
In the [http://www.shorewall.net/Xen.html shorewall howtos] you can find the following:
I know of no case where a user has successfully used NAT (including Masquerade) in a bridged Xen Dom0. So if you want to create a masquerading firewall/gateway using Xen, you need to do so in a DomU (see how I did it) or you must configure Xen to use routing or NAT rather than the default bridging.
How it can be done
The following picture describes a setup that avoids the previously described problem, since there are no bridges configured in dom1.
attachment:xen-network-two-bridges.png (dia source: attachment:xen-network-two-bridges.dia)
The configuration details (xen and shorewall configuration files) will follow soon ...
Links
xen network overview: http://wiki.xensource.com/xenwiki/XenNetworking
shorewall firewall setup for xen: http://www.shorewall.net/Xen.html
bridged firewall in domU: http://www.shorewall.net/XenMyWay.html
routed firewall in dom0: http://www.shorewall.net/XenMyWay-Routed.html
using multiple bridges for separate domU networks: http://www.debian-administration.org/articles/470
