Monday, January 08, 2007

Setting up a Xen DMZ using NAT and IPTables Filtering

Make sure your Dom0 kernel has netfilter/iptables support compiled in; the port forwarding below will not work without it. See my previous post on compiling Xen from source.

The iptables options are found in the kernel menuconfig under:

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> Core Netfilter Configuration ---> <*> Netfilter Xtables support (required for ip_tables)

Networking ---> Networking options ---> [*] Network packet filtering (replaces ipchains) ---> IP: Netfilter Configuration ---> <*> IP tables support (required for filtering/masq/NAT)

Set the following options in /etc/xen/xend-config.sxp so that xend uses the NAT scripts instead of the default bridge:
(network-script network-nat)
(vif-script vif-nat)

Check (using ifconfig) that the Dom0 end of the DomU's interface, vif1.0 for domain 1, has an IP address starting 10.0.0. once the DomU is running.

Now edit your VM config file to give the VM a fixed private address instead of DHCP:
dhcp = "off"
vif = [ 'ip=10.0.0.1' ]    # the IP address to assign to the VM
ip = "10.0.0.1"            # repeat the same address here
gateway = "10.0.0.128"     # the internal IP address of Dom0's vif1.0 (check it with ifconfig)
netmask = "255.255.255.0"

Once the VM has booted, set the same addresses in /etc/network/interfaces inside DomU:

auto eth0
iface eth0 inet static
address 10.0.0.1
netmask 255.255.255.0
gateway 10.0.0.128

At this point DomU should be able to ping Dom0 and hosts on the internet, and Dom0 should be able to ping DomU. DomU is still not reachable from the internet, however, because its address is private and the network-nat script only masquerades outbound traffic. To expose a service we can build a small DMZ: Dom0 rewrites the destination of selected incoming packets to DomU with an iptables DNAT rule, so only the ports we choose are reachable. For instance, if sshd is running in DomU, enable port forwarding in Dom0 with

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 22 -j DNAT --to 10.0.0.1:22

A remote user then connects by SSH to the public IP of Dom0 and the connection is delivered to 10.0.0.1:22. Three things to keep in mind: the rule only takes effect if Dom0's FORWARD chain accepts the translated packets (the default policy is ACCEPT unless a firewall has changed it); the rule is not persistent across reboots, so add it to a startup script; and because DNAT happens in PREROUTING before the packet reaches Dom0's own INPUT chain, Dom0's own sshd is no longer reachable on port 22 through eth0. Forward a different public port to DomU, or move Dom0's sshd to another port, before logging out of a remote session.
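The rule set described above, as an added example that is not part of the original post. It generates the PREROUTING DNAT rule from the post together with the FORWARD rules that are needed when Dom0's FORWARD policy is DROP, and applies each rule only if it is not already present (iptables -C), so the script can be re-run from a startup script. The interface name eth0, the DomU address 10.0.0.1 and the availability of the iptables state match (CONFIG_IP_NF_MATCH_STATE) are assumptions, not taken from the post; change the two variables to match your setup.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply the iptables
# rules that forward one public port on Dom0 to a service inside DomU.
# Assumptions: eth0 is Dom0's public interface, the DomU is 10.0.0.1, and the
# "-m state" match is available in the Dom0 kernel.

PUB_IF=eth0
DOMU_IP=10.0.0.1

# dmz_rules PROTO PUBLIC_PORT DOMU_PORT
# Print one rule per line as "TABLE CHAIN MATCH... -j TARGET", without -A/-C,
# so the same text can be used both to check for and to append the rule.
# Rule 1: DNAT incoming PUBLIC_PORT to the DomU service (the rule from the post).
# Rule 2: let the translated packets through FORWARD (dst is already DomU here).
# Rule 3: let DomU's replies back out (src is still DomU; SNAT happens later).
dmz_rules() {
    proto=$1
    pub_port=$2
    domu_port=$3
    printf '%s\n' \
        "nat PREROUTING -i $PUB_IF -p $proto --dport $pub_port -j DNAT --to-destination $DOMU_IP:$domu_port" \
        "filter FORWARD -i $PUB_IF -p $proto -d $DOMU_IP --dport $domu_port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
        "filter FORWARD -o $PUB_IF -s $DOMU_IP -p $proto --sport $domu_port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# dmz_commands PROTO PUBLIC_PORT DOMU_PORT
# Turn each rule into an idempotent command: append only when the check fails.
dmz_commands() {
    dmz_rules "$@" | while read -r table chain rule; do
        printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
            "$table" "$chain" "$rule" "$table" "$chain" "$rule"
    done
}

# dmz_apply PROTO PUBLIC_PORT DOMU_PORT
# Run the commands; needs root and a Dom0 kernel with iptables support.
dmz_apply() {
    dmz_commands "$@" | sh -e
}

# Dry run of the post's example (public tcp/22 -> 10.0.0.1:22): print the
# commands instead of running them so they can be reviewed first.
dmz_commands tcp 22 22
```

Running the script as-is only prints the commands. On Dom0, as root, `dmz_apply tcp 22 22` applies them; `dmz_apply tcp 2222 22` forwards public port 2222 instead, which keeps Dom0's own sshd reachable on port 22. Because every rule is checked with `-C` before being appended, the same invocation is safe to place in a boot script.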

Comments:
Very good, simple and easy. One question: in the Dom0, when I start a DomU the vif changes. How can I fix this, edit the vif1.0 in /etc/network/interfaces?

Thank you in advance
 
Actually, I think you cannot change it
 
Thank you, I fixed the problem another way.
 
Hi,

I am currently trying to set up a NAT configuration for my Xen VMs, but the dom0 vif does not obtain a 10.0.0.* address. I did exactly as stated above. I will be grateful for any pointers!

Thanks!
Ramya
 
Great. Credit for your excellent entry.
 
 