Hi,

I have a machine at a co-lo, and I want to run xen on it, to host a few virtual servers, so that I can isolate a few misbehaving applications from each other.

Unlike most of the examples I have seen on the net, I do *not* make the virtual machines visible on the net. I do not have enough public IP addresses for them, and anyway. Instead, I will be having an apache installation on the main machine, proxying requests to the various virtual machines, depending on the domain name. I may also want to add an iptables rule to forward some unlikely port on the host machine to 22 on the various virtual machines.

I would like to create a virtual, very local, network. Say 192.168.19.x, and have a bridge for that, all inside the main machine, without any connection to the main machine's eth0 or eth1 (it has two, both with a real ip address), so that the main machine (192.168.19.1) can talk to the virtual machines at 182.168.19.2 (etc).

I have tried to look at http://wiki.xensource.com/xenwiki/XenNetworking but frankly so far I have not gained very much understanding. I guess I can configure the interfaces with standard linux tools, but how to set up the bridge? Do some of the provided examples already do this? I am not too sure.

I am working on Debian/Etch, in case it makes any difference.

I would appreciate if anyone could share such a config setting, and/or explain how it should be set up.

Heikki Levanto
sysadmin, Index Data

--
Heikki Levanto heikki at indexdata dot dk "In Murphy We Turst"

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Sorry, I was too quick to ask. I found out that the vif-nat thing does almost exactly what I need

http://www.howtoforge.com/debian_etch_xen_3.1_p4

I still can't get out of that box to the big internet, but I suspect that is a problem with my own firewall script.

- Heikki

--
Heikki Levanto heikki at indexdata dot dk "In Murphy We Turst"

Hi

> I still can't get out of that box to the big internet, but I suspect
> that is a problem with my own firewall script.

Have you got this enabled?

    echo 1 > /proc/sys/net/ipv4/ip_forward

Also some URLs I found useful in this department if they help.

http://wiki.kartbuilding.net/index.php/Xen_Networking

http://www.linuxhorizon.ro/vlans.html

Regards.

Geoff

Heikki Levanto wrote:
> Sorry, I was too quick to ask. I found out that the vif-nat thing does
> almost exactly what I need
> http://www.howtoforge.com/debian_etch_xen_3.1_p4
>
> I still can't get out of that box to the big internet, but I suspect
> that is a problem with my own firewall script.
>
> - Heikki

Hi again,

Sorry, I meant to give this link, not the vlans one.

http://renial.net/weblog/2007/02/27/xen-vlan/

Regards.

Geoff

Geoff Kirk wrote:
> Hi
>
>> I still can't get out of that box to the big internet, but I suspect
>> that is a problem with my own firewall script.
>
> Have you got this enabled?
>
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> Also some URLs I found useful in this department if they help.
>
> http://wiki.kartbuilding.net/index.php/Xen_Networking
>
> http://www.linuxhorizon.ro/vlans.html
>
> Regards.
>
> Geoff
>
> Heikki Levanto wrote:
>> Sorry, I was too quick to ask. I found out that the vif-nat thing does
>> almost exactly what I need
>> http://www.howtoforge.com/debian_etch_xen_3.1_p4
>>
>> I still can't get out of that box to the big internet, but I suspect
>> that is a problem with my own firewall script.
>>
>> - Heikki

On Thu, Oct 04, 2007 at 03:47:00PM +0100, Geoff Kirk wrote:
> Hi
>
> > I still can't get out of that box to the big internet, but I suspect
> > that is a problem with my own firewall script.
>
> Have you got this enabled?
>
>     echo 1 > /proc/sys/net/ipv4/ip_forward

Right, you need this and probably also:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Don't forget to deactivate your firewall during the test to ensure it's not a wrong firewall configuration which prevents you from accessing the internet.

Jens

On Thu, Oct 04, 2007 at 05:04:22PM +0200, Jens Seidel wrote:
> On Thu, Oct 04, 2007 at 03:47:00PM +0100, Geoff Kirk wrote:
> > Have you got this enabled?
> >
> >     echo 1 > /proc/sys/net/ipv4/ip_forward

Yes. I even checked it, and it really is there!

> Right, you need this and probably also:
>
>     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

That seems to come automagically when the vm is started. But I am adding it in my firewall script all the same, except that I do not limit with -o eth0, but with -s 10.0.0.0/8. I'll try the -o instead.

> Don't forget to deactivate your firewall during the test to ensure it's
> not a wrong firewall configuration which prevents you from accessing the
> internet.

Yes, I try that every now and then. Not too long, as the box is on the big, bad internet...

Thanks for your help!

-H

--
Heikki Levanto heikki at indexdata dot dk "In Murphy We Turst"
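
Added example, not part of any message in this thread: a shell script that prints the NAT and FORWARD rules the discussion above arrives at, so they can be reviewed and appended to an existing firewall script instead of being tested with the firewall switched off. The 10.0.0.0/8 range and eth0 are taken from the messages; the guest addresses and host ports in the sample call are made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for review;
# it changes nothing until the output is piped to a root shell.
GUEST_NET="10.0.0.0/8"   # source range Heikki matches on with -s
WAN_IF="eth0"            # outbound interface from Jens's -o rule

# forwarding_enabled [FILE]: succeeds when the sysctl file contains 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# gen_rules HOSTPORT:GUESTIP ...: NAT plus the FORWARD holes it needs.
gen_rules() {
    for map in "$@"; do            # validate every mapping before printing
        case "${map%%:*}" in
            ''|*[!0-9]*) echo "bad port in $map" >&2; return 1 ;;
        esac
        case "${map#*:}" in
            10.*.*.*) ;;
            *) echo "guest outside $GUEST_NET: $map" >&2; return 1 ;;
        esac
    done
    # Outbound: masquerade only guest traffic leaving by the public interface.
    echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $GUEST_NET -o $WAN_IF -j ACCEPT"
    # Inbound: one unlikely host port per guest, rewritten to the guest's sshd.
    for map in "$@"; do
        port=${map%%:*}; guest=${map#*:}
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $guest:22"
        echo "iptables -A FORWARD -i $WAN_IF -d $guest -p tcp --dport 22 -j ACCEPT"
    done
}

# Constructed sample: two guests with made-up addresses and ports.
gen_rules 2202:10.0.0.2 2203:10.0.0.3
```

Matching on both -s and -o keeps the masquerade rule from rewriting traffic that does not originate from the guests, and the explicit FORWARD accepts are what a default-drop firewall script would otherwise be missing.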