Hello,

I am trying to set up a PVM (at the moment Ubuntu as guest and Ubuntu server as Dom0). The main issue is that the DomUs can't get direct net access, because the access is restricted by a DHCP server that also functions as proxy to the outside of the network. The server controls the MAC address and only http is allowed as outgoing connection. So the domUs shouldn't appear as independent machines in the network.

What solution would you recommend?

Kind regards,
Philipp Schröter
On Tuesday, 21 August 2012, 13:54:09, Schröter, Philipp wrote:
> I am trying to set up a PVM (at the moment Ubuntu as guest and Ubuntu server
> as Dom0). The main issue is that the DomUs can't get direct net access,
> because the access is restricted by a DHCP server that also functions as
> proxy to the outside of the network. The server controls the MAC address
> and only http is allowed as outgoing connection. So the domUs shouldn't
> appear as independent machines in the network. What solution would you
> recommend?

...are you able to do NAT?

If so just use your Dom0 as the "NAT router" for your DomUs.

If you have more than one MAC available / known you might configure your DomUs with these MACs for their virtual ifaces.

hth
best regards,

Niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---
_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users
Schröter, Philipp wrote:
> Hello,
>
> I am trying to set up a PVM (at the moment Ubuntu as guest and Ubuntu server as Dom0).
> The main issue is that the DomUs can't get direct net access, because the access is
> restricted by a DHCP server that also functions as proxy to the outside of the network.
> The server controls the MAC address and only http is allowed as outgoing connection.
> So the domUs shouldn't appear as independent machines in the network.
> What solution would you recommend?

If you are familiar with routers you can try OpenWrt, it has a very good build system that can generate Xen PV images directly, so you just need to create the image and use it directly or dd it to a hard drive partition or lvm lv. Then use this guest as you would use a normal router/firewall and make all your DomUs use this other DomU as gateway, proxy or whatever you need.

Roger.
On Tuesday, 21 August 2012, 13:17:43, Roger Pau Monne wrote:
> If you are familiar with routers you can try OpenWrt, it has a very good
> build system that can generate Xen PV images directly, so you just need
> to create the image and use it directly or dd it to a hard drive
> partition or lvm lv. Then use this guest as you would use a normal
> router/firewall and make all your DomUs use this other DomU as gateway,
> proxy or whatever you need.

This sounds a bit like overkill. Just to make sure what I had meant:

In xend-config.sxp:

(network-script network-nat)
(vif-script vif-nat)

(instead of i.e. bridging or normal routing scripts - never tried Xen's NAT scripts but I assume they do what they are called ;).

Or do it similarly by hand with:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

where eth0 is the "outgoing" network interface to LAN of the Dom0.

cheers,

Niels.
Hello again,

thanks very much for all the answers. I have been very busy, thus the lack of a prompt answer. Sorry for that.

> ...are you able to do NAT?
>
> If so just use your Dom0 as the "NAT router" for your DomUs.
>
> If you have more than one MAC available / known you might configure your DomUs
> with these MACs for their virtual ifaces.
>
> hth
> best regards,
>
> Niels.

Yeah, I think NAT is the way to go regarding my issues. The problem is that I only have one IP address, it's linked to the MAC address of the server and I won't get additional IP addresses.

> In xend-config.sxp:
>
> (network-script network-nat)
> (vif-script vif-nat)
>
> (instead of i.e. bridging or normal routing scripts - never tried Xen's NAT
> scripts but I assume they do what they are called ;).
>
> Or do it similarly by hand with:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> where eth0 is the "outgoing" network interface to LAN of the Dom0.
>
> cheers,
>
> Niels.

I tried that and it didn't work for me. Just changing the Xen script from bridge to NAT didn't help. I have two network interface controllers, eth0 and eth1. eth0 is the one that communicates with the network and has (limited, only http) access to the internet. That's why I thought about using eth1 to connect the domUs and dom0.

For the domU cfg file I followed this guide https://help.ubuntu.com/community/Xen receiving the following cfg file:

name = "ubuntu-net"
memory = 256
disk = ['phy:/dev/xenvg/ubuntu-net,xvda,w']
vif = ['ip=192.168.3.2']
kernel = "/var/lib/xen/images/ubuntu-netboot/vmlinuz"
ramdisk = "/var/lib/xen/images/ubuntu-netboot/initrd.gz"
extra = "debian-installer/exit/always_halt=true -- console=hvc0"

which starts but doesn't gain net access and thus can't be installed correctly.

I configured /etc/network/interfaces in this way:

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
    address 192.168.3.1
    network 192.168.3.0
    netmask 255.255.255.0
    broadcast 192.168.3.255
    up /sbin/iptables -A FORWARD -o eth0 -i eth1 -s 192.168.3.0/16 -m conntrack --ctstate NEW -j ACCEPT
    up /sbin/iptables -A FORWARD -o eth0 -s 192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
    up /sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    up /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    up /etc/init.d/dnsmasq restart

route tells me this:

Destination     Gateway          Genmask         Flags Metric Ref    Use Iface
default         vrrp-sonst0010.  0.0.0.0         UG    100    0        0 eth0
141.42.152.0    *                255.255.254.0   U     0      0        0 eth0
192.168.3.0     *                255.255.255.0   U     0      0        0 eth1

and ifconfig this:

eth0      Link encap:Ethernet  HWaddr 00:30:48:bd:61:14
          inet addr:141.42.152.159  Bcast:141.42.153.255  Mask:255.255.254.0
          inet6 addr: fe80::230:48ff:febd:6114/64 Scope:Link

eth1      Link encap:Ethernet  HWaddr 00:30:48:bd:61:15
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1

Best regards,
Philipp
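A tightened version of the Dom0 NAT set-up from Niels's reply and Philipp's interfaces file, as an added example that is not from the thread: it scopes MASQUERADE to the DomU subnet, makes the FORWARD chain default-deny, and only prints the commands unless run with "apply". It assumes the thread's layout (eth0 toward the LAN, eth1 toward the DomUs on 192.168.3.0/24; note that the posted rule writes 192.168.3.0/16, which iptables reads as 192.168.0.0/16).

```shell
#!/bin/sh
# Added example, not from the thread: default-deny NAT for Xen DomUs on Dom0.
# Assumed layout (taken from the thread): eth0 faces the LAN/DHCP proxy, eth1
# faces the DomUs on 192.168.3.0/24. Override via the environment if different.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
DOMU_NET="${DOMU_NET:-192.168.3.0/24}"

# Emit the rule set as commands so it can be reviewed before it runs.
# MASQUERADE rather than SNAT because eth0's address comes from DHCP and may
# change; it is limited to $DOMU_NET so nothing else is rewritten on the way out.
# FORWARD defaults to DROP: only DomU-originated flows and their replies pass.
nat_rules() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $DOMU_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $DOMU_NET -o $WAN_IF -j MASQUERADE
EOF
}

# The same rules as deletions, in reverse order, so a failed attempt can be
# undone cleanly (the policy is reset last).
nat_rules_undo() {
    nat_rules | sed -n 's/ -A / -D /p' | sed '1!G;h;$!d'
    echo "iptables -P FORWARD ACCEPT"
}

# Run the emitted commands; "sh -e" stops at the first iptables error.
apply_nat_rules() { nat_rules | sh -e; }

case "${1:-print}" in
    apply) apply_nat_rules ;;
    undo)  nat_rules_undo | sh -e ;;
    *)     nat_rules ;;
esac
```

DomUs still reach dnsmasq on Dom0's eth1 directly (that is INPUT, not FORWARD), so DHCP and DNS for the guests are unaffected by the FORWARD policy.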