Mirco Santori
2009-Oct-18 12:28 UTC
[Xen-users] How to disable the public ip in Dom0 and enable on DomU
Hi All,

I come to you guys due to a customization needed on my IT infrastructure.

I have a dedicated physical server (HP Proliant - RAM 12 GB) where I configured some virtual machines for web services based. I would like to make some changes to my current configuration in order to improve security and more.

The current configuration needs two public IP addresses because I don't know how to configure the DomU (proxy) to have the public IP address without configuring the same on the Dom0, which will share the same NIC with the DomU.

I am running Debian lenny and I am sure many of you know about the problem with the xen script which doesn't work in lenny. So I decided to create a manual bridge in the /etc/networking/interfaces and to leave the xen script without any changes.

What I wish to do is to not provide any public access to the dom0 (for security reasons and to keep the other IP address for other things).

Here is the current configuration:

Dom0 : host -> (public ip : 195.xxx.xx.220 - private ip : 192.168.1.10)
DomU : proxy -> (public ip : 195.xxx.xx.221 - private ip : 192.168.1.11)
DomU : php server -> private ip -> 192.168.1.12
DomU : java server -> private ip -> 192.168.1.13
DomU : db server -> private ip -> 192.168.1.14

and here is how I would like to change it:

Dom0 : host -> (private ip : 192.168.1.10)
DomU : proxy -> (public ip : 195.xxx.xx.221 - private ip : 192.168.1.11)
DomU : php server -> private ip -> 192.168.1.12
DomU : java server -> private ip -> 192.168.1.13
DomU : db server -> private ip -> 192.168.1.14

and here is the interfaces conf:

auto lo
iface lo inet loopback

auto xenbr0
iface xenbr0 inet static
    address xxxxxxx
    netmask 255.255.255.xxx
    network xxxxxxxx
    broadcast xxxxxxxx
    gateway xxxxxxx
    bridge_ports eth0
    bridge_stp off
    bridge_maxwait 0
    dns-nameservers xxx.xx
    dns-search xxx.com

auto xenbr1
iface xenbr1 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    network 192.168.200.0
    broadcast 192.168.200.255
    gateway xxx.129
    bridge_ports eth1
    bridge_stp off
    bridge_maxwait 0
    dns-nameservers xxx.5
    dns-search xxx.com

Could someone give me some advice or suggestions on how to reach my target? I am working with the network-bridge .. should I use NAT or ROUTE xen networking?

The problem is that when I tried to un-configure the eth0 on the Dom0 side with a fixed and public IP .. it would not be available for the DomU (proxy) as well.

Many thanks for any answer.

N

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Sergey Vlasov
2009-Oct-18 17:46 UTC
Re: [Xen-users] How to disable the public ip in Dom0 and enable on DomU
On Sun, Oct 18, 2009 at 02:28:39PM +0200, Mirco Santori wrote:
[...]
> What i wish to do is to don't provide any public access to the dom0 (for
> security reason and to keep the other ip address for other things).
[...]
> and here the interface's conf :
>
> auto lo
> iface lo inet loopback
>
> auto xenbr0
> iface xenbr0 inet static
>     address xxxxxxx
>     netmask 255.255.255.xxx
>     network xxxxxxxx
>     broadcast xxxxxxxx
>     gateway xxxxxxx
>     bridge_ports eth0
>     bridge_stp off
>     bridge_maxwait 0
>     dns-nameservers xxx.xx
>     dns-search xxx.com

Just use "inet manual" instead of "inet static":

auto xenbr0
iface xenbr0 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_maxwait 0

With "inet manual" the network initialization scripts will just bring the interface up without assigning an IP address - which is exactly what you need for this bridge.

> auto xenbr1
> iface xenbr1 inet static
>     address 192.168.1.10
>     netmask 255.255.255.0
>     network 192.168.200.0
>     broadcast 192.168.200.255
>     gateway xxx.129
>     bridge_ports eth1
>     bridge_stp off
>     bridge_maxwait 0
>     dns-nameservers xxx.5
>     dns-search xxx.com
>
> Could someone give me some advices or suggest on how to reach my target ?
> I am working with the network-bridge .. should i use NAT or ROUTE xen
> networking ?

Using NAT or ROUTE requires assigning a public IP to dom0 (which then will be shared with domU when using NAT, or will be used as a gateway when using ROUTE); only bridge networking can work without IP address in dom0.
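
A way to audit the change suggested in the reply above, as an added example that is not part of the original thread: the script parses an interfaces(5) file and reports any bridge that enslaves a public-facing NIC while dom0 still configures an address on it. The sample addresses are constructed placeholders, and the function names are this example's own.

```python
# Added example: audit an interfaces(5) file for bridges that give dom0 an IP.
# Addresses below are constructed placeholders, not values from the thread.
BEFORE = """\
auto xenbr0
iface xenbr0 inet static
    address 203.0.113.10
    netmask 255.255.255.0
    gateway 203.0.113.1
    bridge_ports eth0
    bridge_stp off
    bridge_maxwait 0
"""

# The same bridge after switching to "inet manual" as suggested in the reply.
AFTER = """\
auto xenbr0
iface xenbr0 inet manual
    bridge_ports eth0
    bridge_stp off
    bridge_maxwait 0
"""


def parse_stanzas(text):
    """Return one dict per 'iface' stanza: name, family, method, options."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments are whole lines only
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = {"name": words[1], "family": words[2],
                       "method": words[3], "options": {}}
            stanzas.append(current)
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            current = None                      # a new top-level stanza begins
        elif current is not None:
            current["options"][words[0]] = words[1:]
    return stanzas


def addressed_public_bridges(text, public_nics):
    """Bridges that enslave a public NIC while dom0 still configures an IP."""
    return [s["name"] for s in parse_stanzas(text)
            if set(s["options"].get("bridge_ports", [])) & set(public_nics)
            and s["method"] != "manual"]
```

`addressed_public_bridges(BEFORE, {"eth0"})` reports `xenbr0`, while the `AFTER` configuration reports nothing. The check covers only what ifupdown configures; the running state can be confirmed with `ip addr show xenbr0`.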
Mirco Santori
2009-Oct-19 12:10 UTC
Re: [Xen-users] How to disable the public ip in Dom0 and enable on DomU
Hi Sergey,

thank you for the explanation .. now it is actually much more clear. It has resolved my problem and now works fine!!

thank you

2009/10/18 Sergey Vlasov <vsu@altlinux.ru>

> On Sun, Oct 18, 2009 at 02:28:39PM +0200, Mirco Santori wrote:
> [...]
> > What i wish to do is to don't provide any public access to the dom0 (for
> > security reason and to keep the other ip address for other things).
> [...]
> > and here the interface's conf :
> >
> > auto lo
> > iface lo inet loopback
> >
> > auto xenbr0
> > iface xenbr0 inet static
> >     address xxxxxxx
> >     netmask 255.255.255.xxx
> >     network xxxxxxxx
> >     broadcast xxxxxxxx
> >     gateway xxxxxxx
> >     bridge_ports eth0
> >     bridge_stp off
> >     bridge_maxwait 0
> >     dns-nameservers xxx.xx
> >     dns-search xxx.com
>
> Just use "inet manual" instead of "inet static":
>
> auto xenbr0
> iface xenbr0 inet manual
>     bridge_ports eth0
>     bridge_stp off
>     bridge_maxwait 0
>
> With "inet manual" the network initialization scripts will just bring
> the interface up without assigning an IP address - which is exactly
> what you need for this bridge.
>
> > auto xenbr1
> > iface xenbr1 inet static
> >     address 192.168.1.10
> >     netmask 255.255.255.0
> >     network 192.168.200.0
> >     broadcast 192.168.200.255
> >     gateway xxx.129
> >     bridge_ports eth1
> >     bridge_stp off
> >     bridge_maxwait 0
> >     dns-nameservers xxx.5
> >     dns-search xxx.com
> >
> > Could someone give me some advices or suggest on how to reach my target ?
> > I am working with the network-bridge .. should i use NAT or ROUTE xen
> > networking ?
>
> Using NAT or ROUTE requires assigning a public IP to dom0 (which then
> will be shared with domU when using NAT, or will be used as a gateway
> when using ROUTE); only bridge networking can work without IP address
> in dom0.