Ron Arts
2005-Sep-02 09:42 UTC
[Xen-users] howto do NAT from a bridged xenU on dual homed host with one public ip?
Hi,

I have a (Fedora Core 4) machine as follows:

eth0: public internet
eth1: 192.168.123.1

This host acts as a NAT-ing gateway for the internal network. This works just fine.

On this host I have a (Fedora Core 4) domU that has:

eth0: 192.168.123.2
default gateway: 192.168.123.1

I bridge eth1 to xen-br0 on the xen0 domain.

My problem: I cannot reach the internet from the xenU domain. How do I set it up? Outgoing packets do not seem to be NATed.

Thanks,
Ron

--
Netland Internet Services
business internet solutions
http://www.netland.nl
Kruislaan 419, 1098 VA Amsterdam
info: 020-5628282  servicedesk: 020-5628280  fax: 020-5628281
The following disclaimer applies to this message: http://www.netland.nl/maildisclaimer

URA Redneck if you've ever bought a used cap.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Ernst Bachmann
2005-Sep-02 09:58 UTC
Re: [Xen-users] howto do NAT from a bridged xenU on dual homed host with one public ip?
On Friday 02 September 2005 11:42, Ron Arts wrote:
> Hi,
>
> I have a (Fedora Core 4) machine as follows:
>
> eth0: public internet
> eth1: 192.168.123.1
>
> This host acts as a NAT-ing gateway for the internal network.
> This works just fine.
>
> On this host I have a (Fedora Core 4) domU that has:
>
> eth0: 192.168.123.2
> default gateway: 192.168.123.1.
>
> I bridge eth1 to xen-br0 on the xen0 domain.
>
> My problem:
>
> I cannot reach the internet from the xenU domain.
> How do I set it up? Outgoing packets do not seem to be natted.

Incoming packets (from domU as well as from eth1) will appear as coming from "xen-br0" once Xen is started.

You'll have to adapt your NAT scripts to use "xen-br0" as the "internal"/"dmz" device.

Maybe you'll also have to fix your routing tables on dom0 to use the xen-br0 device instead of eth1.

/Ernst
Ernst Bachmann
2005-Sep-02 10:29 UTC
Re: [Xen-users] howto do NAT from a bridged xenU on dual homed host with one public ip?
On Friday 02 September 2005 12:10, you wrote:
> >> My problem:
> >>
> >> I cannot reach the internet from the xenU domain.
> >> How do I set it up? Outgoing packets do not seem to be natted.
> >
> > Incoming packets (from domU as well as from eth1) will appear as coming
> > from "xen-br0" once Xen is started.
> >
> > You'll have to adapt your NAT scripts to use "xen-br0" as the
> > "internal"/"dmz" device.
> >
> > Maybe you'll also have to fix your routing tables on dom0 to use the
> > xen-br0 device instead of eth1.
>
> Can you provide a few sample iptables commands for this to work?

OK, some (untested) example:

eth0: 1.2.3.4, "world" device with the official IP.
192.168.1.0/24 is the NATed subnet, with 192.168.1.1 being the router, 192.168.1.2 being the domU, and the rest of the subnet attached to the router on eth1.

I'd start with creating the bridge myself; that way it's up before Xen, and I can start the networking/firewall before booting domU. So: configure eth1 WITHOUT an IP address, create a bridge, say "br0", with eth1 attached, set the IP on br0 to 192.168.1.1, and set the netmask.

The routing table should now contain something like

  # route -n
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
  127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
  0.0.0.0         1.2.3.1         0.0.0.0         UG    0      0        0 eth0

and no references to eth1 in there.

All of this might be doable with your distribution's startup scripts, so nothing to code yourself this far...

Now to set up your NAT rules: if you use something premade for your distribution, check its config and replace every occurrence of "eth1" with "br0".

Boot up domU, changing its config to attach its network to "br0" instead of "xen-br0".

Otherwise,

  # Source NAT belongs in the nat table's POSTROUTING chain and is matched on
  # the outgoing public interface (PREROUTING has no -o match and no SNAT target)
  iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4

might do the trick.

Now domU should be NATed, and the NAT for boxes connected to eth1 should still work.

/Ernst
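The procedure Ernst sketches (bridge first, then NAT on the bridge, then boot domU), as an added example script that is not part of the thread or of Xen's own network scripts. Interface names and addresses are the placeholders from his mail (eth0/1.2.3.4 public, eth1 on br0 as 192.168.1.1, 192.168.1.0/24 natted) and are assumptions to adjust. It defaults to printing the plan; `DRY_RUN=0` as root on dom0 applies it. It also adds the FORWARD policy a practitioner would want, since a SNAT rule on its own does not filter anything.

```shell
#!/bin/sh
# Added example, not from the original thread. Bridged NAT gateway on a Xen
# dom0 with one public IP. Names and addresses below are assumed placeholders.
set -eu

WAN_IF=eth0              # public interface, official IP
WAN_IP=1.2.3.4           # assumed public address from the thread
LAN_IF=eth1              # physical LAN NIC; gets no IP of its own
BR_IF=br0                # bridge carrying eth1 plus the domU vifs
LAN_NET=192.168.1.0/24
BR_IP=192.168.1.1
BR_MASK=255.255.255.0

# Every state-changing command goes through run(); with DRY_RUN=1 (default)
# the plan is printed instead of executed so it can be reviewed first.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Bridge: eth1 loses its address, br0 takes 192.168.1.1. From here on the
#    routing table references br0, not eth1, so NAT rules must match br0/eth0.
setup_bridge() {
    run brctl addbr "$BR_IF"
    run ifconfig "$LAN_IF" 0.0.0.0 up
    run brctl addif "$BR_IF" "$LAN_IF"
    run ifconfig "$BR_IF" "$BR_IP" netmask "$BR_MASK" up
}

# 2. NAT: source NAT lives in the nat table's POSTROUTING chain and matches
#    the outgoing public interface. Forwarding must be switched on as well.
setup_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# 3. Forwarding policy: NAT alone is not a filter. Only LAN-initiated traffic
#    goes out; only replies to it come back in.
setup_forward() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$BR_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$BR_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Full plan in the order it has to happen: bridge, then NAT, then filtering.
plan() {
    setup_bridge
    setup_nat
    setup_forward
}

plan
```

After applying it, point the domU at the bridge (in the domU config, e.g. `vif = [ 'bridge=br0' ]`, assumed Xen syntax) and check the result with `brctl show`, `route -n` (no eth1 entries) and `iptables -t nat -L POSTROUTING -n -v` (the SNAT rule's counters should increase as domU sends traffic). One caveat: because eth1 and the domU vifs share the bridge, the guest sits on the same L2 segment as the physical LAN, so the `-s 192.168.1.0/24` match only tells you a packet claims a LAN address, not which machine sent it.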