What is it about
The following short howto describes the setup of a Xen installation with the following properties:
- the host dom0 is isolated from the domUs
- a firewall in dom1 manages the traffic from the domUs to the internet
- the domUs share a bridged network interface
What is the problem?
Maybe you would like to accomplish the previously described setup by using dom0 as the routing firewall? It could look like the following:
I tried hard to get this setup running, but a problem with iptables and the Xen network bridge rendered this approach impossible.
What went wrong?
- the intent: the traffic originating from the bridge xenbr0 should get forwarded to eth0 in dom0
- the problem: the masquerading iptables rules failed to change the source address of the packets - thus the packets had an invalid return path
Symptoms:
- pings from the domUs reach the external router, but their source address is 10.0.1.x instead of 192.168.1.2 (as it should be)
Root cause:
- the packets are treated as IN=xenbr0 (which is ok) and OUT=xenbr0 (this should be eth0 instead)
- despite these wrong attributes, the packets still get sent via eth0 (as they should)
- even more mysterious: after adding a masquerading rule that would also match packets marked as OUT=xenbr0, the packets do not even reach eth0 anymore
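To make the symptom and the root cause above easy to spot in your own logs, here is a small checker (added here as an example, not code from the original howto): it reads iptables LOG lines from the dom0 FORWARD chain and reports packets that carry the bridge as both IN and OUT, and it reads a tcpdump summary taken on the router side and reports any domU source address that should have been rewritten by masquerading. The log prefix "[fwd]", the sample log lines, the sample capture and the network 10.0.1.0/24 are constructed for this example; the interface names xenbr0 and eth0 and the address 192.168.1.2 are the ones from the description above.

```python
import ipaddress
import re

# Fields written by the iptables LOG target, e.g.
# "IN=xenbr0 OUT=eth0 SRC=10.0.1.5 DST=192.168.1.1 PROTO=ICMP".
LOG_FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO)=(\S*)")

# Source and destination of a tcpdump summary line such as
# "12:00:01.000 IP 10.0.1.5 > 192.168.1.1: ICMP echo request, id 1, seq 1"
# (a trailing ".port" after an address is skipped).
CAPTURE_RE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

# Constructed sample data (not taken from the original page). The first block
# models the dom0 FORWARD chain logged with "-j LOG --log-prefix '[fwd] '";
# the second models a capture taken on the external router's LAN interface.
SAMPLE_FORWARD_LOG = """\
kernel: [fwd] IN=xenbr0 OUT=xenbr0 SRC=10.0.1.5 DST=192.168.1.1 PROTO=ICMP
kernel: [fwd] IN=xenbr0 OUT=eth0 SRC=10.0.1.6 DST=192.168.1.1 PROTO=ICMP
kernel: [fwd] IN=eth0 OUT=xenbr0 SRC=192.168.1.1 DST=10.0.1.6 PROTO=ICMP
"""
SAMPLE_ROUTER_CAPTURE = """\
12:00:01.000 IP 10.0.1.5 > 192.168.1.1: ICMP echo request, id 1, seq 1
12:00:01.010 IP 192.168.1.2 > 192.168.1.1: ICMP echo request, id 2, seq 1
12:00:01.020 IP 10.0.1.7.51000 > 192.168.1.1.53: 1+ A? example.invalid. (32)
"""


def misattributed_bridge_packets(log_text, bridge="xenbr0"):
    """Return 1-based line numbers of forwarded packets whose IN and OUT are
    both the bridge. Such packets never match a "-o eth0" masquerading rule,
    which is the root cause described above."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = dict(LOG_FIELD_RE.findall(line))
        if fields.get("IN") == bridge and fields.get("OUT") == bridge:
            hits.append(lineno)
    return hits


def unmasqueraded_sources(capture_text, domu_net="10.0.1.0/24"):
    """Return the sorted domU addresses seen as packet sources on the router
    side. With working masquerading only the dom0 address (192.168.1.2)
    should appear there; any domU address is the symptom described above."""
    net = ipaddress.ip_network(domu_net)
    leaked = set()
    for line in capture_text.splitlines():
        match = CAPTURE_RE.search(line)
        if match and ipaddress.ip_address(match.group(1)) in net:
            leaked.add(match.group(1))
    return sorted(leaked, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("FORWARD lines with IN=OUT=bridge:",
          misattributed_bridge_packets(SAMPLE_FORWARD_LOG))
    print("domU sources seen at the router:",
          unmasqueraded_sources(SAMPLE_ROUTER_CAPTURE))
```

Feed `misattributed_bridge_packets` the output of a LOG rule in the dom0 FORWARD chain and `unmasqueraded_sources` a capture from the router's LAN port; an empty result from both is what a working masquerading setup looks like, while the sample data reproduces the broken state (line 1 of the log, and the addresses 10.0.1.5 and 10.0.1.7 at the router).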
How it can be done
The following picture describes a setup that avoids the previously described problem, since no bridges are configured in dom1.
The configuration details (xen and shorewall configuration files) will follow soon ...