Xen users - Jan 2013 - Using both NAT and Bridge networking on the same host

Hi,
I would like to use bridged networking for some domUs and NAT networking
for some other domUs, all on the same dom0. Currently, I only have the
bridged guests running. In xend-config.sxp, I''m not using any
network-script, as I have done the bridge setup manually. The vif-script
is currently set to vif-bridge.
Now I want to add some more domUs, but using NAT (I don''t have enough
public IPs on my hosted server). How can I do this without breaking the
bridged networking setup of the already running guests?
Or do I have to change to NAT networking altogether?
Cheers, Andreas.

PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack

I think the simple solution for this would be to:
1. Enable bridge mode
2. Connect the VMs to virbr0 if you want them to put them under NAT. You
can double check the result if the IP a VM under NAT is between the range
192.168.122.2 to 192.168.122.254

This is the solution working for me

On Sun, Jan 27, 2013 at 4:01 PM, Andreas Hilboll <lists@hilboll.de> wrote:
> Hi,
> I would like to use bridged networking for some domUs and NAT networking
> for some other domUs, all on the same dom0. Currently, I only have the
> bridged guests running. In xend-config.sxp, I''m not using any
> network-script, as I have done the bridge setup manually. The vif-script
> is currently set to vif-bridge.
> Now I want to add some more domUs, but using NAT (I don''t have
enough
> public IPs on my hosted server). How can I do this without breaking the
> bridged networking setup of the already running guests?
> Or do I have to change to NAT networking altogether?
> Cheers, Andreas.
>
> PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xen.org
> http://lists.xen.org/xen-users
>


-- 
Team Lead,
Botnet Security Group,
SysNet Lab,
FAST-National University, H-11/4
A.K. Brohi Road, Islamabad, Pakistan
Voice: 00923038280828


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

On 01/27/2013 12:01 PM, Andreas Hilboll wrote:
> Hi,
> I would like to use bridged networking for some domUs and NAT networking
> for some other domUs, all on the same dom0. Currently, I only have the
> bridged guests running. In xend-config.sxp, I''m not using any
> network-script, as I have done the bridge setup manually. The vif-script
> is currently set to vif-bridge.
> Now I want to add some more domUs, but using NAT (I don''t have
enough
> public IPs on my hosted server). How can I do this without breaking the
> bridged networking setup of the already running guests?
> Or do I have to change to NAT networking altogether?
> Cheers, Andreas.
>
> PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack
Hi Andreas,
it''s possible by using the ''script'' attribute within
the vif definition.
The  xend-config just defines the ''default'' script.

<code>
vif = [''ip=10.0.0.YZ-AB.CD.EF.GH, vifname=vps-name-pub,
script=vif-nat-fw'']
</code>

The vif-nat-fw is my own script which is configuring the NAT on the fly 
based on the IP pair defined by the ''ip'' attribute. Of course
you can
also do the mixed setup with NATed and bridged domains.
For more information browse the /etc/xen/scripts directory.
All other questions are welcome. ;-)

Best regards,
--
Peter Viskup

Am So 27 Jan 2013 12:46:26 CET schrieb Peter Viskup:
> On 01/27/2013 12:01 PM, Andreas Hilboll wrote:
>> Hi,
>> I would like to use bridged networking for some domUs and NAT
networking
>> for some other domUs, all on the same dom0. Currently, I only have the
>> bridged guests running. In xend-config.sxp, I''m not using any
>> network-script, as I have done the bridge setup manually. The
vif-script
>> is currently set to vif-bridge.
>> Now I want to add some more domUs, but using NAT (I don''t have
enough
>> public IPs on my hosted server). How can I do this without breaking the
>> bridged networking setup of the already running guests?
>> Or do I have to change to NAT networking altogether?
>> Cheers, Andreas.
>>
>> PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack
>
> Hi Andreas,
> it''s possible by using the ''script'' attribute
within the vif
> definition. The  xend-config just defines the ''default''
script.
>
> <code>
> vif = [''ip=10.0.0.YZ-AB.CD.EF.GH, vifname=vps-name-pub,
> script=vif-nat-fw'']
> </code>
>
> The vif-nat-fw is my own script which is configuring the NAT on the
> fly based on the IP pair defined by the ''ip'' attribute.
Of course you
> can also do the mixed setup with NATed and bridged domains.
> For more information browse the /etc/xen/scripts directory.
> All other questions are welcome. ;-)
Thanks, Peter, works like a charm =)

Next question: I want to run a service on the domU which should be
accessible from the internet. So I guess I have to somehow insert the
appropriate iptables rules. Which would be the place to do that? I guess
you''re doing that in your vif-nat-fw script? If so, maybe you would be
willing to share this? Or should I set the rules ''globally'' as
post-up
in /etc/network/interfaces?

Cheers, Andreas.

On 01/27/2013 03:26 PM, Andreas Hilboll wrote:
> Am So 27 Jan 2013 12:46:26 CET schrieb Peter Viskup:
>> On 01/27/2013 12:01 PM, Andreas Hilboll wrote:
>>> Hi,
>>> I would like to use bridged networking for some domUs and NAT
networking
>>> for some other domUs, all on the same dom0. Currently, I only have
the
>>> bridged guests running. In xend-config.sxp, I''m not using
any
>>> network-script, as I have done the bridge setup manually. The
vif-script
>>> is currently set to vif-bridge.
>>> Now I want to add some more domUs, but using NAT (I don''t
have enough
>>> public IPs on my hosted server). How can I do this without breaking
the
>>> bridged networking setup of the already running guests?
>>> Or do I have to change to NAT networking altogether?
>>> Cheers, Andreas.
>>>
>>> PS: Running Xen 4.0.1 on Debian Squeeze/AMD64, using xm toolstack
>> Hi Andreas,
>> it''s possible by using the ''script''
attribute within the vif
>> definition. The  xend-config just defines the
''default'' script.
>>
>> <code>
>> vif = [''ip=10.0.0.YZ-AB.CD.EF.GH, vifname=vps-name-pub,
>> script=vif-nat-fw'']
>> </code>
>>
>> The vif-nat-fw is my own script which is configuring the NAT on the
>> fly based on the IP pair defined by the ''ip''
attribute. Of course you
>> can also do the mixed setup with NATed and bridged domains.
>> For more information browse the /etc/xen/scripts directory.
>> All other questions are welcome. ;-)
> Thanks, Peter, works like a charm =)
>
> Next question: I want to run a service on the domU which should be
> accessible from the internet. So I guess I have to somehow insert the
> appropriate iptables rules. Which would be the place to do that? I guess
> you''re doing that in your vif-nat-fw script? If so, maybe you
would be
> willing to share this? Or should I set the rules
''globally'' as post-up
> in /etc/network/interfaces?
>
> Cheers, Andreas.
No problem Andreas. The way to do it is up to you - depends on the 
design. I am doing the iptables NAT1:1 on the fly.
This is the diff -u from the vif-nat and my patched vif-nat-fw:

<code>
@@ -82,6 +75,10 @@
  if [ "$ip" = "" ]
  then
    ip=$(ip_from_dom)
+else
+# ip in format 10.0.0.5-80.94.54.5 meaning NAT
+  ext_ip=$(echo $ip | awk -F- ''{print $2}'')
+  ip=$(echo $ip | awk -F- ''{print $1}'')
  fi

@@ -161,6 +131,21 @@
                                       # are no vifs.
  }

+nat_1_to_1()
+{
+  if [ "$1" = "up" ]; then
+    IPTABLES="iptables -I"
+    IPTABLESNAT="iptables -t nat -I"
+  else
+    IPTABLES="iptables -D"
+    IPTABLESNAT="iptables -t nat -D"
+  fi
+  $IPTABLESNAT PREROUTING -i bond0 -s 0.0.0.0/0 -d $3 -j DNAT --to $2
+  $IPTABLESNAT POSTROUTING -o bond0 -s $2 -d 0.0.0.0/0 -j SNAT --to $3
+  $IPTABLES INPUT -i $vif -s $2 -d 0.0.0.0/0 -j ACCEPT
+  $IPTABLES FORWARD -s 0.0.0.0/0 -d $2 -j ACCEPT
+  $IPTABLES FORWARD -s $2 -d 0.0.0.0/0 -j ACCEPT
+}

@@ -175,9 +160,11 @@
          do_or_die ip route add "$vif_ip" dev "$vif" src
"$router_ip"
          echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
          [ "$dhcp" != ''no'' ] && dhcp_up
+       nat_1_to_1 up $ip $ext_ip
          ;;
      offline)
          [ "$dhcp" != ''no'' ] && dhcp_down
+       nat_1_to_1 down $ip $ext_ip
          do_without_error ifconfig "$vif" down
          ;;
  esac
</code>

All the iptables rules are applied calling the function nat_1_to_1(). In 
the beginning I just extract local IP and external IP from the pair of 
IPs defined by the ''ip'' vif''s attribute from domU
config.
Hope it''s clear.

The other way to do is to apply the same iptables rules on all machines 
in the environment. The rules become effective only in case the traffic 
will be routed to that machine. Or to implement OpenvSwitch (I plan this 
for the future).

--
Peter