Monday, January 08, 2007
Setting up a Xen DMZ using NAT and IPTables Filtering
The iptables options can be found in the kernel menuconfig configuration under

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> Core Netfilter Configuration ---> <*> Netfilter Xtables support (required for ip_tables)
Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> <*> IP tables support (required for filtering/masq/NAT)

Set the following options in /etc/xen/xend-config.sxp
Check (using ifconfig) that vif1.0 in Dom0 has an IP address in the 10.0.0.* range; this is the address DomU will use as its default gateway.
Now edit your VM config file to assign the guest a static private IP address (the file is Python syntax, so the notes below are ordinary comments):

    dhcp = "off"
    vif = [ 'ip=10.0.0.1' ]   # the IP I want to assign to my VM
    ip = "10.0.0.1"           # the same address again, passed to the guest kernel
    gateway = "10.0.0.128"    # the internal IP address of my Dom0 vif1.0
Similarly, once the VM has booted, put the same addresses in the /etc/network/interfaces file in DomU:

    iface eth0 inet static
        address 10.0.0.1
        netmask 255.255.255.0   # assumed; the post only says the range is 10.0.0.*
        gateway 10.0.0.128
At this point DomU should be able to ping Dom0 and hosts on the internet (Dom0 masquerades its outbound traffic), and Dom0 should be able to ping DomU. DomU is not reachable from the internet, however, because it only has a private address. To expose a service we can build a simple DMZ: Dom0 keeps the public address and forwards only the ports we choose to DomU, using iptables NAT rules. For instance, if an sshd is running in DomU, enable port forwarding in Dom0 with

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.0.0.1:22

A remote user who wants to SSH into DomU then simply connects to the public IP of Dom0. Two things to check before relying on this: the rule rewrites every port-22 connection arriving on eth0 before Dom0's own sshd sees it, so if Dom0 also runs sshd on port 22 you lock yourself out of Dom0 from outside (forward a different external port, e.g. --dport 2222, to 10.0.0.1:22 instead); and if the FORWARD chain policy is DROP, the forwarded packets, which carry the rewritten destination 10.0.0.1:22 by the time FORWARD sees them, need an explicit ACCEPT rule. Rules added from the command line are also lost at reboot unless you save them.
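As an added example (not part of the original post), here is the same Dom0 setup as a script, so the rule set can be printed and reviewed before it is applied. It assumes the public interface is eth0, that DomU sits in 10.0.0.0/24 (the post only says 10.0.0.*), and that Dom0 runs its own sshd on port 22, so DomU's sshd is published on external port 2222; it also adds the FORWARD and MASQUERADE rules and the ip_forward check that the single DNAT rule above leaves implicit.

```shell
#!/bin/sh
# Added example, not from the original post: the Dom0 rule set the post describes,
# written as a script with the checks a practitioner wants before exposing DomU.
# Assumed (the post does not say): the public interface is eth0, DomU is 10.0.0.1
# in 10.0.0.0/24 behind Dom0, and Dom0 runs its own sshd on port 22, so DomU's
# sshd is published on external port 2222 to avoid shadowing it.
WAN_IF="${WAN_IF:-eth0}"
DOMU_IP="${DOMU_IP:-10.0.0.1}"
DOMU_NET="${DOMU_NET:-10.0.0.0/24}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Baseline: forwarding on, default-deny FORWARD, replies allowed, DomU may go
# out through masquerading. network-nat normally enables ip_forward; check it
# rather than assume it.
setup_base() {
  if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" != 1 ]; then
    run sysctl -w net.ipv4.ip_forward=1
  fi
  run "$IPT" -P FORWARD DROP
  run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run "$IPT" -A FORWARD -s "$DOMU_NET" -o "$WAN_IF" -j ACCEPT
  run "$IPT" -t nat -A POSTROUTING -s "$DOMU_NET" -o "$WAN_IF" -j MASQUERADE
}

# Publish one TCP service: rewrite WAN_IF:$1 to $2:$3 in PREROUTING, then let
# the rewritten packet through FORWARD. DNAT happens before the filter table
# sees the packet, so the FORWARD rule matches the internal address and port.
publish_tcp() {
  ext_port="$1"; dst_ip="$2"; dst_port="$3"
  run "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ext_port" \
      -j DNAT --to-destination "$dst_ip:$dst_port"
  run "$IPT" -A FORWARD -i "$WAN_IF" -p tcp -d "$dst_ip" --dport "$dst_port" \
      -m conntrack --ctstate NEW -j ACCEPT
}

# Refuse an external port Dom0 itself already listens on: the DNAT rule would
# silently steal those connections (for example your own ssh to Dom0).
check_port_free() {
  port="$1"
  if command -v ss >/dev/null 2>&1 && ss -ltn 2>/dev/null | grep -q ":$port[[:space:]]"; then
    echo "port $port is already in use on Dom0; pick another external port" >&2
    return 1
  fi
  return 0
}

# usage:  sh xen-dmz.sh show              (print the rules)
#         DRY_RUN=0 sh xen-dmz.sh apply   (install them; run as root)
case "${1:-}" in
  show|apply)
    if [ "$1" = apply ]; then DRY_RUN=0; fi
    check_port_free 2222
    setup_base
    publish_tcp 2222 "$DOMU_IP" 22
    ;;
esac
```

Run `sh xen-dmz.sh show` to print the rules and `DRY_RUN=0 sh xen-dmz.sh apply` as root to install them. Like the single rule above, nothing here survives a reboot unless you persist it with your distribution's iptables-save mechanism.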